Aqua Research Team

In September 2020, Aqua’s Team Nautilus detected a campaign that targeted the automated build processes of GitHub and Docker Hub. At that time we notified the affected services and they blocked the attack. Now, this campaign has resurfaced with vengeance. In just four days, the attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources for cryptocurrency mining.

Last week, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. In this blog, I will explore these container images and what they were designed to do.

A new severe vulnerability was found in Unix and Linux operating systems that allows an unprivileged user to exploit this vulnerability using sudo, causing a heap overflow to elevate privileges to root without authentication, or even get listed in the sudoers file. In this blog, I’ll go over how this CVE can be exploited, what sudo versions are affected, and how to mitigate the issue.

It has certainly been a rough year and just as life constantly evolves, so do cyber threats. So, here are a few blogs by our cyber security research group, Team Nautilus, that got the most attention from cloud native security professionals. These blogs highlight how attackers continue to get more creative over time, as we cover container image exploitation, fileless malware, Kinsing malware, sophisticated evasion techniques, and much more.

A year of challenges isn’t quite over yet, as a new vulnerability was found in containerd, . When exploited, after providing a connection through the container to the host network, an attacker can gain root privileges on the host. This vulnerability was disclosed by Jeff Dileo of NCC Group, our investigation by Team Nautilus is aligned with his findings.

Our cyber research team detected a new type of attack that executes and runs malware straight from memory in containers, thus evading common defenses and static scanning. This malware is using a rootkit to hide its running processes, then hijacks resources by executing a crypto miner from memory — leaving a backdoor that enables attackers to do more damage. We found four container images in Docker Hub designed to execute fileless malware attacks.

Aqua’s Team Nautilus has uncovered a container image that, for the first time, allows bad actors to find and exploit vulnerabilities in Kubernetes clusters. The attackers propagate this malware through a Docker Hub lookalike account intended to dupe developers into downloading malicious images. To the best of our knowledge, this is the first known case where cyber attackers use this method to exploit cloud native stacks by specifically targeting weaknesses in Kubernetes clusters.

A new vulnerability was found in containerd, located in the container image-pulling process. The new CVE includes manipulation of the image manifest, allowing attackers to craft an image that can leak the host’s registry or cloud credentials when pulled from a registry. This leak occurs even before the image is running any code on your server. The CVE was found by Brad Geesaman who presented it in his "ContainerDrip" write-up, this blog post is based on that and summarises it, you can find the original write-up in the links below.

Over the past few weeks, TeamTNT grabbed headlines after launching several novel attacks against cloud native infrastructure. In response, Docker Hub decided to remove TeamTNT’s malicious images from its community and deleted the user 'Hildeteamtnt.' But just a few days later, TeamTNT reemerged with a catchy logo “Still alive” embedded in their scripts (although “still standing" by Elton John would have been more clever) and a brand-new Docker Hub account ‘kirito666.’ However, this time they didn’t settle for just swift account swapping, they returned with new and advanced techniques.