#### Cloud Native Threat Report
# Attacks in the Wild on the Container Supply Chain and Infrastructure

June 2021


June 2021


-----

## Table of Contents

###### 3 Introduction

 4 Key Findings 5 Attack patterns overview

 6 Observed attacks on cloud native

 6 Attacks by image classification 7 Behavior and trend analysis 10 Attacking IP addresses (inbound communication)

 12 Analysis Based on MITRE ATT&CK Framework
 for containers

 13 Detailed analysis

 29 Conclusions

 31 Appendix A: Detailed analysis of the attacks

 33 Appendix B: How we analyzed the attacks


-----

**Attacks trend between June 2019 and Dec. 2020**

**Number of**
**Honeypots Attacks**

18,000

15,000

14,000

**26%**

12,000 **17,521**

10,000 **450%** **13,854**

8,000

6,000

4,000

2,000

**2,516**

0

**H2** **H1** **H2**
**2019** **2020** **2020**


-----

###### Key findings

 • [Bad actors are getting better at hiding their attacks using advanced techniques, ]
such as executing malware straight from memory, packing binaries, and
using rootkits

###### • [Attackers are leveraging privilege-] Massive campaigns
escalation techniques and attempting
to escape from within containers to the **targeted supply chains,**
host machine

###### • [Adversaries keep searching for ] the auto-build process
new ways to attack cloud native
environments. We identified massive **of code repositories,**
campaigns targeting supply chains,
the auto-build process of code **registries, and CI**
repositories, registries, and CI service
providers. This was not a common attack **service providers**
vector in the past



###### • [Adversaries are saving resources and becoming more efficient by using readily-]
available offensive security tools. This helps them to find vulnerabilities and exploit
them, and saves the time of developing their own tools

###### • [While many attacks set crypto-currency mining as their objective, some attempt to ]
hide more sinister objectives, such as backdoors, malware deployments, and
credential theft

###### • [Attack volume continued to increase, growing by 26% between H1 and H2 of 2020]


-----

behaviors and network communication, see Appendix A.

Sophisticated
Attacker

Docker Daemon

Privilege escalation and persistence Worm aimed to find more victims

Backdoor Shell Cron job Container Random/ Worm Scanning for misconfigured Sending data to the
(Insert new script on the host escape alpine:latest script docker daemons attacker’s C2 server
SSH keys)

Privilege escalation and persistence Resource Hijacking

Packed

ELF binary Shell script ELF binary

Code executed Code executed
from memory from memory

Rootkit deployed Python Script
on host

Backdoor

IRC server Tsunami Offensive Security Tool - Post Cryptominer Crypto mining pool
Attacker’s command malware exploitation SSH keys stealer moneroocean[.]stream
and control


Privilege escalation and persistence

Backdoor Shell Cron job Container
(Insert new script on the host escape
SSH keys)


-----

## Observed attacks on cloud native

We classified the attacks based on the level of sophistication used in the container
images, and on their impact.

###### Attacks by image classification 

 Legitimate image name

These attacks use a dedicated image that delivers and executes malicious code.
Additionally, the author of the image might use various techniques to avoid detection,
such as turning off security tools or obfuscating files. In most cases, the level of
complexity is medium. The adversaries design the image and place it in Docker Hub,
using a misleading name, for example, Nginx.

###### Vanilla image — malicious command

This type of attack uses a vanilla, or innocuous-looking image such as Alpine or
Ubuntu, not designed to deliver a payload or run malicious code. The payload is
delivered and initiated at a later stage by the entry-point command that downloads
malicious components during runtime. The adversaries use the latest version of an
official and popular vanilla image for instance, alpine: latest.

Using an official and seemingly benign image increases the chances of passing a
security scan by most security tools, since it should not have any vulnerabilities or
malicious components. Some organizations permit the use of images only from a
predetermined, explicitly allowed list. Using an official, popular image increases the
chances that the attack will be executed as planned since these images are likely to
be pre-approved for use.

###### Building directly on hosts

In the second half of 2020, we saw a new type of attack — building the image directly
on the target host. The adversaries used a Docker SDK for Python package to send
commands to a misconfigured Docker API. The attack sequence started by sending


-----

and avoid detection or blocking by security tools.

**Image types used to conceal the campaigns**

5.5%

0.01%​​

Legitimate image name ​

94.5%​​

Build on host

Vanilla images ​​


d **[Blog](https://blog.aquasec.com/malicious-container-image-docker-container-host)**
t. [Threat Alert: Attackers Building](https://blog.aquasec.com/malicious-container-image-docker-container-host)

[Malicious Images Directly on Your Host ›](https://blog.aquasec.com/malicious-container-image-docker-container-host)


###### Behavior and tr


-----

try new ways to penetrate and exploit vulnerable environments.

**Distribution of attacking images used per day**

30%

25% **26%**

20%

**22%**
**21%**

**18%**

15%

10%

**10%**

5%

**1%** **1%** **1%**

0%

1 2 3 4 5 6 7 8

**Number of attacking images used per day**


-----

little to no month-to-month difference.

**Average number of attacks per day**

**97.3**

**77**

**12.6**

**H2** **H1** **H2**
**2019** **2020** **2020**


-----

**Our honeypots recorded incoming traffic**

**17.3%**

**15.9%**

Russia 17.3% ​

US 15.9%


-----

###### Command and control (C2) server communication

We found that most outbound communication was with C2 servers (marked as
malicious), mining pools, and code repositories.

###### Malicious C2 servers

 • [Communication:][ Most communication was with the C2 servers of the Kinsing ]
malware (93.189.43.3, 91.215.169.111, 45.10.88.102, 195.3.146.118, 193.33.87.219), but
this is not surprising since most attacks were related to the Kinsing malware

###### • [IP Addresses:][ We clustered the IP addresses based on their CIDR ranges and ]
found that the most frequent communication (top 20) was with AWS IP addresses.
Most of the IP addresses pointed to S3 buckets, which may imply that attackers
communicate with S3 buckets (CIDR 52.216.0.0/15)

###### • [Cloud metadata theft:][ We’ve also seen communication with internal ranges ]
(192.168.0.0/24), which may indicate that attackers are seeking cloud metadata.
For instance, 169.254.169.254 is used in Amazon EC2 metadata. Under the cloud
shared responsibilty model, customers should ensure that access to EC2 metadata
should follow the principle of least privilege access. By default, EC2 metadata has no
permissions

###### • [Mining pools: ][A DNS lookup (for example, 35.163.175.186 and 185.10.68.220) is used ]
to retrieve the IP address that is registered under the searched domain. DNS lookup
requests showed that most retrieved IP addresses were reported as malicious C2
servers. The attackers are using various techniques such as tunneling to the local
host (ngrok.io), reverse proxy (fastly), and public code repositories
(GitHub, Bitbucket)

###### Scanners and attackers

It takes 5 hours, on average, for the adversaries’ bots to scan a new honeypot. The
fastest scan occurred after a few minutes, while the longest gap was 24 hours. The
median was only 56 minutes, meaning that in 50% of the cases, the adversaries
found the honeypot in less than one hour. These findings emphasize the immense
significance of detecting and remediating cloud misconfigurations promptly or
preventing them from occurring before deployment. Practitioners need to constantly
be aware that the slightest misconfiguration, even for a brief moment, might expose
their containers and Kubernetes clusters to a threat of cyberattack.


-----

|Initial Access Exploit Public-Facing Application|Execution Container Service (New)|Persistence Host mount (new) - Using host mount for persistence|Privilege Escalation Escape to Host (new)|Defense Evasion Build Image on Host (New)|Credential Access Brute Force: Password Guessing|Command & Control Application Layer Protocol - As an example we saw few attacks using IRC channels using a malware (Tsunami)|Discovery Container Resource Discovery (New)|Data Exfiltrati Exfiltration O C2 Channel|on ver|
|---|---|---|---|---|---|---|---|---|---|
||User Execution: Malicious Image (New)|||||||||
|External Remote Services|||Escape to Host (new): exploit capabilities|Masquerading|Brute Force: Password Spraying||Network Service Scanning|||
|||Implement Internal Image (name Change)||||||||
|||||Masquerading: Match Legitimate Name or Location||||||
|Valid Accounts|Deploy Container (New)||Escape to Host (new): kernel exploitable||Brute Force: Credential Stuffing||Network Service Scanning: scanning internal network|||
|||Scheduled Task/ Job||||||||
|Valid Accounts: Local Accounts||||Valid Accounts||||||
|||Scheduled Task/ Job: Container Orchestration Job (New)|Escape to Host (new): abuse host namespace||Unsecured Credentials||Network Service Scanning: scanning internal network|||
|||||Valid Accounts: Local Accounts||||||
|Poisoned Image (New)||||||||||
||||||Unsecured Credentials: Credentials in Files|||||
||||Escape to Host (new): abuse cgroups|Impair Defenses||||||
|||Valid Accounts||||||||
|||||Impair Defenses: Disable or Modify Tools - we see a lot of security deactivation and removal||||||
|||Valid Accounts: Local Accounts||||||||
||||Escape to Host (new): abuse container runtime (runc / docker socket)||Unsecured Credentials: Container API (New)|||||
|||Create Accounts - creating new accounts on host||||||||
||||||Unsecured Credentials: Cloud Instance Metadata API|||||
||||Escape to Host (new): host mount|||||||
|||||Impair Defenses: Impair Command History Logging - we see a lot of history clear and log deleting||||||
||||Scheduled Task/ Job|||||||
||||Scheduled Task/ Job: Container Orchestration Job (New)|||||||
|||||Rootkit||||||
||||Valid Accounts|||||||
||||Valid Accounts: Local Accounts|||||||
||||Deploy Privileged Container (New) - Running a container with elevated privileges|||||||


containers, so now our classification reflects this new framework.

**Initial** **Execution** **Persistence** **Privilege** **Defense** **Credential** **Command** **Discovery** **Data**
**Access** **Escalation** **Evasion** **Access** **& Control** **Exfiltration**

Exploit Container Host mount Escape to Host Build Image on Brute Force: Application Container Exfiltration Over
Public-Facing Service (New) (new) - Using (new) Host (New) Password Layer Protocol Resource C2 Channel
Application host mount for Guessing        - As an example Discovery (New)

User Execution: persistence we saw few

External Malicious Escape to Host Masquerading Brute Force: attacks using Network Service
Remote Image (New) Implement (new): exploit Password IRC channels Scanning
Services Internal Image capabilities Masquerading: Spraying using a malware

Valid Accounts Deploy Container (name Change)Scheduled Task/ Escape to Host (new): kernel Match Legitimate Name or Location Brute Force: Credential (Tsunami) Network Service Scanning:

Valid Accounts: (New) Job exploitable Valid Accounts Stuffing scanning internal network
Local Accounts

Scheduled Task/ Escape to Host Unsecured Network Service

Poisoned Image Job: Container (new): abuse Valid Accounts: Credentials Scanning:
(New) Orchestration host namespace Local Accounts scanning internal

Job (New) Unsecured network

Escape to Host Impair Defenses Credentials:

Valid Accounts (new): abuse Credentials in

cgroups Impair Defenses: Files

Valid Accounts: Disable or
Local Accounts Escape to Host Modify Tools Unsecured

(new): abuse Credentials:

                                                  - we see a lot

container Container API

Create Accounts runtime (runc / of security (New)

                           - creating new docker socket) deactivation and
accounts on host removal

Unsecured

Escape to Host Credentials:

Impair Defenses:

(new): host mount Cloud Instance

Impair Command

Metadata API

History Logging

Scheduled Task/

                                                   - we see a lot of

Job

history clear and
log deleting

Scheduled Task/
Job: Container Rootkit
Orchestration
Job (New)

Valid Accounts

Valid Accounts:
Local Accounts

Deploy
Privileged
Container
(New) - Running
a container
with elevated
privileges


-----

**Scanning tool used to scan vulnerable hosts**

Infected
Host

Scanning tool
(masscan)


-----

masscan. Below is an example of a script aimed at finding compromised ports:


-----

about the host and deploy a malicious container:


-----

###### Resource development

 Acquire infrastructure

We collected information about the attackers’ infrastructure by analyzing the inbound
and outbound traffic. For instance, the same IPs are used to disseminate and
communicate with Kinsing malware. The attackers acquired these IPs to enable this
attack. These are probably a subset of the botnet linked to the
Kinsing malware campaign.

Similarly, TeamTNT have been using the domains teamtnt[.]red, kaiserfranz[.]cc and
borg[.]wtf as CnC server, DNS and IRC server. They all resolve to the same IP address
45[.]9[.]148[.]108.

###### Compromise infrastructure

Previously, we reported that attackers had been using compromised websites to store
malicious files. These malicious files are downloaded during container runtime. We
continue to see this use of compromised websites to store malicious files such
as scripts.

###### Obtain capabilities

As written on MITRE’s site, adversaries might buy or steal capabilities that can be
used during targeting before compromising a victim. Rather than develop their
capabilities in-house, adversaries can purchase, freely download, or steal them. We
have seen attackers using open-source tools, and specifically offensive security tools,
to achieve their goals.

###### Initial Access

 Exploit public-facing application

These attacks mostly exploit a
misconfigured Docker API port exposed **[Blog](https://blog.aquasec.com/malicious-container-image-docker-container-host)**
to the internet and allow all incoming [Threat Alert: Attackers building](https://blog.aquasec.com/malicious-container-image-docker-container-hosthttp://)
traffic access. On top of the usual [malicious images directly on your host ›](https://blog.aquasec.com/malicious-container-image-docker-container-hosthttp://)
attacks against misconfigured APIs,
we’ve also seen building files on the host from base64.


ed **[Blog](https://blog.aquasec.com/malicious-container-image-docker-container-host)**

[Threat Alert: Attackers building](https://blog.aquasec.com/malicious-container-image-docker-container-hosthttp://)
[malicious images directly on your host ›](https://blog.aquasec.com/malicious-container-image-docker-container-hosthttp://)


-----

Screenshot was taken from the fake account of Tesnorflow. The account uses typo-squatting,
which relies on common mistakes (e.g., typos) by users when keying in a website address. So,
anyone who might misspell the container image name reaches the attacker’s account and is
duped into pulling malicious images


Screenshot was taken from the fake account of Tesnorflow. The account uses typo-squatting,
which relies on common mistakes (e.g., typos) by users when keying in a website address. So,
anyone who might misspell the container image name reaches the attacker’s account and is
duped into pulling malicious images


**[Blog](https://blog.aquasec.com/malicious-container-image-docker-container-host)**
[Threat Alert: Massive crypto mining](https://blog.aquasec.com/malicious-container-image-docker-container-host)
[campaign abusing GitHub, Docker Hub,](https://blog.aquasec.com/container-security-alert-campaign-abusing-github-dockerhub-travis-ci-circle-ci)
[Travis CI & Circle CI ›](https://blog.aquasec.com/container-security-alert-campaign-abusing-github-dockerhub-travis-ci-circle-ci)


-----

job on the host to schedule a malicious command execution.


-----

adversaries can open a backdoor that allows them to fully control the host.


-----

-----

malicious file.


-----

**Fileless Execution**
```
       memfd()
                vfs _ write() execve()
       syscall

```
Creates a file descriptor that The decrypted binary Binary payload is executed
points into a block of memory payload is written into the file from memory
descriptor


s **Report**

You can read more about our classifications
[in our 2020 Cloud Native Threat Report](https://info.aquasec.com/cloud-native-threats) **›**


-----

-----

-----

-----

o down
but unf


-----

-----

and achieving additional access to the victims’ environments and networks

###### 0.7%

**Attack distribution** **3.1%**
**by objective** **1.1%**

###### 0.7%

**(N=17,521)**

###### 2.2%

Crypto Mining

Worm

Backdoor

Malware

Reconnaissance


are emerging.

**Image distribution by** **5%** **9%**
**attack objective**

**(N=34)** **9%**

###### 41%

Crypto Mining

Worm

###### 36% Backdoor
Malware


###### 5% 9%

 9%
 41%

 36%

Now see that adversaries are also using worms to reach further victims. A little over


-----

## Conclusions

Our analysis of attacks on the Team Nautilus honeypots results in several key
observations and trends

The mean number of instances misconfigured by customers is increasing. Research
[by Team Nautilus covered trends in exploitable hosts and what attackers are looking](https://www.sciencedirect.com/science/article/pii/S1353485820301161)

### 1

for. It indicates that attackers are not just looking for port 2375 (unencrypted Docker
API) and other ports related to cloud native services. In addition to this research,
[we have also seen new initial accesses and new attack variants that also threaten](https://blog.aquasec.com/container-attacks-on-redis-servers)
[Kubernetes clusters.](https://blog.aquasec.com/kubernetes-vulnerability-security-threat)

Adversaries are using more sophisticated techniques to increase the chances of a
successful attack with a bigger impact. Attackers are:
### 2

###### • [Extending their arsenal with new and advanced techniques ]
 • [Hiding their attacks more effectively using advanced techniques, such as ]
executing malware straight from memory, packing the payload, or
using rootkits

###### • [Conducting privilege escalation and escaping from the container to the host]
 • [Increasing their persistence on the compromised hosts by using rootkits]
 • [Increasing use of offensive security tools as part of the attack kill chain ]
 • [Hiding a more sinister impact. While much focus has been given to ]
cryptocurrency mining attacks, which might be perceived as more of a
nuisance than a severe threat, these attacks can mask more sinister objectives.
In some of the attacks we observed, adversaries tried to leave backdoors
on the host by dropping dedicated malware, or by creating new users with
root privileges and SSH keys for remote access. We’ve also seen adversaries
attempt to collect credentials and sensitive data. Once collected, the attackers
could then use exfiltration techniques to steal sensitive data. Such activities
pose serious threats to organizations


-----

Attacking through supply chain. A massive campaign was mounted to target the

### 3 auto-build process of code repositories, registries, and CI service providers may

reveal troubling future threats. Targeting the build process during CI/CD flow is a soft
belly since there are few detection, prevention, and security tools. We have also seen
attacks through Docker Hub and GitHub, using typo-squatting to trick developers
into downloading malicious container images or code packages

### 4   Botnets are swiftly finding and infecting new hosts as they become vulnerable.• [Attackers are using dedicated botnets that scan the internet, looking to detect ]

cloud misconfigurations and disseminate malicious payload, usually by running
a malicious container image

###### • [Once a host is infected, a worm is executed on newly infected host, boosting ]
the dissemination of the malicious payload to other hosts

###### • [They continually scan the net, seeking misconfigured Docker daemons, ]
Docker Swarm daemons, Kubernetes clusters and cloud backup ports. Internal
research revealed that some botnets could detect and attack a misconfigured
Docker daemon five hours on average after the port becomes visible. They are
using powerful tools, such as masscan, that allow them to more quickly scan
bigger ranges

The volume of attacks against container environments is increasing, demonstrating
that organized and well-funded teams are behind them

### 5

Attackers are adapting their techniques much faster, updating them more
frequently, and creating a more rapid cat-and-mouse game

### 6


-----

###### List of reports

**Attack name** **Attack description** **Impact** **Duration** **Volume** **Images used** **Perpetrator**

The attacker opened shell from
**Alpine - Open shell** Backdoor 2 weeks 117 attacks alpine:latest Unknown
remote

The attacker opened shell
**ubuntu:18.04 bin-bash** Backdoor 2 months 123 attacks ubuntu:18.04 Unknown
from remote

The attacker ran a code in cmd

Backdoor,

that downloaded the malicious 15,913 Kinsing

**Alpine d.sh** Crypto, Malware, 6 months alpine:latest

script d.sh, it later downloaded attacks attackers

Worm

kinsing malware

kirito666/

The attacker pulled a malicious Backdoor,

**TeamTNT blackT** blacktv2:latest

container image from a public Crypto, Malware, 1 month 124 attacks TeamTNT

**campaign** and kirito666/

registry in Docker Hub Worm

blackt:latest

The attacker ran a remote code Backdoor,
**TeamTNT encoded** with a malicious binary encoded Crypto, Malware, 1 week 5 attacks alpine:latest TeamTNT
in base64 in the cmd Worm

**TeamTNT kaiserfranz** The attacker downloaded in the Backdoor, 2 weeks 7 attacks alpine:latest TeamTNT
**campaign** cmd a malicious file Crypto, Malware,
Worm

**TeamTNT meow** The attacker downloaded in the Backdoor, 2 weeks 18 attacks alpine:latest TeamTNT
cmd a malicious file Crypto, Malware,
Worm


-----

**Attack name** **Attack description** **Impact** **Duration** **Volume** **Images used** **Perpetrator**

**TeamTNT small** The attacker pulled a malicious Backdoor, 10 days 10 attacks zyx1475/small:latest TeamTNT
**campaign** container image from a public Crypto,
registry in Docker Hub Malware,

Worm

**TeamTNT speedrun** The attacker pulled a malicious Backdoor, 2 weeks 22 attacks lifengyi1323/ TeamTNT
**campaign** container image from a public Crypto, speedrun:latest
registry in Docker Hub Malware,

Worm

**The xms attack** The attacker downloaded in the Backdoor, 2 weeks 10 attacks alpine:latest Unknown
cmd a malicious file Crypto,
Malware,
Worm

**TeamTNT mo.jpg** The attacker downloaded in the Backdoor, 1 week 2 attacks alpine:latest and TeamTNT
cmd a malicious file Crypto, ubuntu:latest

Malware,
Worm

**ubuntu 1sh** The attacker downloaded in the Backdoor, 1 day 1 attack ubuntu:latest Unknown
cmd a malicious file Malware

**XMR downloaded** The attacker downloaded in Crypto 3 months 180 attacks alpine:latest and Unknown
**from C2** the cmd xmr and executes ubuntu:latest

the binary

The attacker downloaded in the
**alpine autom** Crypto 34 attacks alpine:latest Unknown
cmd a malicious file

The attacker builds the container
**Build on host** Crypto 1 week 3 attacks Unknown
image on the host and runs it

The attacker pulled a malicious
**felilca** container image from a public Crypto 1 month 173 attacks felilca/ubuntu:latest Unknown
registry in Docker Hub

The attacker pulled a malicious
greekgoods/
**greekgoods-kimura** container image from a public Crypto 2 weeks 4 attacks Unknown
kimura:1.0
registry in Docker Hub

The attacker downloaded in the
**alpine pop** Crypto 2 days 2 attacks alpine:latest Unknown
cmd a malicious file

The attacker pulled a malicious
**ubuntuz-jessy** container image from a public Crypto 1 day 1 attack ubuntuz/jessy:latest Unknown
registry in Docker Hub

The attacker pulled a malicious
**yrubertzh/aws** container image from a public Crypto 1 day 2 attacks yrubertzh/aws:latest Unknown
registry in Docker Hub

The attacker downloaded in the Crypto, byrnedo/alpine-
**ngrok byrnedo** 6 months 600 attacks Unknown
cmd a malicious file Worm curl:0.1.8t

The attacker downloaded in the Crypto,
**xanthe malware** 1 day 1 attack alpine:latest Unknown
cmd a malicious file Worm


-----

framework, each category is mapped to one or more MITRE categories.

**Aqua’s mapping** **Description** **MITRE mapping**

**Initial Execution** Consists of techniques that use various entry Initial access, Execution
vectors to gain their initial foothold
Example: Crypto Mining binaries found in the image

**Weaponization** Includes unusual techniques to gain more control Persistence, Privilege
Example: Privilege escalation and escalation, Defense evasion,
credential access Credential access

**Propagation** Discovering local or remote resources to exploit Discovery, Lateral movement
them or perform lateral movement
Example: Executing “Shodan search” on internet-
connected devices in runtime

**Communication** Suspicious network activity Command and Control
Example: Accessing an unreachable IP address
might indicate communication with a C&C

**Collection & Exfiltration** [Collecting resources and reaching an end-game ] Collection, Exfiltration,
objective Impact
Example: Resource hijacking to validate
transactions of cryptocurrency networks and earn
virtual currency


**or**


-----

Aqua Security is the largest pure-play cloud native security company,
providing customers the freedom to innovate and run their businesses with
minimal friction. The Aqua Cloud Native Security Platform provides prevention,
detection, and response automation across the entire application lifecycle to
secure the build, secure cloud infrastructure and secure running workloads
wherever they are deployed.

Aqua’s Team Nautilus focuses on cybersecurity research of the cloud native
stack. Its mission is to uncover new vulnerabilities, threats and attacks that
target containers, Kubernetes, serverless, and public cloud infrastructure —
enabling new methods and tools to address them.


-----