In past years, misconfigured Docker APIs were a favorite target of threat actors. Now that focus is shifting from Docker to Kubernetes. The attack surface of a Kubernetes cluster is broad, and once an attacker gains initial access to a cluster there are far more opportunities for lateral movement and persistence than inside a single container.
While cryptominers were the most common malware that we observed, they weren’t the only thing we found. With increasing frequency, we discovered backdoors, rootkits, and credential stealers—signs that intruders have more than cryptomining in their plans.
Just as a misconfigured Docker API creates an entry point for attackers, so does a misconfiguration that exposes a Kubernetes UI tool to the internet. Attackers have simply adapted the scanning techniques that were so successful at discovering vulnerable Docker instances.
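The entry point described above is easy to check for on your own hosts. The following is an added example, not code from the Aqua report: it sends unauthenticated GET requests to the Docker Engine API (plaintext on its default port 2375, TLS on 2376; a 200 from /version with no credentials means anyone who can reach the socket has root-equivalent control of the host) and to the Kubernetes API server (default port 6443; a 200 from /api with no credentials means system:anonymous has been granted read access, whereas the default deployment answers 401 or 403). The port list and the "open"/"closed"/"unreachable" labels are assumptions made for this example. The classification logic is kept in pure functions so it can be exercised offline against the constructed responses embedded below; only probe hosts you are authorized to test.

```python
"""Probe for unauthenticated Docker Engine API and Kubernetes API exposure.
Added example; not part of the Aqua Security report or its tooling."""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Assumed default listeners: Docker plaintext (2375) and TLS (2376),
# kube-apiserver secure port (6443). Adjust for non-default deployments.
DOCKER_PORTS = (2375, 2376)
K8S_PORTS = (6443,)


def _json_dict(body):
    """Parse body as a JSON object; return None if it is not one."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def classify_docker(status, body):
    """Classify an unauthenticated GET /version against the Docker Engine API.
    'open'        -> daemon answered with its version document (no auth at all,
                     or TLS without --tlsverify, which is just as bad)
    'closed'      -> 401/403, something in front of the socket demands auth
    'unreachable' -> no HTTP response
    'unknown'     -> anything else (reverse proxy, unrelated service)"""
    if status is None:
        return "unreachable"
    if status == 200:
        data = _json_dict(body)
        return "open" if data and "ApiVersion" in data else "unknown"
    if status in (401, 403):
        return "closed"
    return "unknown"


def classify_k8s(status, body):
    """Classify an unauthenticated GET /api against kube-apiserver.
    A 200 carrying an APIVersions document means anonymous requests are
    both authenticated (system:anonymous) and authorized by RBAC."""
    if status is None:
        return "unreachable"
    if status == 200:
        data = _json_dict(body)
        return "open" if data and data.get("kind") == "APIVersions" else "unknown"
    if status in (401, 403):
        return "closed"
    return "unknown"


def fetch(url, timeout=3.0):
    """GET url with no credentials and return (status, body).
    Certificate checks are disabled on purpose: misconfigured endpoints
    almost always present self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe_host(host):
    """Probe one host and return {endpoint: classification}."""
    findings = {}
    for port in DOCKER_PORTS:
        scheme = "https" if port == 2376 else "http"
        status, body = fetch(f"{scheme}://{host}:{port}/version")
        findings[f"docker:{port}"] = classify_docker(status, body)
    for port in K8S_PORTS:
        status, body = fetch(f"https://{host}:{port}/api")
        findings[f"kubernetes:{port}"] = classify_k8s(status, body)
    return findings


# Constructed sample responses (not captured from any real host) so the
# classifiers can be exercised without network access.
SAMPLE_RESPONSES = {
    "docker:2375": (200, '{"Version":"24.0.7","ApiVersion":"1.43"}'),
    "docker:2376": (None, ""),
    "kubernetes:6443": (403, '{"kind":"Status","status":"Failure","code":403}'),
}


def demo():
    """Classify the constructed samples; returns the same shape as probe_host."""
    out = {}
    for name, (status, body) in SAMPLE_RESPONSES.items():
        fn = classify_docker if name.startswith("docker") else classify_k8s
        out[name] = fn(status, body)
    return out


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        print("demo (constructed responses):", demo())
    for h in hosts:
        print(h, probe_host(h))
```

Run it with no arguments to see the classifiers applied to the constructed samples, or with one or more hostnames to probe real listeners. A "closed" result only means the endpoint demands authentication; it says nothing about whether the credentials in use are strong or whether the API should be reachable from that network at all.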
Tracking supply chain and Kubernetes attacks and techniques
Developing defenses against cyberthreats targeting cloud native environments requires staying up to date with the attack vectors and the Tactics, Techniques, and Procedures (TTPs) attackers use. Aqua Security's Team Nautilus focuses on uncovering new threats and attacks that target the cloud native stack. By researching emerging cloud threats, we aim to create methods and tools that enable organizations to stop cloud native attacks.
This report presents observations and discoveries based on actual attacks in the wild. It is intended to highlight the newest trends and takeaways for practitioners in the cloud native threat landscape.
Download the report to learn more.
Research by Team Nautilus