In 2020, our Nautilus research team saw yet more attacks targeting the cloud native supply chain and infrastructure. These security threats, including fileless malware in containers, taking advantage of misconfigured Docker API ports, and using container images for attacks are, admittedly, relatively unsophisticated. However, despite this lack of sophistication they are still successful, and it drives home the fact that there are still so many common security oversights which bad actors can take advantage of.
To date, the most commonly observed goal of bad actors has been to hijack compute cycles for cryptomining. However, we are beginning to see the trajectory changing and, with more container take up in enterprises, prizes will be greater and more sophisticated attacks will not be far behind.
Exploiting Misconfigured Docker API Ports
Enterprises using containers to develop applications as part of their digital transformation process or shift to the cloud will need to start thinking more about security and how to protect against this new generation of attacks. The first step to achieving this is to understand what the potential attacks are and how they work.
Last year, a new type of attack emerged where the attackers scanned for a misconfigured Docker API port, among other misconfigurations. They then used the misconfigured port to deploy and run a malicious image that contained malware that was specifically designed to evade static scanning. Packers (including encrypters), and downloaders are all able to evade static scanning by, for example, encrypting binary code that is only executed in memory, making the malware active only in runtime.
All hope is not lost though, it is still possible to detect and defend against these types of attacks. The key is to use dynamic analysis rather than static scanning.
The Future Landscape – Sights on Kubernetes
The attack described above was generally launched with the intention of hijacking resources for crypto-mining. Looking ahead to what’s to come in 2021 and beyond, we are likely to see cyber-attackers setting their sights more on Kubernetes, bringing greater focus to breaching Kubernetes deployments, and becoming more sophisticated in how they target Kubernetes environments, and where they take it once inside. While we did observe breaches in 2020 which were related to unprotected Kubernetes clusters, for the most part the bad actors took advantage of some common security oversights. When it comes to the more sophisticated attacks there are two possibilities: either they have not happened yet, or more likely, have happened but were not noticed. With Kubernetes in wider use, that will not continue be the case in 2021.
The Kubernetes landscape will also change in the year ahead. While the number of Kubernetes distributions has been expanding in recent years, as more organizations gravitate to cloud-based Kubernetes offerings, the number will actually begin to shrink. Quite simply, operations teams will not be able to justify maintaining many Kubernetes distributions and it is likely that companies that provide platforms for managing cloud native deployments over Kubernetes will stop maintaining their own distributions.
In 2020, attackers launched a large number of orchestrated attacks on the software supply chain, targeting build features on Docker Hub, Git Hub, Circle CI and others. They also showed their hand for 2021: their objectives will be far more sinister than simply cryptocurrency mining, and the techniques they use will expand significantly. Likely examples of this will include image look-alikes, open source project takeovers and typo squatting. Taking the time to understand the attacks launched last year will help prepare for the attacks to come.