One 2021 study suggests that cloud native environments are the second-most attractive targets after crypto, due to the broad attack surfaces.

In new cyber research using honeypots to lure attackers into monitored environments, it has been found that threat actors are adopting more sophisticated techniques, leveraging multiple attack components, and shifting attention to Kubernetes and the software supply chain.

The evolving new methods to target cloud native environments were second only to crypto hacking tactics, techniques and procedures. However, the research unveiled an increased usage of backdoors, rootkits and credential stealers, which were signs that intruders had more than just crypto mining in their plans.

In 54% of attacks (up 9% compared with the situation in 2020), backdoors were encountered, while malicious container images containing worms were found in 51% of incidents—up 10% compared with 2020 data.

Threat actors studied in the research had also broadened their targets to include CI/CD and Kubernetes environments, up 9% compared with 2020 figures. In this threat vector, 19% of malicious container images analyzed targeted Kubernetes, including kubelets and API servers.

Other key findings

In addition to using honeypots are bait, the research also involved studying images and packages from public registries and repositories. Key findings include:

  • The proportion and variety of observed attacks targeting Kubernetes had increased, including wider weaponization of Kubernetes UI tools.
  • Supply chain attacks represented 14.3% of the particular sample of images from public image libraries, point to their effectiveness in attacking cloud native environments.
  • Multiple malicious techniques, including known malware, fileless execution, reverse shell executions and files that were downloaded and executed from memory, had been quickly adopted to exploit the Log4j zero-day vulnerability—emphasizing the need for runtime protection.
  • Although the threat group TeamTNT had announced its retirement in Dec 2021, they attacked the honeypots in this research project. However, no new tactics were used, so it is unclear if the group was still in operation or if the ongoing attacks had originated from automated attack infrastructure. Regardless, cyber defense teams should continue preventative measures against this group and similar threats. 

According to Assaf Morag, Threat Intelligence and Data Analyst Lead, Team Nautilus, Aqua Security, the firm that conducted the research: “Cloud native environments now represent a target for attackers, and the techniques are always evolving. The broad attack surface of a Kubernetes cluster is attractive for threat actors, and then once they are in, they are looking for low-hanging fruit. Security practitioners, developers and DevOps teams must seek out security solutions that are purpose-built for cloud native. Implementing proactive and preventative security measures will allow for stronger security and ultimately protect environments.”

Morag added that organizations should secure their cloud native environments with runtime security measures, a layered approach to Kubernetes security, and total visibility across the entire cloud native stack.