Aqua Blog

Aqua’s Top Five Threat Alerts for 2020


It has certainly been a rough year and just as life constantly evolves, so do cyber threats. So, here are a few blogs by our cyber security research group, Team Nautilus, that got the most attention from cloud native security professionals. These blogs highlight how attackers continue to get more creative over time, as we cover container image exploitation, fileless malware, Kinsing malware, sophisticated evasion techniques, and much more.

The emerging trend is clear: we’re seeing more attacks targeting the cloud native supply chain and infrastructure, and these attacks are becoming increasingly sophisticated and organized. This highlights the importance of adding Dynamic Threat Analysis and CSPM to your security arsenal. We expect the trend to intensify in 2021, so watch this space and subscribe to our blog.

Without further ado, here are Aqua’s top five threat alerts:

Attacker Building Malicious Images Directly on Your Host

We discovered a new type of attack against container infrastructure. It exploits a misconfigured Docker API port to build and run a malicious container image on the host. This was the first time we observed this attack in the wild.


Deep Analysis of TeamTNT Techniques Using Container Images to Attack

TeamTNT used a crypto-mining worm, spread through container images hosted on Docker Hub, to steal AWS credentials. Our investigation determined that dynamic analysis could have saved security teams a lot of time and aggravation had these threats been detected and the images removed from Docker Hub before being deployed.


Kinsing Malware Attacks Targeting Container Environments

We’ve seen a rise in the number of attacks that target container environments. One such attack targets misconfigured open Docker Daemon API ports. This persistent campaign went on for months, with attacks directed by actors with more than enough resources and infrastructure to carry out and sustain them.


Market-First Container Image Built to Attack Kubernetes Clusters

We uncovered a container image that, for the first time, allows bad actors to find and exploit vulnerabilities in Kubernetes clusters. Attackers propagate this malware through a Docker Hub lookalike account intended to dupe developers into downloading malicious images.


Fileless Malware Executing in Containers

Our cyber research team detected a new type of attack that runs malware straight from memory inside containers to evade common defenses and static scanning. The malware uses a rootkit to hide its running processes, then hijacks resources by executing a crypto miner from memory. It also leaves a backdoor that attackers can use to do more damage.


You can find these, and all our other threat analyses, on the Team Nautilus research page.

Happy New Year

As we head into the new year, you can expect to see more helpful information coming from us. We’ll be covering not only threat alerts, but all things related to cloud native security.

Gregg Ogden
Gregg Ogden is a Senior Product Marketing Manager at Aqua. He is a seasoned marketing professional with established success in multiple business-to-business roles. He has worked for a variety of technology companies spanning end-point data security to multi-computer technologies over his 20+ year career. Gregg is always looking for new ways to highlight the obvious and not-so obvious worth of the products and services he represents. In his spare time, Gregg is an avid downhill skier in winter and an experienced motorcyclist in summer.