Aqua Security on Monday reported that data it collected over a six-month period from honeypots protecting containers revealed that 50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
According to the research, it takes five hours on average for the adversaries’ bots to scan a new honeypot. The fastest scan occurred after a few minutes, while the longest gap was 24 hours.
Assaf Morag, lead data analyst with Aqua’s Team Nautilus, said this discovery underscores the significance of detecting and fixing cloud misconfigurations promptly or preventing them from occurring before app deployment. Morag said security pros need to understand that the slightest misconfiguration might expose their containers and Kubernetes clusters to a cyberattack.
“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Morag. “Although cryptocurrency mining is still the lowest hanging fruit and thus more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft. Focusing on misconfigurations is important, but companies also need a more holistic approach that includes a focus on supply chain attacks.”
The results of this report were contributed as input to the development of the MITRE ATT&CK Container Framework. In fact, Adam Pennington, MITRE ATT&CK director, said container security has been on MITRE’s radar for a while now, but it was only fairly recently that the company started seeing enough reported activity to begin mapping this area and add it to ATT&CK.
“We’ve gone from occasional anecdotes about security incidents to a number of organizations regularly detecting and talking about intrusions,” Pennington said.
Michael Cade, senior global technologist for Kasten by Veeam, said cloud misconfigurations have become a real concern for container users.
“Misconfigurations are one of the ways that containers are uniquely exposed, basically as a default to ease development burdens. They are a likely point of ingress for container attacks, so it’s extremely important to have an effective remediation plan in place,” Cade said.