Aqua Security said in its 2020 Cloud-Native report that botnets attack over fifty percent of newly misconfigured dockers. The cloud-based security agency said it took the attacker an average of five hours to scan the new honeypot. Aqua Security noted that most of the attacks were focused on crypto mining, which “could be considered more of a nuisance than a serious threat.” However, 40% of the attacks also involve the back door of the victims gaining access to the environment and networks.
The back doors were enabled by removing dedicated malware or creating new users with key benefits and SSH keys for remote access. Insects are involved in identifying and infecting new victims in more than 36% of attacks. Opponents continue to search for new ways to attack cloud-native environments. The Aqua Security study noted that they only look for 2375 ports (encrypted docker connections) and other ports related to cloud-native services. The campaign was aimed at supply chain, automated code processing, registry and CI service providers.
There have also been attacks via Docker Hub and GitHub where opponents rely on typographic errors or misspellings of popular public projects, to drive developers to extract and run container images or packages of malicious code. Attackers are expanding their arsenals with new and advanced technology to avoid detection, such as taking advantage of enhancement strategies to protect containers on host machines.
The report was analyzed using Dynamic Threat Analysis (DTA) tools of Aqua Security, powered by the open source Tracy Project. The software enables users to perform runtime protection and forensics in a Linux environment using EBPF (a Linux firewall framework). The attacker’s strategies were classified according to the meter ATT and CK structures for a complete and extended arsenal map of the attackers from initial access to data acceleration and everything in between. Between June 2019 and December 2020, the Aqua team observed that botnets quickly detect and infect new hosts because they are at risk.
The team observed the personal “honeypot” attack with greater practice in terms of disadvantaged growth, privacy and perseverance. The average number of attacks also increased: from 12.6 per day in the second half of 2012 to 77 per day in the first half of 2020.
