Cyber attackers are leveraging privilege escalation techniques and attempting to escape from within the container to the host machine as they continue to advance and adapt their tactics, targeting both the software supply chain of cloud-native applications and the infrastructure those applications run on, researchers from Aqua Security’s Team Nautilus revealed in a report on Monday.
The report, titled ‘Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure’, collected data from honeypots over a period of six months. In that period the researchers observed 17,358 individual attacks, and the attack volume continued to increase, growing by 26 percent between the first half and second half of 2020. The report provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks, and the researchers expect a continued rise in cyberattacks targeting container infrastructure and supply chains, noting that it can now take less than one hour to exploit vulnerable container infrastructure.
Adversaries keep searching for new ways to attack cloud-native environments, and the researchers identified massive campaigns targeting supply chains, the auto-build process of code repositories, registries, and critical infrastructure (CI) service providers, the report said. This was not a common attack vector in the past. Attackers are also getting better at hiding their attacks using advanced techniques, such as executing malware straight from memory, packing binaries, and using rootkits.
Attackers are also saving resources and becoming more efficient by using readily available offensive security tools, according to the Aqua Security report. This helps them find and exploit vulnerabilities while saving the time of developing their own tools, the report said. While many attacks set cryptocurrency mining as their objective, some attempt to hide more sinister objectives, such as backdoors, malware deployments, and credential theft, it added.
The report also highlighted that adversaries are continually looking for new and sophisticated ways to improve their nefarious attacks. Hiding an attack during a CI build can succeed in most organizations’ CI environments. The attack targets supply-chain processes and could be modified to target other hidden supply chain components, processes, or even the build artifacts themselves, which can pose a severe threat.
The Aqua Security results were contributed as input into MITRE’s creation of its new MITRE ATT&CK Container Framework, used globally by cybersecurity practitioners to describe the taxonomy for both the offense and defense cyber-attack kill chain.
MITRE has since updated the ATT&CK framework specifically for containers, and the Aqua Security classification now reflects this new framework.
U.S. and U.K. security agencies released last month a joint cybersecurity advisory on the SolarWinds supply chain attack, pinning the blame on hackers from the Russian Foreign Intelligence Service (SVR). The advisory also identified further TTPs (tactics, techniques, and procedures) associated with these actors, noting that SolarWinds Orion products are currently being exploited by malicious actors in a way that permits an attacker to gain access to network traffic management systems.
The U.S. administration has taken numerous measures to secure the nation’s critical infrastructure. Last week, the National Security Agency (NSA) released a Cybersecurity Technical Report that provides best practices and mitigations for securing unified communications (UC) and voice and video over IP (VVoIP) call-processing systems. The agency also published an abridged Cybersecurity Information Sheet to capture key takeaways, and introduce the steps organizations should take when securing their UC/VVoIP systems.
UC/VVoIP systems have emerged as workplace call-processing systems that provide a variety of collaboration tools, as well as the flexibility to communicate using voice, video conferencing, and instant messaging, the NSA said in its statement. However, the same IP infrastructure that enables UC/VVoIP systems also extends the attack surface into an enterprise’s network, introducing vulnerabilities and the potential for unauthorized access to communications, the NSA said.
Such vulnerabilities were harder to reach in earlier telephony systems, but now voice services and infrastructure are accessible to malicious cyber attackers, who penetrate the IP network to eavesdrop on conversations, impersonate users, commit toll fraud, or cause denial-of-service effects. High-definition room audio and video could also be covertly collected.
The NSA guidance comes less than two weeks after a similar set of recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) that called upon critical infrastructure (CI) owners and operators to review their systems, as the U.S. administration responded to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems.