2022 Cloud-Native Threats

The inaugural 2022 Sysdig Cloud-Native Threat Report exposes some of the year’s most pervasive and costly cloud threats. As organization’s use of containers and cloud services continues to grow, attackers are turning their attention to the cloud.

Just one threat actor can make substantial gains by simply taking advantage of misconfigurations and old exploits. They can earn thousands of dollars, almost passively off of their victims’ cloud infrastructure.

Containers allow developers to get infrastructure up and running fast, but if malicious code is hidden inside by an attacker, the entire infrastructure can be compromised.

However, not all threat actors are about profiteering. The conflict between Russia and Ukraine shows a cyberwarfare component with government-supported threat actors and civilian hacktivists taking sides.

The true costs of cryptomining

Cryptomining is increasingly popular among profit-motivated threat actors. With a much lower overhead than ransomware, the miner only needs to run on a computing resource, then they can start cashing in.

Looking at TeamTNT, a notorious cloud-targeting threat actor, made at least $8,100 in directly attributed cryptowallets, which cost victims more than $430,000. While $8,100 isn’t massive, it’s passive income for the criminal and a monstrous bill for someone else.

Sysdig

Supply chain attacks from Docker Hub

The 2022 Sysdig Cloud-Native Security and Usage Report also shows that 61% of all images pulled come from public repositories. Attackers are aware this is how code is assembled today, so they’ve turned public repositories into an attack vector.

To investigate, the Sysdig Threat Research Team (Sysdig TRT) built a custom system to scan Docker Hub and identify malicious container images using both static and runtime analysis.

The team scanned more than 250,000 images, and the results showed that threat actors are actively using Docker Hub to spread malware. This mostly comes in the form of cryptojackers, however, malicious websites, hacking tools, and other unwanted software was also found in the images.

Sysdig

To protect customers, the Sysdig TRT maintains a continually updated feed of known bad container images, using their SHA-256 hashes.

Geopolitical hacktivism

When the Russia-Ukraine conflict started, a cyberwar also began between the two countries.

This is the first time cyberwarfare operations have been used in military operations in such a public way. Over 150,000 volunteers joined the Ukrainian side of this cyberconflict as hacktivists. 

Distributed denial of service (DDoS) and destructive attacks using hard drive wipers were the hallmark of the cyberwar, at least on the public facing side. Hacktivists from both sides have largely participated by joining the DDoS attacks. Almost immediately after the invasion started, The Sysdig global honeynet began to see a sharp rise in the amount of DDoS malware being installed. Before this, most of the malware was related to cryptojacking.

Sysdig

Conclusion

Attackers are starting to understand the value of cloud resources, whether for cryptomining, data theft, or as attack platforms. This trend will continue as more companies move from on-premise to cloud. While the geopolitical situation is beyond the scope of the report, these events will continue to involve cyber more and more as countries start to depend on the resources that have moved to cyberspace.

Security and DevOps teams need to watch for these threats as they work to secure their cloud infrastructures. Visibility into cloud and container environments is critical as threats start to make use of these resources.

Want to get the full scoop? Download the 2022 Sysdig Cloud-Native Threat Report today!