Aqua Research Team

A year of challenges isn’t quite over yet, as a new vulnerability was found in containerd, . When exploited, after providing a connection through the container to the host network, an attacker can gain root privileges on the host. This vulnerability was disclosed by Jeff Dileo of NCC Group, our investigation by Team Nautilus is aligned with his findings.

Our cyber research team detected a new type of attack that executes and runs malware straight from memory in containers, thus evading common defenses and static scanning. This malware is using a rootkit to hide its running processes, then hijacks resources by executing a crypto miner from memory — leaving a backdoor that enables attackers to do more damage. We found four container images in Docker Hub designed to execute fileless malware attacks.

Aqua’s Team Nautilus has uncovered a container image that, for the first time, allows bad actors to find and exploit vulnerabilities in Kubernetes clusters. The attackers propagate this malware through a Docker Hub lookalike account intended to dupe developers into downloading malicious images. To the best of our knowledge, this is the first known case where cyber attackers use this method to exploit cloud native stacks by specifically targeting weaknesses in Kubernetes clusters.

A new vulnerability was found in containerd, located in the container image-pulling process. The new CVE includes manipulation of the image manifest, allowing attackers to craft an image that can leak the host’s registry or cloud credentials when pulled from a registry. This leak occurs even before the image is running any code on your server. The CVE was found by Brad Geesaman who presented it in his "ContainerDrip" write-up, this blog post is based on that and summarises it, you can find the original write-up in the links below.

Over the past few weeks, TeamTNT grabbed headlines after launching several novel attacks against cloud native infrastructure. In response, Docker Hub decided to remove TeamTNT’s malicious images from its community and deleted the user 'Hildeteamtnt.' But just a few days later, TeamTNT reemerged with a catchy logo “Still alive” embedded in their scripts (although “still standing" by Elton John would have been more clever) and a brand-new Docker Hub account ‘kirito666.’ However, this time they didn’t settle for just swift account swapping, they returned with new and advanced techniques. 

Aqua’s Team Nautilus detected an impressive campaign that set out to hijack resources to enable cryptocurrency mining. This operation focused on several SaaS software development environments, including Docker Hub, GitHub, Travis CI, and Circle CI, by abusing their automated build processes.

Ever notice how news about hidden malware almost always focuses on remediation AFTER the fact? So did we. Even now, there’s yet another news story about a rash of attacks by a group called TeamTNT. They used a crypto-mining worm to steal AWS credentials from Docker Hub. Well, if hijacking cloud resources is so popular, it’s time to make finding threats BEFORE the attack just as fashionable. Our investigation determined that dynamic analysis could have saved some overworked security teams a lot of time and aggravation — if these images were detected and removed from Docker Hub before being deployed — in much the same way it helps security teams with their private registries.

We have some exciting news about two new features in Tracee, Aqua’s open source container and system tracing utility. Now, Tracee is much more than just a system call tracer, it’s a powerful tool that can be used to perform forensic investigations and dynamic analysis of binaries – both are incredibly useful when looking for hidden malware. Tracee can provide users with timely insights that previously required special knowledge and tools.

We at Team Nautilus - Aqua’s cyber security research team - discovered a new type of attack against container infrastructure. The attacker exploits a misconfigured Docker API port in order to and a malicious container image on the host. As far as we know, this is the first time that an attack in which the attacker builds an image rather than pulling it from a public registry is observed in the wild.