Victims lose $53 for every $1 cryptojackers gain, according to a new report from Sysdig.

Cryptojacking is the most common form of attack against container-based systems running in the cloud, while geopolitical motivations—mainly related to Russia’s war against Ukraine—factored into a fourfold increase in DDoS (distributed denial-of-service) attacks this year, according to a new report from cybersecurity company Sysdig.

As containers are increasingly used in cloud-based systems, they have also become an important attack vector for supply chain attacks, according to the 2022 Sysdig Cloud Native Threat Report, released Wednesday and based on findings from the Sysdig Threat Research Team (Sysdig TRT).

“Because container images are designed to be portable, it is very easy for one developer to share a container with another individual,” according to the report. “There are multiple open source projects available providing the source code to deploy a container registry or free access container registries for developers to share container images.”

Public container repositories contain malicious images

Public container image repositories such as Docker Hub are increasingly being filled with malicious images that contain cryptominers, backdoors and other threat vectors disguised as legitimate software applications, noted Sysdig, which specializes in container and cloud security products. Cryptojacking—the unauthorized use of computing infrastructure to mine cryptocurrency—remains the primary motivation for opportunistic attackers, who exploit critical vulnerabilities and weak system configurations, the report said.

“In the Docker Hub analysis, total unique malicious images in the reported data set was 1,777. Of those, 608 or 34% contained miners,” said Michael Clark, director of threat research at Sysdig. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.

Cryptojackers make $1 of profit for every $53 in compute resources the victim is billed, according to Sysdig. The company based this calculation on an analysis of activities conducted by a threat actor called TeamTNT, and on the cost of cryptomining.

Using a global network of honeypots, Sysdig TRT was able to track TeamTNT’s cryptojacking activity. The Sysdig research team attributed more than $8,100 worth of stolen cryptocurrency to TeamTNT, mined on stolen cloud infrastructure at a cost to the victims of more than $430,000.

“This is calculated by figuring out how much it costs to mine one crypto coin on an AWS instance and comparing it to the dollar value of that coin,” Clark said. “The cost to the attacker is effectively zero while the victim gets to foot the expensive cloud infrastructure bill.”

Russia-Ukraine conflict contributes to DDoS attacks

The Sysdig report also noted that there has been a jump in DDoS attacks that use containers since the start of the Russian invasion of Ukraine.

“The goals of disrupting IT infrastructure and utilities have led to a four‑fold increase in DDoS attacks between 4Q21 and 1Q22,” according to the report. “Over 150,000 volunteers have joined anti‑Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.”

Separately, a pro-Russian hacktivist group called Killnet launched several DDoS attacks on NATO countries; targets included, but were not limited to, websites in Italy, Poland, Estonia, Ukraine, and the United States.

“Because many sites are now hosted in the cloud, DDoS protections are more common, but they are not yet ubiquitous and can sometimes be bypassed by skilled adversaries,” Sysdig noted. “Containers pre‑loaded with DDoS software make it easy for hacktivist leaders to quickly enable their volunteers.”

Preventing attacks on cloud systems

Having a layered defense is the best way to prevent these attacks on cloud-based systems, according to Sysdig. “Cloud security teams should implement preventative controls like vulnerability and permissions management to make it difficult for attackers to compromise their infrastructure,” Clark said. Additionally, techniques such as machine-learning-based cryptominer detection should be used to alert security teams and block any attacks that make it through, he added.

For cryptominer attacks, preventative controls via IAM (identity and access management) and CIEM (cloud infrastructure entitlement management) technology make it very hard for an attacker to provision instances on a legitimate user’s behalf, Clark said.
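One concrete form of the IAM preventative control Clark describes, added here as an illustration and not taken from the Sysdig report: an AWS IAM policy (usable as an identity-based policy or a service control policy) that denies EC2 instance launches outside an approved list of instance types and regions, so a stolen credential cannot be used to provision large mining instances on a legitimate user’s behalf. The instance types, regions and statement IDs are assumed values to be replaced with an organization’s own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small",
            "m5.large"
          ]
        }
      }
    },
    {
      "Sid": "DenyLaunchOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

The first statement is scoped to the instance resource ARN because the ec2:InstanceType key exists only on that resource; with "Resource": "*" the negated condition would also match the AMI, subnet and security-group resources of the same RunInstances call and deny every launch. An explicit Deny overrides any Allow granted elsewhere, and the denied RunInstances calls still appear in CloudTrail, which gives security teams a detection signal for credential misuse.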