Aqua Security Report Reveals Container Attack Blast Radius

An analysis of 105 victims of malicious container images published today by Aqua Security today finds just over a third (36%) of hosts had multiple severe vulnerabilities and misconfigurations that could be employed to expand the blast radius of a cyberattack made against the containers they deployed. A total of 70% of the hosts also exhibited a mild potential for credential theft and lateral movement that could occur if cybercriminals escalate their privileges once they gain access.

On the plus side, the report also finds that a few weeks after the initial scan, 50% of the hosts with vulnerabilities had remediated all vulnerabilities and misconfigurations, while another 12% had fixed some but not all of them. A quarter (25%) had done nothing at all, according to the report.

Asaf Morag, lead data analyst for Aqua Security, a provider of a container security platform, says the report suggests that while more organizations are now being proactive about container security there are still many organizations that have yet to address the issue. In general, there’s a tendency among many developers and IT teams to assume containers are secure because they are ripped and replaced so often. However, cybercriminals are now regularly stealing credentials so they can deploy containers on systems that they use to surreptitiously mine for cryptocurrencies, also known as cryptojacking.

While some IT teams dismiss cryptojacking as a nuisance crime, Morag says IT teams should assume that cybercriminals are also creating backdoors through which they can gain access to those systems at some future point. In addition, they may also leave behind malware that can be activated sometime later, notes Morag.

In all 105 cases, cybercriminals took advantage of a misconfigured Docker application programming interface (API) to run a malicious container image. Most infected hosts were using port 2375 for their Docker API, but Aqua Security research also detected the Docker API on ports including 8087, 5000, 4243, 2222, 5432, 8000, 8001, 2345, 3000, 8090. That suggests that efforts to hide where the Docker API is accessed are not especially successful.

Once a malicious container is installed, there are several techniques threat actors can use to escape a container to gain access to a host. These include employing a privileged container to run commands on the host or creating a container configured to mount the host’s filesystem using the bind parameter to drop payloads or execute commands. They can also open SSH keys, open ports and collect metadata.

Morag said in addition to reducing the attack surface by eliminating some public-facing services, IT teams would be well advised to adopt cloud security posture management (CSPM) platforms to discover misconfigured services. That’s especially critical as responsibility for provisioning IT infrastructure continues to shift further left toward developers that often have limited cybersecurity expertise, he added.

Regardless of how containers are secured, the one thing that should be apparent by now is the cybercriminals are better equipped to exploit them for a wide range of illicit purposes.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1605 posts and counting. See all posts by Mike Vizard