Attacks against container infrastructure continue to increase in both frequency and sophistication. Scanning tools need only a few hours to find a newly exposed vulnerable container online. The attacks are becoming more evasive, and the software supply chain is increasingly targeted.

New report reveals worrying trends

A report from Aqua Security’s Team Nautilus reveals that attacks targeting companies’ container infrastructure, including Docker images, have climbed nearly 600% in a year.
  • Typosquatting and credential stuffing are two of the most common methods attackers use against servers hosting Docker daemons or Kubernetes containers.
  • Once attackers gain access, they most often install cryptomining software or attempt to escape the container to compromise the host system.
  • More than 90% of these attacks aim to hijack compute resources for cryptomining. Most of them are tied to the Kinsing malware campaign, which downloads cryptominers onto compromised hosts.

TeamTNT APT makes the most of it

  • The recent mass compromise of IPs through Kubernetes (K8s) containers by TeamTNT between March and May is one such example of the scale of the supply chain impact.
  • Researchers confirmed that close to 50,000 IPs across multiple clusters were compromised by the gang.
  • Some of these IPs were exploited repeatedly during this period to run a large-scale cryptojacking campaign.

What do researchers say?

For attackers, abusing container platforms for cryptojacking is a short-term source of profit. Researchers explain, however, that the long-term goal of such attacks is a backdoor into the environment, giving them further access to victims' environments and networks.

What else is in store?

Researchers are also wary of the growing sophistication of these attacks, particularly their evasion techniques. Attackers are hiding malicious payloads with packers and crypters such as UPX and ezuri. Organizations must therefore keep their container defenses current and adapt them to these techniques.
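The packed-payload problem above is something an image-scanning or incident-response pipeline can check for statically. The following Python script is an added example, not code from Aqua Security, Cyware or the TeamTNT/Kinsing tooling. It combines a signature check (the "UPX!" magic string UPX writes into its output and section names beginning with "UPX") with a packer-agnostic heuristic: Shannon entropy of each ELF section, where compressed or encrypted blobs sit close to 8 bits per byte. The 7.2-bit threshold, the 256-byte minimum section size, the `build_elf` helper and both sample images are constructed for this example; the samples are not real malware. A crypter such as ezuri leaves no fixed marker string in the file, so for it only the entropy heuristic applies.

```python
"""Heuristic check for packed ELF binaries: UPX markers plus section entropy.

Added example (not from the Aqua report or Cyware article). Samples are
constructed in this file; nothing here is a real malware sample.
"""
import hashlib
import math
import struct
from collections import Counter

UPX_MAGIC = b"UPX!"        # magic UPX writes into packed output
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes, little-endian


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def elf_sections(data: bytes):
    """Yield (name, raw_bytes) for every section of a little-endian ELF64 image.

    Yields nothing for non-ELF input or an ELF whose section headers were
    stripped (UPX-packed ELF executables usually have none)."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = 64-bit
        return
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return

    def shdr(i):  # returns (sh_name, sh_offset, sh_size)
        name, _type, _flags, _addr, off, size = struct.unpack_from("<IIQQQQ", data, e_shoff + i * e_shentsize)
        return name, off, size

    _, strtab_off, strtab_size = shdr(e_shstrndx)
    strtab = data[strtab_off:strtab_off + strtab_size]
    for i in range(e_shnum):
        name_off, off, size = shdr(i)
        end = strtab.find(b"\x00", name_off)
        name = strtab[name_off:end if end != -1 else None].decode("ascii", "replace")
        yield name, data[off:off + size]


def classify(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Return packer indicators for one binary image (threshold is an assumption)."""
    sections = list(elf_sections(data))
    upx_names = [name for name, _ in sections if name.startswith("UPX")]
    high = []
    for name, blob in sections:
        if len(blob) < 256:            # tiny sections give noisy entropy values
            continue
        h = shannon_entropy(blob)
        if h >= entropy_threshold:
            high.append((name, round(h, 2)))
    has_magic = UPX_MAGIC in data
    return {
        "upx_marker": has_magic,
        "upx_sections": upx_names,
        "high_entropy_sections": high,
        "packed_suspect": has_magic or bool(upx_names) or bool(high),
    }


def build_elf(sections) -> bytes:
    """Assemble a minimal (non-loadable) ELF64 image with the given (name, bytes)
    sections, a NULL section 0 and a trailing .shstrtab. Test helper only."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    shstrtab, name_offsets = b"", []
    for n in names:
        name_offsets.append(len(shstrtab))
        shstrtab += n.encode() + b"\x00"
    body, offsets = b"", []
    for _, blob in sections:
        offsets.append(64 + len(body))
        body += blob
    shstr_off = 64 + len(body)
    e_shoff = shstr_off + len(shstrtab)
    shnum = len(names)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))            # SHN_UNDEF entry
    for i, (_, blob) in enumerate(sections):
        shdrs += struct.pack(SHDR_FMT, name_offsets[i + 1], 1, 0, 0, offsets[i], len(blob), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, name_offsets[-1], 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + body + shstrtab + shdrs


def pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) so the sample is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: ordinary low-entropy sections vs. a UPX-style layout.
CLEAN = build_elf([(".text", bytes(range(64)) * 32), (".data", b"hello container\x00" * 64)])
PACKED = build_elf([("UPX0", b""), ("UPX1", UPX_MAGIC + pseudo_random(4096))])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        print(label, classify(image))
```

On a real fleet the same `classify` call would run over binaries pulled from image layers or carved from a compromised host; treat `packed_suspect` as a triage signal to be confirmed by unpacking or dynamic analysis, since legitimate software is sometimes UPX-packed too.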

Cyware Publisher