Cryptojacking is the most common form of attack against container-based systems running in the cloud, while geopolitical motivations, mainly related to Russia's war against Ukraine, factored into a fourfold increase in DDoS (distributed denial-of-service) attacks this year, according to a new report from cybersecurity company Sysdig.

As containers are increasingly used in cloud-based systems, they have also become an important vector for supply chain attacks, according to the 2022 Sysdig Cloud Native Threat Report, released Wednesday and based on findings from the Sysdig Threat Research Team (Sysdig TRT).

"Because container images are designed to be portable, it is very easy for one developer to share a container with another individual," according to the report. "There are multiple open source projects available providing the source code to deploy a container registry or free access container registries for developers to share container images."

Public container repositories contain malicious images

Public container image repositories such as Docker Hub are increasingly being filled with malicious images that contain cryptominers, backdoors and other malware disguised as legitimate software, noted Sysdig, which specializes in container and cloud security products.

Cryptojacking (the unauthorized use of computing infrastructure to mine cryptocurrency) remains the primary motivation for opportunistic attackers, who get in by exploiting critical vulnerabilities and weak system configurations, the report said.

"In the Docker Hub analysis total unique malicious images in the reported data set was 1,777. Of those, 608 or 34% contained miners," said Michael Clark, director of threat research at Sysdig.

The high prevalence of cryptojacking is attributable to the low risk and high reward for the perpetrators. Cryptojackers make $1 of profit for every $53 in compute resources billed to the victim, according to Sysdig.

The company based this calculation on an analysis of activity by a threat actor called TeamTNT and on the cost of cryptomining. Using a global network of honeypots, Sysdig TRT was able to track TeamTNT's cryptojacking activity. The research team attributed more than $8,100 worth of stolen cryptocurrency to TeamTNT, mined on hijacked cloud infrastructure at a cost to the victims of more than $430,000.

"This is calculated by figuring out how much it costs to mine one crypto coin on an AWS instance and comparing it to the dollar value of that coin," Clark said. "The cost to the attacker is effectively zero while the victim gets to foot the expensive cloud infrastructure bill," he added.

Russia-Ukraine conflict contributes to DDoS attacks

The Sysdig report also noted a jump in DDoS attacks that use containers since the start of the Russian invasion of Ukraine.

"The goals of disrupting IT infrastructure and utilities have led to a four-fold increase in DDoS attacks between 4Q21 and 1Q22," according to the report. "Over 150,000 volunteers have joined anti-Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks."

On the other side, a pro-Russian hacktivist group called Killnet has launched several DDoS attacks on NATO member states and other targets. These include, but are not limited to, websites in Italy, Poland, Estonia, Ukraine, and the United States.

"Because many sites are now hosted in the cloud, DDoS protections are more common, but they are not yet ubiquitous and can sometimes be bypassed by skilled adversaries," Sysdig noted. "Containers pre-loaded with DDoS software make it easy for hacktivist leaders to quickly enable their volunteers."

Preventing attacks on cloud systems

A layered defense is the best way to prevent these attacks on cloud-based systems, according to Sysdig. "Cloud security teams should implement preventative controls like vulnerability and permissions management to make it difficult for attackers to compromise their infrastructure," Clark said.

Additionally, techniques such as machine-learning-based cryptominer detection should be used to alert security teams and block any attacks that get through, he added.

For cryptomining attacks specifically, preventative controls via IAM (identity and access management) and CIEM (cloud infrastructure entitlement management) tooling make it very hard for an attacker to provision instances on a legitimate user's behalf, Clark said.
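As an added illustration of the two detection points above (miner-laden images on public registries, and catching miners that get through at runtime), the following Python script is example code written for this article; it is not Sysdig's product, nor anything from the report. Where the report recommends machine-learning-based detection, this example uses hand-written indicators of the kind such a model would be trained on: known miner binary names, stratum pool URLs, miner-style flags, a Monero wallet address, and outbound connections to pool-looking hosts on common pool ports. It runs the same checks over an image config (the Entrypoint, Cmd and Env fields of docker image inspect output) and over a stream of runtime exec and connect events. All image names, container ids, hostnames and the wallet address are constructed for the demo, and the indicator lists are assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass

# Indicator lists are assumptions for illustration; tune them to your environment.
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "ethminer", "nbminer"}
MINING_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 45700}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://", re.IGNORECASE)
MINER_FLAGS_RE = re.compile(r"--donate-level|--algo[= ]|--coin[= ]", re.IGNORECASE)
POOL_HOST_RE = re.compile(r"xmr|monero|hashvault|supportxmr|nanopool|\bpool\b", re.IGNORECASE)
# Monero standard addresses are 95 base58 characters beginning with '4'.
MONERO_ADDR_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])4[1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)


@dataclass(frozen=True)
class Finding:
    source: str  # image reference or container id
    reason: str


def _check_command(source: str, cmdline: str) -> list[Finding]:
    """Look for miner indicators in a command line (image Cmd/Entrypoint or a process exec)."""
    findings = []
    argv = cmdline.split()
    binary = argv[0].rsplit("/", 1)[-1].lower() if argv else ""
    if binary in MINER_BINARIES:
        findings.append(Finding(source, f"known miner binary: {binary}"))
    if STRATUM_RE.search(cmdline):
        findings.append(Finding(source, "stratum mining-pool URL on command line"))
    if MINER_FLAGS_RE.search(cmdline):
        findings.append(Finding(source, "miner-style command-line flags"))
    if MONERO_ADDR_RE.search(cmdline):
        findings.append(Finding(source, "Monero wallet address on command line"))
    return findings


def scan_image_config(image: str, config: dict) -> list[Finding]:
    """Check Entrypoint, Cmd and Env of an image config (the Config object from docker image inspect)."""
    findings = []
    parts = (config.get("Entrypoint") or []) + (config.get("Cmd") or [])
    if parts:
        findings += _check_command(image, " ".join(parts))
    for env in config.get("Env") or []:
        if STRATUM_RE.search(env) or MONERO_ADDR_RE.search(env):
            findings.append(Finding(image, f"mining indicator in environment: {env.split('=', 1)[0]}"))
    return findings


def scan_runtime_event(event: dict) -> list[Finding]:
    """Check one runtime event: a process exec or an outbound connection from a container."""
    source = event["container"]
    if event["type"] == "exec":
        return _check_command(source, event["cmdline"])
    if event["type"] == "connect":
        host, port = event["dst_host"], event["dst_port"]
        # A pool port alone is too noisy (8888 is also Jupyter); require a pool-looking host too.
        if STRATUM_RE.search(host) or (port in MINING_POOL_PORTS and POOL_HOST_RE.search(host)):
            return [Finding(source, f"outbound connection to likely mining pool {host}:{port}")]
    return []


# Constructed sample inputs (not real images, hosts, wallets or captured telemetry).
SAMPLE_IMAGES = {
    "registry.example.test/devtools/build-helper:1.2": {
        "Entrypoint": ["/opt/bin/xmrig"],
        "Cmd": ["-o", "stratum+tcp://pool.example-xmr.test:4444", "--donate-level", "0"],
        "Env": ["WALLET=4" + "A" * 94],
    },
    "registry.example.test/web/frontend:3.0": {
        "Entrypoint": ["/docker-entrypoint.sh"],
        "Cmd": ["node", "server.js"],
        "Env": ["NODE_ENV=production", "PATH=/usr/local/bin:/usr/bin"],
    },
}

SAMPLE_EVENTS = [
    # Miner renamed to look like a kernel thread: the name check misses it, the flags do not.
    {"container": "c-7f3a", "type": "exec", "cmdline": "/tmp/.x/kthreadd --algo rx/0 -o pool.example-xmr.test:14444"},
    {"container": "c-7f3a", "type": "connect", "dst_host": "pool.example-xmr.test", "dst_port": 14444},
    {"container": "c-91b0", "type": "exec", "cmdline": "python3 /app/server.py"},
    {"container": "c-91b0", "type": "connect", "dst_host": "api.example.test", "dst_port": 443},
    {"container": "c-91b0", "type": "connect", "dst_host": "notebook.example.test", "dst_port": 8888},
]


def run_demo() -> list[Finding]:
    """Scan the constructed images and events; returns every finding in order."""
    findings = []
    for image, config in SAMPLE_IMAGES.items():
        findings += scan_image_config(image, config)
    for event in SAMPLE_EVENTS:
        findings += scan_runtime_event(event)
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.source}: {finding.reason}")
```

The build-helper image trips four indicators before it ever runs, which is the kind of pre-pull check worth gating a registry on. At runtime the renamed miner is missed by the binary-name check but caught by its flags and by the pool connection, while the benign container's connection to port 8888 is not flagged because the host does not look like a pool; real deployments replace these static lists with the model-driven detection Clark describes, but the features stay the same.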