Lacework Labs Finds Backdoors in Container Images

Cloud security platform provider Lacework this week published a report that reveals cybercriminals are now creating backdoors in legitimate container images. Lacework Labs reports it has discovered that a threat actor, dubbed TeamTNT, has been creating backdoors in Docker images that went undetected by the IT teams that deployed those images.

Mark Nunnikhoven, resident cloud strategist for Lacework, says it’s now more critical than ever for IT teams to ensure Docker sockets are not publicly exposed and that appropriate firewall rules/security groups and other network controls are in place to prevent unauthorized access to network services.
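One way to audit the first of those recommendations on a Docker host, as an added example that is not from the article or from Lacework: a POSIX sh check of the two places dockerd is assumed to take its listeners from, the `-H`/`--host` flags in the systemd unit's `ExecStart` line and the `"hosts"` array in `/etc/docker/daemon.json`. The function names and the sample inputs in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article or Lacework): flag dockerd listeners
# bound to a non-loopback TCP address. Without TLS client certificates the
# Docker API has no authentication, so such a listener is root on the host
# for anyone who can reach the port.

# Exit 0 (true) when HOST_SPEC is a TCP listener on a non-loopback address.
docker_host_is_exposed() {
  case "$1" in
    tcp://127.*|tcp://localhost|tcp://localhost:*|tcp://\[::1\]|tcp://\[::1\]:*)
      return 1 ;;                 # loopback only
    tcp://*) return 0 ;;          # 0.0.0.0, [::], empty host, or any other IP
    *) return 1 ;;                # unix:// and fd:// are local sockets
  esac
}

# Print the host specs named by -H / --host flags in a systemd ExecStart
# line, e.g. "ExecStart=/usr/bin/dockerd -H fd:// --host=tcp://0.0.0.0:2375".
execstart_hosts() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    $0 == "-H" || $0 == "--host" { want = 1; next }
    want                          { print; want = 0; next }
    sub(/^(-H|--host=)/, "")      { print }'
}

# Print the host specs in the "hosts" array of a daemon.json document
# (minimal grep/sed extraction, no jq dependency; the ERE tolerates
# bracketed IPv6 literals such as tcp://[::]:2375 inside the array).
daemonjson_hosts() {
  printf '%s' "$1" | tr -d '\n' \
    | grep -oE '"hosts"[[:space:]]*:[[:space:]]*\[([^][]|\[[^]]*])*]' \
    | sed 's/^"hosts"[[:space:]]*:[[:space:]]*\[//; s/]$//' \
    | tr ',' '\n' | sed 's/^[[:space:]]*"\(.*\)"[[:space:]]*$/\1/'
}

# Read host specs from stdin, print each exposed one, exit 0 if any was found.
report_exposed() {
  found=1
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    if docker_host_is_exposed "$spec"; then
      echo "EXPOSED: $spec"
      found=0
    fi
  done
  return $found
}
```

On a live host, feed it `systemctl cat docker | grep '^ExecStart='` and the contents of `/etc/docker/daemon.json`; any `EXPOSED:` line is a listener to reconcile with the host firewall rules and security groups the article mentions.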

The Lacework Labs report also notes that another cybercriminal gang, known as the 8220 Gang, has been deploying an internet relay chat (IRC) bot that could be used to gain remote control of a container platform, from which additional attacks could be launched.

In addition, Lacework Labs is reporting that demand for stolen administrative account credentials that provide access to cloud service platforms is increasing on underground marketplaces. That increased level of activity should be viewed as a warning sign that encourages IT teams to conduct an audit of who has access to cloud services using what might appear to be a valid credential, says Nunnikhoven.

As the volume of containerized applications being deployed in production environments continues to increase, it’s apparent cybercriminals have noticed. The attacks aimed at containers are starting to move beyond comparatively simple efforts to surreptitiously steal CPU resources to mine for cryptocurrencies, otherwise known as cryptojacking.

It’s not clear to what degree security operations teams are proactively looking for vulnerabilities in containers just yet. The bulk of the applications running in most IT environments were built using legacy technologies. The tools employed to secure those application environments, however, are not always applicable to the next generation of cloud-native applications based on containers.

Hopefully, as DevSecOps processes continue to mature, the amount of malware encapsulated in containers will decline. However, given the rate at which containers are ripped and replaced, IT organizations will need to find a way to continuously scan them for vulnerabilities that might not have been known when the software deployed in those containers was originally developed.

In addition, there’s a tendency among developers to download containers from registries without scanning them for malware. There are more certified containers showing up on various registries, but the bulk of the containers made available via public registries should be viewed with suspicion.

In the wake of a recent spate of high-profile software supply chain breaches, many organizations are now starting to dive deeper into how the software they rely on is actually built and deployed. Regardless of how organizations approach that issue, it’s clear the arrival of cloud-native applications will force organizations to, at the very least, reevaluate their current security processes as they seek to bridge the current divide between developers and security teams. The challenge, of course, is finding a way to make applications more secure without unduly slowing down the rate at which those applications are being built and deployed.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
