Security landscape: three of the biggest cloud native threats 

As the intricacies of cloud native environments evolve, the tactics used are changing rapidly. Security professionals must keep abreast of these changes, argues Assaf Morag at Aqua Security’s Team Nautilus

 

The risk of cloud native threats is very real and demands constant vigilance. At Aqua Nautilus, we are dedicated to uncovering the latest malicious actors and raising awareness of them. This year alone we’ve identified more than 10 unique cyber threats, and outlined the ways organisations can protect against them. 

 

With all this research, we’ve gained some vital insights that we’ve used to create a threat landscape, which allows security teams to better defend against bad actors. Below I will outline the top threats security professionals and developers should be aware of. Cloud native threats contain a lot of components and can vary enormously.

 

I have selected three that demonstrate that variation: Headcrab is a runtime threat, PyTorch is a threat to the supply chain, and TeamTNT attacks all areas of the cloud native environment. In addition, I will outline some other key takeaways from our research.

 

HeadCrab: elusive threat to runtime

Researchers from Aqua Nautilus have unearthed a new, enigmatic, and formidable menace that has clandestinely infiltrated and established a presence on servers worldwide, with its activities dating back as far as September 2021. Self-identifying as "HeadCrab," this advanced threat actor has harnessed a state-of-the-art, tailor-made malware that eludes detection by both agentless and conventional antivirus solutions, enabling it to compromise a substantial number of Redis servers. The HeadCrab botnet has successfully commandeered a minimum of 1,200 servers.

 

HeadCrab remains relentless, employing cutting-edge methodologies to breach servers, be it through exploiting misconfigurations. If your server falls victim to this intrusion, it is imperative to presume that your network has also suffered a breach and take immediate action to initiate your incident response protocol. This proactive measure will facilitate the detection of the breach’s scope, the isolation of infected systems, and the restoration of compromised environments. 

 

HeadCrab is the perfect example of a runtime threat. It exploits a vulnerability to get in, exploits the running process of Rredis, exploits the running process of redis to modify it to its needs and using all the available applications, and once this is done it executes payloads in memory. It is a very stealthy attack, which serves as a vital reminder that unknown threats and zero-days are here to stay – and even if you do everything right you can’t always protect your runtime environments. Monitoring runtime environments is therefore crucial in order to mitigate issues quickly and minimise disruptions. 

 

PyTorch: threat to supply chain

Recently, an incident unfolded wherein a component of the widely utilised PyTorch-nightly Python package became the target of a dependency confusion attack. This nefarious event led to the unwitting downloading of a malevolent binary by thousands of users, which subsequently exfiltrated data via DNS. The PyTorch team promptly issued a warning, revealing that the PyTorch-nightly dependency chain had been compromised during the period spanning from December 25th to December 30th, 2022.

 

In a PyPI dependency confusion attack, a scenario arises when two packages sharing the same name exist in both a private repository and the public PyPI repository. Python, in such instances, will instinctively retrieve the package bearing the higher version number. Exploiting this situation, bad actors can manipulate it by uploading a malicious package under the same name with a superior version, thereby launching a supply chain attack.

 

TeamTNT: attacking all areas

The botnet operated by TeamTNT has expanded its operations to encompass various targets, including Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications. In the course of our investigation, Aqua Nautilus successfully breached TeamTNT’s Command and Control (C2) server, a manoeuvre that granted us access to invaluable intelligence concerning the victims, the specific environments under attack, the array of tools and resources at the attacker’s disposal, as well as the tactics employed throughout this campaign.

 

Our research has unveiled that this botnet maintains an incessant sweep of the entire internet, subjecting each IP address to scanning at least once every hour. We’ve observed that the infection rate is notably swift, with a minimum of two new victims emerging on an hourly basis.

 

Increased focus on avoiding detection

In a span of just one year, research conducted by Team Nautilus has identified a staggering 1,400% increase in fileless or memory-based attacks. These insidious attacks leverage pre-existing software, applications, and protocols to carry out malicious activities. In fact, threat actors employ a myriad of tactics to cloak their campaigns.

 

An analysis of aggregated honeypot data, collected over a duration of six months, revealed that over 50% of these attacks were primarily focused on evading detection and defence mechanisms. These evasion techniques encompassed methods such as masquerading, where files were executed from the /tmp directory, and the utilization of hidden files or information, including the dynamic loading of code.

 

Runtime security is critical

These threats illustrate the critical importance of runtime security. Runtime security is a critical last line of defence: the most persuasive evidence for the threat actors’ increasing and successful efforts to evade agentless solutions was the emergence of HeadCrab.

 

Securing runtime environments necessitates a monitoring strategy that encompasses more than just the identification and blocking of known malicious files and network communications, along with alerting upon their detection. While this approach is certainly crucial, it falls short of comprehensive security.

 

A more effective solution involves vigilant monitoring for indicators or signs indicative of malicious behaviour. These indicators may include unauthorized efforts to access sensitive data, attempts to obscure processes while gaining elevated privileges, and the establishment of backdoors leading to unfamiliar IP addresses.

 

The implementation of robust protective measures within runtime environments is of paramount importance. These measures serve to safeguard both data and applications, ensuring their security and fortifying defences against potential threats.

 

Interdependent nature of software supply chain

Aqua Security’s software supply chain team’s data reveals a staggering year-over-year increase of over 300% in software supply chain attacks. This surge is not surprising when we consider the intricate nature of cloud-based software systems, characterised by their extensive interdependencies and multiple layers of interconnected components. It is precisely these layers that present significant security challenges, yet it is this interdependency that renders software supply chain attacks enticing to malicious actors.

 

These attacks serve as a gateway to access sensitive data and a launching pad for large-scale cyber-attacks. Furthermore, they offer the capability to move laterally within the cloud, accessing other services and private cloud infrastructure, compounding their appeal to threat actors.

 

These are a few of the key takeaways from our latest research. Check out the full report for more details. And always be aware of the lurking threats that risk compromising your cloud native environment.

 

---

 

Assaf Morag is Lead Threat Intelligence Researcher at Aqua Security’s Team Nautilus.

 

Main image courtesy of iStockPhoto.com