To investigate attacks in the wild, researchers used honeypots that lure attackers and trick them into carrying out their activities in an environment that is controlled and monitored by the researchers. This approach allows them to collect indicators of compromise, including malicious files, malicious network communication, indications of container escape, malware, cryptominer activity, code injection and backdoors.
To investigate supply-chain attacks against cloud native applications, the team examined images from public registries and repositories, such as NPM and the Python Package Index. Observations were augmented with data from Shodan, the search engine for internet-connected devices.
An increase in sophistication. Attacks are becoming more sophisticated, with threat actors' tactics, techniques, and procedures advancing rapidly. In 2021, backdoors were encountered in 54% of attacks, an increase of nine percentage points compared with 2020. The use of worms rose by 10 percentage points, to 51% of attacks compared with 41% the previous year. The team also observed more sophisticated activity involving rootkits, fileless execution, and the loading of kernel modules.
A shift to Kubernetes. Adversaries shifted their attention from Docker to Kubernetes and the CI/CD pipeline. Threat actors broadened their targets to include CI/CD environments and vulnerable Kubernetes deployments and applications. The proportion and variety of observed attacks targeting Kubernetes increased. Based on the observed attacks, the share of malicious images with the potential to target Kubernetes environments increased by 10 percentage points, from 9% in 2020 to 19% in 2021.
Supply chain continues to be effective. Supply-chain attacks represent 14.3% of the sample of images from public image libraries (NB: this sample is not a statistically significant sample of all public image libraries). An analysis of over 1,100 container images uploaded to one of the world's largest image communities and libraries in the past year revealed that 13% were related to potentially unwanted applications, such as cryptominers, and 1.3% were related to malware.
Log4j zero-day vulnerability immediately exploited in the wild. The popular logging library is estimated to be present in over 100 million instances globally. Once the honeypot was set up, some of the largest botnets, including Muhstik and Mirai, began targeting it within minutes. Researchers detected multiple malicious techniques, including known malware, fileless execution, files that were downloaded and executed from memory, and reverse shell executions.
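The fileless and execute-from-memory techniques noted above leave a footprint that a responder can check for on a live Linux host: a payload written to an anonymous memfd_create(2) file and executed shows up as a /proc/<pid>/exe link of the form "/memfd:<name> (deleted)", and a dropper that unlinks itself after exec shows up as a path with a " (deleted)" suffix. The following Python is an added example of that check, not code from the report or its authors; it assumes a Linux procfs layout, and the process table it builds in build_sample_proc() is constructed for illustration (the pid numbers, names and paths are invented).

```python
import os
import tempfile
from typing import List, Tuple

# Markers in a /proc/<pid>/exe link target that mean the running binary no
# longer exists as a regular file on disk. "/memfd:" is what the kernel
# reports for anonymous files created with memfd_create(2); " (deleted)"
# covers any binary that was unlinked after it was executed.
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"


def is_fileless_exe(link_target: str) -> bool:
    """Return True if the exe link target points at an in-memory or deleted binary."""
    return link_target.startswith(MEMFD_PREFIX) or link_target.endswith(DELETED_SUFFIX)


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk a procfs tree and return (pid, comm, exe_target) for suspicious processes.

    Processes whose exe link cannot be read (kernel threads, permission denied)
    are skipped rather than reported, so run as root for full coverage.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # only numeric entries are processes
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if not is_fileless_exe(target):
            continue
        try:
            with open(os.path.join(pid_dir, "comm"), encoding="utf-8", errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        hits.append((int(entry), comm, target))
    return sorted(hits)


def build_sample_proc() -> str:
    """Construct a fake procfs tree (invented test data, not a real system) and return its path."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    sample = {
        1: ("systemd", "/usr/lib/systemd/systemd"),
        4242: ("kworker", "/memfd:payload (deleted)"),  # memfd loader masquerading as a kernel thread
        4300: ("bash", "/usr/bin/bash"),
        4301: ("xmrig", "/tmp/.x/xmrig (deleted)"),  # miner whose dropper unlinked the binary
    }
    for pid, (comm, exe) in sample.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(pid_dir, "exe"))
    os.makedirs(os.path.join(root, "sys"))  # non-pid entry, must be ignored by the scan
    return root


if __name__ == "__main__":
    # Against the real host: python3 this_file.py (as root for full coverage)
    for pid, comm, exe in scan_proc():
        print(f"pid={pid} comm={comm} exe={exe}")
```

The check is a triage signal, not proof of compromise: legitimate software (some JIT runtimes, package upgrades that replace a running binary) also produces " (deleted)" targets, so each hit should be confirmed by reading /proc/<pid>/maps and /proc/<pid>/cmdline before acting on it.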
TeamTNT doesn't retire. The most prolific threat actor targeting cloud native environments, TeamTNT, announced its retirement in December 2021 but was still actively attacking honeypots a month later. However, new tactics were in use, making it unclear whether the ongoing attacks originated from automated attack infrastructure that was left running or whether TeamTNT faked its retirement. It appears that some of the command-and-control servers, a third-party registry, and a worm are still operational and infecting new targets.