cybercriminals finding cloud
Image: Song_about_summer/Adobe Stock

As more organizations shift to the cloud to manage their operations and assets, so too have cybercriminals been shifting their focus to cloud environments. To up their game, attackers are adopting more advanced and sophisticated methods to target sensitive and vulnerable cloud native environments. A report released Wednesday by security firm Aqua Security looks at the attack vectors targeting Kubernetes as well as the supply chain and offers advice on protecting your cloud environments.

SEE: Eight enterprise password managers and the companies that will love them (TechRepublic)

For its report “Tracking Software Supply Chain and Kubernetes Attacks,” researchers at Aqua’s Team Nautilus set up honeypots to attract attackers and trick them into creating malicious files, cryptominer activity, code injection and other malicious content. Such honeypots are controlled by security researchers expressly to observe malicious behavior and gather intel on adversaries.

Aqua found that cybercriminals are using new tactics, techniques and procedures to target cloud-based environments. Cryptominers were the most common type of malware discovered, but attackers are also increasingly turning to backdoors, rootkits and credential stealers.

Backdoors, which allow attackers to gain remote access to a compromised system, were seen in 54% of the attacks in 2021, up by 9% from 2020. The use of worms that replicate and spread throughout a system accounted for 51% of all the attacks last year, a gain of 10% from 2020.

Criminals have also shifted their focus from Docker to Kubernetes. Attacks against vulnerable Kubernetes deployments and applications increased to 19% in 2021, up from 9% in 2020. Kubernetes environments are a tempting target, as once an attacker gains initial access, they can easily move laterally to expand their presence.

Attacks that affect an entire supply chain have increased over the past few years, and that has been felt across the software supply chain as well. In 2021, attackers aiming at software suppliers as well as  their customers and partners employed a variety of tactics, including exploiting open source vulnerabilities, infecting popular open source packages, compromising CI/CD tools and code integrity, and manipulating the build process. Last year, supply-chain attacks accounted for 14.3% of the samples seen from public image libraries.

“These findings underscore the reality that cloud native environments now represent a target for attackers, and that the techniques are always evolving,” said Assaf Morag, threat intelligence and data analyst lead for Aqua’s Team Nautilus. “The broad attack surface of a Kubernetes cluster is attractive for threat actors, and then once they are in, they are looking for low-hanging fruit.”

To help organizations more effectively protect their cloud-native environments, Aqua offers a few recommendations:

Implement runtime security. Runtime protection is a key factor for any cloud-based security strategy. This is especially important to defend against supply-chain attacks that can introduce vulnerabilities that may only be exploited during runtime.

Layer your Kubernetes security. As attackers exploit Kubernetes UI tools and target specific Kubernetes elements such as kubelets and API servers, you need to secure your Kubernetes environments at the container and orchestrator level. Such a layered strategy is key to combating any attack launched against a Kubernetes ecosystem.

Activate scanning during development. Vulnerabilities such as Log4j are evidence that security scanning must be performed during the development cycle. As such, you need  tools that offer visibility into your entire cloud native stack.

“The key takeaway from this report is that attackers are highly active — more than ever before — and more frequently targeting vulnerabilities in applications, open source and cloud technology,” said Morag. “Security practitioners, developers and devops teams must seek out security solutions that are purpose-built for cloud native. Implementing proactive and preventative security measures will allow for stronger security and ultimately protect environments.”

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays