The inaugural 2022 Sysdig Cloud-Native Threat Report exposes some of the year’s most pervasive and costly cloud threats. As organizations’ use of containers and cloud services continues to grow, attackers are turning their attention to the cloud.
A single threat actor can make substantial gains simply by taking advantage of misconfigurations and old exploits, earning thousands of dollars almost passively off their victims’ cloud infrastructure.
Containers let developers get infrastructure up and running fast, but if an attacker has hidden malicious code inside an image, everything that runs that image can be compromised.
However, not all threat actors are about profiteering. The conflict between Russia and Ukraine shows a cyberwarfare component with government-supported threat actors and civilian hacktivists taking sides.
Cryptomining is increasingly popular among profit-motivated threat actors. It has much lower overhead than ransomware: the miner only needs to run on a computing resource, and the attacker can start cashing in. And because many cryptocurrencies are designed for privacy, payouts are hard to trace and it is easier not to get caught. You don’t hear a lot of stories of cryptojackers going to jail!
TeamTNT, a notorious cloud-targeting threat actor, made at least $8,100 in directly attributed cryptowallets, while costing its victims more than $430,000 in cloud bills. While $8,100 isn’t massive, it’s passive income for the criminal and a monstrous bill for someone else.
The 2022 Sysdig Cloud-Native Security and Usage Report also shows that 61% of all images pulled come from public repositories. Attackers are aware this is how code is assembled today, so they’ve turned public repositories into an attack vector.
To investigate, the Sysdig Threat Research Team (Sysdig TRT) built a custom system to scan Docker Hub and identify malicious container images using both static and runtime analysis.
The team scanned more than 250,000 images, and the results showed that threat actors are actively using Docker Hub to spread malware. Most of it takes the form of cryptojackers; however, malicious websites, hacking tools, and other unwanted software were also found in the images.
Organizations need to be careful not to use these malicious container images by accident, as it can lead to a much larger compromise through a supply chain attack. To protect customers, the Sysdig TRT maintains a continually updated feed of known bad container images, identified by their SHA-256 digests. Matching on the digest rather than the image name matters: a tag such as `latest` can be re-pointed at a different image at any time, while a digest identifies exactly one image.
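One way to put such a feed to use is to check every image a deployment references against it before (or after) it is pulled. The following is an added example, not Sysdig’s code and not its feed format: the feed lines, the image references and the `RepoDigests`-style values are all constructed for illustration, and the digests are placeholders, not real malicious images. It flags images whose pinned or resolved digest is on the list, and separately flags images referenced only by a mutable tag, since the digest the tag resolves to today is not what it will resolve to tomorrow.

```python
"""Check container image references against a feed of known-bad image digests.

Added example. The feed format, the digests and the image list are constructed
for illustration; they are not Sysdig's feed or real malicious images.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample feed (hypothetical format): digest, first_seen, label.
SAMPLE_FEED = f"""
# digest, first_seen, label
sha256:{'1' * 64}, 2022-03-01, cryptominer
sha256:{'2' * 64}, 2022-03-15, ddos-tool
"""

# Constructed sample: (reference as written in the deployment manifest,
# RepoDigests as reported by the container runtime for the pulled image).
SAMPLE_IMAGES: List[Tuple[str, List[str]]] = [
    ("docker.io/library/alpine@sha256:" + "3" * 64, ["alpine@sha256:" + "3" * 64]),
    # Tag-only reference that the runtime resolved to a known-bad digest.
    ("docker.io/acme/build-helper:latest", ["acme/build-helper@sha256:" + "1" * 64]),
    # Tag-only reference that resolves to a clean digest: still unpinned.
    ("docker.io/acme/webapp:1.4", ["acme/webapp@sha256:" + "4" * 64]),
    # Manifest pinned directly to a known-bad digest; nothing pulled yet.
    ("docker.io/acme/tools@sha256:" + "2" * 64, []),
]


@dataclass
class Finding:
    reference: str
    digest: Optional[str]
    verdict: str  # "blocked", "unpinned" or "ok"
    label: str = ""


def parse_feed(text: str) -> Dict[str, str]:
    """Return {digest: label}, rejecting malformed digests instead of silently
    skipping them (a malformed feed line should be treated as a feed problem)."""
    bad: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _first_seen, label = (field.strip() for field in line.split(","))
        digest = digest.lower()
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in feed: {digest!r}")
        bad[digest] = label
    return bad


def digest_of(reference: str) -> Optional[str]:
    """Extract the sha256 digest from 'repo@sha256:<hex>'; None for tag-only
    references such as 'alpine:3.16'."""
    if "@" not in reference:
        return None
    digest = reference.rsplit("@", 1)[1].lower()
    return digest if DIGEST_RE.match(digest) else None


def check_image(reference: str, repo_digests: List[str], feed: Dict[str, str]) -> Finding:
    """Compare the pinned digest (if any) and every digest the runtime resolved
    the reference to against the feed. Any hit blocks the image."""
    pinned = digest_of(reference)
    resolved = sorted({d for d in map(digest_of, repo_digests) if d} | ({pinned} if pinned else set()))
    hit = next((d for d in resolved if d in feed), None)
    if hit:
        return Finding(reference, hit, "blocked", feed[hit])
    if pinned is None:
        # Clean today, but a tag can be re-pointed: report it so it gets pinned.
        return Finding(reference, resolved[0] if resolved else None, "unpinned")
    return Finding(reference, pinned, "ok")


def check_images(images: List[Tuple[str, List[str]]], feed: Dict[str, str]) -> List[Finding]:
    return [check_image(ref, digests, feed) for ref, digests in images]


if __name__ == "__main__":
    for finding in check_images(SAMPLE_IMAGES, parse_feed(SAMPLE_FEED)):
        print(f"{finding.verdict:9} {finding.reference} {finding.label}".rstrip())
```

In a pipeline the feed would be fetched from a trusted, pinned source and the image list taken from the deployment manifests or from the runtime (for example the `RepoDigests` field of `docker image inspect`); an `unpinned` finding is the cue to replace the tag with an `@sha256:` reference so the check stays meaningful.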
When the Russia-Ukraine conflict started, a cyberwar also began between the two countries. This is the first time cyberwarfare operations have been used in military operations in such a public way. Over 150,000 volunteers joined the Ukrainian side of this cyberconflict as hacktivists.
Distributed denial of service (DDoS) and destructive attacks using hard drive wipers were the hallmark of the cyberwar, at least on the public-facing side. Hacktivists on both sides have largely participated by joining the DDoS attacks. Almost immediately after the invasion started, the Sysdig global honeynet began to see a sharp rise in the amount of DDoS malware being installed. Before this, most of the malware it captured was related to cryptojacking.
Conflict participants used containers to get involved. DDoS tools with configurations that allowed users to automatically pull down target lists were pre-installed and rapidly distributed in Docker containers. These containers were shared using public repositories like Docker Hub. This lowered the bar substantially for people to get involved and increased the amount of participation on both sides.
Attackers are starting to understand the value of cloud resources, whether for cryptomining, data theft, or as attack platforms. This trend will continue as more companies move from on-premises to cloud. The same logic extends to containers, which are becoming another dependency that needs to be considered when thinking about threats to the supply chain. While the geopolitical situation as a whole is beyond the scope of the report, such conflicts will increasingly involve cyber operations as countries come to depend on resources that have moved to cyberspace.
Security and DevOps teams need to watch for these threats as they work to secure their cloud infrastructures. Visibility into cloud and container environments is critical as threats start to make use of these resources.