The second annual threat report from the Sysdig Threat Research Team (Sysdig TRT) is packed with their findings and analysis of some of the hottest and most important cybersecurity topics this year. Threat actors are really embracing the cloud and are using it to their advantage to evade detection and speed up their attacks.
In the 2022 Cloud-Native Threat Report, the Sysdig TRT profiled TeamTNT, a cloud-native threat actor that targets both cloud and container environments, primarily for cryptomining purposes. The Sysdig TRT showed that cryptojacking costs victims $53 for every $1 that an attacker generates on stolen resources. The team also focused on security of the software supply chain by reporting on malicious containers within public image repositories. Some of those malicious images were used in distributed denial of service (DDoS) campaigns associated with Russia’s invasion of Ukraine, which included participation from both threat actors and civilian supporters.
This year, the Sysdig TRT explored targeted cloud attacks against industry verticals, showing that the telecommunications and financial sectors are most frequently in the crosshairs. The team found that cloud attackers are living off the air, evolving their techniques and toolkits in sophisticated ways by leveraging cloud services and cleverly abusing common misconfigurations. Using their worldwide honeynets, the Sysdig TRT shed light on an alarming truth: Attacks in the cloud are lightning fast, with mere minutes being the difference between detection and serious damage.
Last, but certainly not least, the team advanced its research on supply chain security. The team explored software repositories as attack targets and revisited the subject of hidden malicious images, some of which can only be identified with runtime security controls.
We’ll review some of these highlights below, but you can download the full report for additional details.
Cloud Automation and Speed, Weaponized
As more organizations are transitioning to cloud-native environments and the complexity of these environments increases, attackers are using this to their advantage. Reported attacker dwell time continues to decrease, which means that defenders are doing their jobs well and finding attackers in their environments quicker. Mandiant said dwell time was only 16 days before an organization found it was compromised. Attackers know they have less time to act before they are caught. Within five minutes of credential discovery, a targeted attack has already begun. In another five minutes, the attacker will have accomplished their goals, whether they be privilege escalation, destructive, or financially motivated.
How are attackers moving so quickly through their attack chain? They are using automation. Automated reconnaissance and discovery tools go to work when an opportunity, or credential, presents itself, so the attacker has the lay of the land in no time. Attackers use tools to continually scan for opportunities, such as publicly-exposed credentials. Upon initial access, they instantly gather as much information as possible about the victim’s environment.
Attackers are Operating in Stealth Mode
Not only are cloud attackers fast, they are making it harder for defenders to find them too. They are living off the air by using the complexity of the cloud to blend in. By using existing cloud services and policies to move through a victim’s cloud environment, IoC-based defenses are ineffective and advanced cloud threat detection is a must.
We found evidence of attackers obfuscating their source IP address using AWS VPCs. These spoofed IPs will show up in the victim’s CloudTrail logs, therefore appearing benign and bypassing the typical security measures that rely on source IP addresses. This makes it harder for defenders to differentiate an attacker from normal IP addresses used in the internal network.
In another sophisticated attack described in the report, we witnessed an attacker taking advantage of AWS CloudFormation to give themselves multiple privilege escalation opportunities. Roles might be locked down, but if the organization is using CloudFormation, it may offer another route to get the privileges the attacker needs.
The Need for Runtime
The team dug deeper this year using their custom-built DockerHub scanner and found out exactly how many malicious images your standard static analysis and vulnerability scanning misses. It turns out, runtime analysis found an additional 10% of hidden malicious images that the combination of static analysis and vulnerability scanning did not pick up on.
The Sysdig TRT also expanded their research beyond DockerHub to find out where else attackers were lurking. PyPi repositories received the most unique interactions, which is likely due to a couple things: the use of Python in AI and the recent supply chain attacks using the repository. The team also saw Helm charts in GitHub highly targeted by attackers looking for credentials. Helm is the most popular tool for configuring Kubernetes clusters, and compromising Helm can allow an attacker to compromise an entire Kubernetes cluster.
Conclusion
Attackers are embracing and taking full advantage of the same cloud resources that defenders and security managers are using. They will only continue to become more savvy as cloud-native tools and applications are the primary means of networks and security. As CSPs and security vendors continue to improve their security offerings, we expect to continue seeing supply chain compromises as a priority for both attackers and defenders alike.
Want more? Download the full 2023 Global Cloud Threat Report for more attack details and analysis. You can also find all of Sysdig TRT’s blogs here.