Aqua Research Team

The cloud native threat landscape is evolving fast, with . While adversaries are constantly advancing their techniques to craft more sophisticated and targeted attacks, organizations are leaving themselves exposed. analyzes attacks observed in the wild and identifies major trends in the threat landscape for container supply chain and infrastructure. What insights can we learn from the findings?

The past couple of years have seen a rise in software supply chain attacks, with the most salient example being the Solarwinds attack. As production environments have gained multiple layers of protection, and much of the attention of security teams, malicious actors have set their sights on “poisoning the well”, i.e., target where applications are developed or their building block components. But what does this mean for cloud native? Are cloud native applications more susceptible to supply chain attacks? Let’s try to answer these questions, using examples from Aqua’s Team Nautilus cyber research findings from attacks observed in the wild.

In April, MITRE published the ATT&CK matrix for Containers covering adversarial techniques that target container technologies. At Aqua, we were proud to support this effort by sharing our knowledge and helping refine and extend the matrix. As for the risks in Kubernetes, Microsoft created a framework for Azure-based environments (AKS), but what about vanilla K8s? We incorporated techniques that Aqua researchers have observed in real-world attacks and developed our own dedicated threat matrix for Kubernetes, mapped to the MITRE ATT&CK Framework.

Insufficient access restrictions, permissive storage policies, and publicly exposed assets are only a few of the mistakes companies make when configuring their cloud infrastructure. The scale of the problem is mind-blowing, with 90% of organizations being vulnerable to security breaches due to cloud misconfigurations. Aqua’s Cloud Security Report sheds light on the most common cloud configuration issues in real production environments.

A recent security incident disclosed by Codecov has again placed the spotlight on supply chain attacks. Looking at the details of the incident and how the system operated, it’s clear that organizations should make changes to how they use third party services as part of their Continuous Integration (CI) pipelines. So what can you do to reduce the risk of this occurring?

Java Debug Wire Protocol (JDWP) is a great way to remotely debug applications during development. However, if enabled when shipped to production, hackers can exploit this mistake by running an arbitrary code that allows initial access or privilege escalation in your production environment. Using Aqua’s Dynamic Threat Analysis (DTA) scanner, we at Team Nautilus detected dozens of misconfigured container images in Docker Hub, which belong to large organizations and may expose them to severe risk when running in production. In this blog, I will show how attackers can exploit this misconfiguration and explain the threats to containers and Kubernetes.

In September 2020, Aqua’s Team Nautilus detected a campaign that targeted the automated build processes of GitHub and Docker Hub. At that time we notified the affected services and they blocked the attack. Now, this campaign has resurfaced with vengeance. In just four days, the attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources for cryptocurrency mining.

Last week, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. In this blog, I will explore these container images and what they were designed to do.

A new severe vulnerability was found in Unix and Linux operating systems that allows an unprivileged user to exploit this vulnerability using sudo, causing a heap overflow to elevate privileges to root without authentication, or even get listed in the sudoers file. In this blog, I’ll go over how this CVE can be exploited, what sudo versions are affected, and how to mitigate the issue.