Aqua Security, the pure-play cloud-native security pioneer, has published new research from Team Nautilus revealing a continued rise in cyberattacks targeting container infrastructure and supply chains, and showing that it can now take less than one hour to exploit vulnerable container infrastructure. The ‘Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure’ provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks.

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.

Greater potential impact

“At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest-hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing backdoors, and data and credential theft.”

Among the new attack techniques, Team Nautilus uncovered a massive campaign targeting the auto-build of SaaS dev environments. “This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organisations,” added Morag.

Dropping dedicated malware

The results of this report were contributed as input into MITRE’s creation of its new MITRE ATT&CK Container Framework. MITRE ATT&CK is used worldwide by cybersecurity practitioners as a shared taxonomy of adversary tactics and techniques, covering both the offensive and the defensive side of the cyberattack kill chain. The Aqua report presents a detailed analysis of the high-profile attacks that Team Nautilus uncovered.

Key findings include:
- Higher levels of sophistication in attacks: attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.
- Botnets are swiftly finding and infecting new hosts as they become vulnerable: 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
- Cryptocurrency mining is still the most common objective: more than 90% of the malicious images execute resource hijacking.
- Increased use of backdoors: 40% of attacks involved creating backdoors on the host; adversaries are dropping dedicated malware, creating new users with root privileges and creating SSH keys for remote access.
- Volume of attacks continues to grow: daily attacks grew 26% on average between the first half and the second half of 2020.

Cloud-native environments

Team Nautilus used Aqua’s Dynamic Threat Analysis (DTA) product to analyse each attack. Aqua DTA is the industry’s only container sandbox solution that dynamically assesses container image behaviours to determine whether they harbour hidden malware. This lets organisations identify and mitigate attacks that target cloud-native environments, including attacks that static malware scanners cannot detect, well before deployment to production. Aqua Security’s 2021 ‘Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure’ is available now.
Aqua Security, the pure-play cloud native security solutions company, has published new research from Team Nautilus revealing that a significant majority of companies that move to multi-cloud environments are not properly configuring their cloud-based services. According to the new findings from Aqua Security’s ‘2021 Cloud Security Report: Cloud Configuration Risks Exposed’, these misconfigurations, for example leaving bucket or blob storage open, can expose companies to critical security breaches.

2021 Cloud Security Report

Reflecting the overwhelming number of configurations that practitioners must address, most companies have not addressed the bulk of these issues in a timely manner, even when they are aware of the errors. This is especially true of larger enterprises, which take an average of 88 days to address issues after discovery.

“When you consider that a single cloud misconfiguration can expose organisations to severe cyber risk, such as data breaches, resource hijacking and denial of service (DoS) attacks, the consequences of failing to address misconfiguration issues are all too real to ignore,” said Assaf Morag, Lead Data Analyst with Aqua Security’s Team Nautilus.

Aqua Security’s research methodology and findings

Over a period of 12 months, Aqua Security’s research team analysed anonymised cloud infrastructure data from hundreds of organisations. Users were divided into two groups based on the volume of cloud resources that they scanned: SMB (small and midsize business) users, who scanned between one and several hundred resources, and enterprise users, who scanned from several hundred up to a few hundred thousand distinct resources.

The research findings point to important security gaps, including:
- Less than 1% of enterprise organisations fixed all detected issues, while less than 8% of SMBs fixed all detected issues.
- More than 50% of all organisations receive alerts about misconfigured services with all ports open to the world, but only 68% of these issues were fixed, taking 24 days on average.
- Over 40% of users had at least one misconfigured Docker API, taking an average of 60 days to remediate.

Security posture issues across IaaS and PaaS accounts

These findings point to numerous security posture issues across Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) accounts, which suggest both a lack of understanding and an overwhelming number of issues requiring attention.

“Cloud-native applications improve agility by giving more people access to define the environment, but we see many organisations move away from a centralised approach to security,” said Morag, adding, “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralised approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organisation’s production environment.”

Causes of cloud-setting misconfigurations

The Aqua report examines the mistakes that lead to five common types of cloud-setting misconfigurations:
- storage (bucket/blob) misconfigurations
- identity and access management (IAM) misconfigurations
- data encryption issues
- exploitable services behind open ports
- container technology exploitation

The Aqua 2021 Security Report also provides recommendations on the best practices and policies that organisations can implement immediately in order to mitigate the risk of cloud misconfigurations, including:
- Instituting a formal remediation process to prioritise issues.
- Treating all API issues as critical, as adversaries actively scan for exposed API ports.
- Applying various IAM controls to establish layers of access control, such as multi-factor authentication (MFA) and identity federation.

Proactively fixing cloud misconfiguration issues

“Whether an organisation adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats,” said Ehud Amiri, Senior Director of Product Management at Aqua Security. Amiri adds, “Failure to do so will inevitably result in damage that can be much greater than with traditional OS or on-premises workloads.”

Aqua Security’s ‘2021 Security Report: Assessing Cloud Infrastructure Risks’ is available now.