Cryptojacking, DDoS attacks increase in container-based cloud systems

Cryptojacking is the most common form of attack against container-based systems running in the cloud, while geopolitical motivations—mainly related to Russia’s war against Ukraine—factored into a fourfold increase in DDoS (distributed denial-of-service) attacks this year, according to a new report from cybersecurity company Sysdig.

As containers are increasingly used in cloud-based systems, they have also become an important attack vector for supply chain attacks, according to the 2022 Sysdig Cloud Native Threat Report, released Wednesday and based on findings from the Sysdig Threat Research Team (Sysdig TRT).

“Because container images are designed to be portable, it is very easy for one developer to share a container with another individual,” according to the report. “There are multiple open source projects available providing the source code to deploy a container registry or free access container registries for developers to share container images.”

Public container repositories contain malicious images

Public container image repositories such as Docker Hub are increasingly being filled with malicious images that contain cryptominers, backdoors and other threat vectors disguised as legitimate software applications, noted Sysdig, which specializes in container and cloud security products.

Cryptojacking—the unauthorized use of computing infrastructure to mine cryptocurrency—remains the primary motivation for opportunistic attackers, exploiting critical vulnerabilities and weak system configurations, the report said.

“In the Docker Hub analysis total unique malicious images in the reported data set was 1,777. Of those, 608 or 34% contained miners,” said Michael Clark, director of threat research at Sysdig. 

The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators. Cryptojackers make $1 of profit for every $53 in compute resources the victim is billed, according to Sysdig. The company based this calculation on an analysis of activities conducted by a threat actor called TeamTNT, and the cost of cryptomining.

Using a global network of honeypots, Sysdig TRT was able to track TeamTNT’s cryptojcaking activity. The Sysdig research team attributed more than $8,100 worth of stolen cryptocurrency TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than $430,000. 

“This is calculated by figuring out how much it costs to mine one crypto coin on an AWS instance and comparing it to the dollar value of that coin,” Clark said. 

“The cost to the attacker is effectively zero while the victim gets to foot the expensive cloud infrastructure bill,” Clark said. 

Russia-Ukraine conflict contributes to DDoS attacks

 The Sysdig repot also noted that there has been a jump in DDoS attacks that use containers since the start of Russian invasion of Ukraine.

“The goals of disrupting IT infrastructure and utilities have led to a four‑fold increase in DDoS attacks between 4Q21 and 1Q22,” according to the report. “Over 150,000 volunteers have joined anti‑Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.”

Otherwise, a pro-Russian hacktivist group, called Killnet, launched several DDoS attacks on NATO countries. These include, but are not limited to, websites in Italy, Poland, Estonia, Ukraine, and the United States.

 “Because many sites are now hosted in the cloud, DDoS protections are more common, but they are not yet ubiquitous and can sometimes be bypassed by skilled adversaries,” Sysdig noted.  “Containers pre‑loaded with DDoS software make it easy for hacktivist leaders to quickly enable their volunteers.”

Preventing attacks on cloud systems

Having a layered defense is the best way to prevent these attacks on cloud-based systems. according to Sysdig. “Cloud security teams should implement preventative controls like vulnerability and permissions management to make it difficult for attackers to compromise their infrastructure,” Clark said.  

Additionally, techniques such as machine-learning-based cryptominer detection should be used to alert security teams and block any attacks that make it through, he adds. 

For cryptominer attacks, preventative controls via IAM (identity and access management) and CIEM (cloud infrastructure entitlements manager) technology make it very hard for an attacker to provision instances on a legitimate user’s behalf, Clark said.