Sysdig Report Reveals True Cost of Container Security Breaches

A Sysdig report published today finds that for every dollar cybercriminals generate through a cryptomining attack against a cloud container environment, victims end up paying a $53 bill.

As a result, an attack that generates $8,100 for cybercriminals would potentially result in a $430,000 cloud bill for the organization that provisioned those cloud resources, according to the Sysdig report.

Cryptomining is the most common form of attack against container-based environments running in the cloud. Cybercriminals are littering public repositories such as Docker Hub with container images that contain cryptominers, backdoors and other forms of malware; more than a third of the malicious images found on Docker Hub contain cryptominers, the report finds.

Embedded secrets are the second most prevalent type of malware found in these repositories, which results in persistent secrets management challenges, the report also notes.

Finally, the report also finds there has been a significant increase in distributed denial-of-service (DDoS) attacks that employ containers since the start of the war in Ukraine. Over 150,000 volunteers have joined anti-Russian DDoS campaigns using container images from Docker Hub, the report finds.

Michael Clark, director of threat research for Sysdig, says many of those DDoS attacks use containers to make it simpler for anyone to participate using infrastructure they already have access to or infrastructure platforms they commandeer.

The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.

There’s clearly still work to be done when it comes to container security. Far too many developers still assume that, because a container only runs for a few seconds, a cybercriminal will not have the time to discover and exploit it. Cybercriminals, however, are now continuously scanning for container vulnerabilities within software supply chains. One of the primary security issues with containers is that they make it trivial for developers to reuse container images that encapsulate multiple vulnerabilities without realizing it.

Right now, the primary threat vector is cryptomining attacks; many IT professionals still consider those to be the digital equivalent of a nuisance crime. Cloud service providers will, in some instances, initially absorb the cost of cryptomining attacks, but Clark notes it’s only a matter of time before organizations that are routinely compromised are presented with a bill. Earlier this year, Sysdig published a separate report that found 85% of the container images running in production environments contain at least one vulnerability. Three-quarters of those vulnerabilities (75%) were rated as “high” or “critical.”

Similarly, providers of cybersecurity insurance will eventually deny claims from organizations that they determine have not done enough to secure their cloud environments, he adds. Real money is being stolen and cloud service providers and cyberinsurance providers are not going to absorb those costs forever, notes Clark.

Of course, a cryptomining attack is only the proverbial tip of the iceberg when it comes to container security. Once cybercriminals compromise a container environment, it’s only a matter of time before the back door they created is used to distribute more lethal forms of malware. The trouble is, as malware continues to move laterally through an environment, it might be months before IT organizations realize their entire application portfolio is riddled with it.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
