Supply Chain Cyber Attacks Increasing
June 22, 2021
Research from Aqua's Team Nautilus revealed a continued rise in
cyberattacks targeting container infrastructure and supply
chains, and showed that it can now take less than one hour to
exploit vulnerable container infrastructure. The Cloud Native
Threat Report: Attacks in the Wild on Container Infrastructure
provides a detailed analysis of how bad actors are getting
better at hiding their increasingly sophisticated attacks.
“The threat landscape has morphed as malicious adversaries
extend their arsenals with new and advanced techniques to avoid
detection,” said Assaf Morag, Lead Data Analyst with Aqua’s Team
Nautilus. “At the same time, we’re also seeing that attacks are
now demonstrating more sinister motives with greater potential
impact. Although cryptocurrency mining is still the lowest
hanging fruit and thus is more targeted, we have seen more
attacks that involve delivery of malware, establishing of
backdoors, and data and credentials theft.”
Among the new attack techniques, Team Nautilus uncovered a
massive campaign targeting the auto-build of SaaS dev
“This has not been a common attack vector in the past, but that
will likely change in 2021 because the deployment of detection,
prevention, and security tools designed to protect the build
process during CI/CD flow is still limited within most
organizations,” added Morag.
The results of this report were contributed as input into
MITRE's creation of its new MITRE ATT&CK Container Framework.
MITRE ATT&CK is used worldwide by cybersecurity practitioners as
a common taxonomy of adversary tactics and techniques across the
cyberattack kill chain, on both the offensive and defensive
sides.
The Aqua report presents detailed analysis of the
high-profile attacks that Team Nautilus uncovered. Key findings
include:
Higher levels of sophistication in attacks: Attackers have
amplified their use of evasion and obfuscation techniques in
order to avoid detection. These include packing the payloads,
running malware straight from memory, and using rootkits.
Botnets are swiftly finding and infecting new hosts as they
become vulnerable: 50% of new misconfigured Docker APIs are
attacked by botnets within 56 minutes of being set up.
Cryptocurrency mining is still the most common objective: More
than 90% of the malicious images perform resource hijacking.
Increased use of backdoors: 40% of attacks involved creating
backdoors on the host; adversaries are dropping dedicated
malware, creating new users with root privileges and creating
SSH keys for remote access.
Volume of attacks continues to grow: Daily attacks grew 26% on
average between the first half and second half of 2020.
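The 56-minute figure above concerns Docker daemons whose remote API is reachable without authentication. As an added defender-side check (example code written for this page, not Aqua's tooling or anything from the report), the script below audits a dockerd command line and an optional daemon.json for tcp:// listeners that are not protected by --tlsverify; the sample command lines and configuration are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

# Addresses only local processes can reach: still unauthenticated, but not
# the internet-facing case the report's 56-minute figure describes.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _listen_addresses(argv, daemon_json):
    """Collect every listen address dockerd would use, and whether client
    certificates are required (--tlsverify flag or "tlsverify": true)."""
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    cfg = json.loads(daemon_json) if daemon_json else {}
    # Real dockerd refuses to start if both sources set hosts; the audit
    # simply looks at whatever is configured in either place.
    hosts += cfg.get("hosts", [])
    return hosts, tlsverify or bool(cfg.get("tlsverify"))


def audit_dockerd(cmdline, daemon_json=None):
    """Return findings for tcp:// listeners that accept requests without
    client-certificate authentication. An empty list means none found."""
    hosts, tlsverify = _listen_addresses(shlex.split(cmdline), daemon_json)
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp" or tlsverify:
            continue  # unix://, fd://, or a TLS-authenticated listener
        addr = url.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        scope = "loopback only" if addr in LOOPBACK else "reachable from the network"
        findings.append(f"unauthenticated Docker API on tcp://{addr}:{url.port} ({scope})")
    return findings


if __name__ == "__main__":
    # Constructed sample: a host that exposed the API on all interfaces.
    for f in audit_dockerd("dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"):
        print(f)
```

Note that `--tls` alone only encrypts the connection; without `--tlsverify` any client can still issue API calls, so the check deliberately treats it as unauthenticated.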
Team Nautilus utilized Aqua's Dynamic Threat Analysis (DTA)
product to analyze each attack. Aqua DTA is the industry's only
container sandbox solution that dynamically assesses container
image behaviors to determine whether they harbor hidden malware.
This enables organizations to identify and mitigate attacks that
target cloud native environments well before deployment in
production, including attacks that static malware scanners
cannot detect.