2023-06-27

The number of fileless or memory-based attacks that exploit existing software, applications, and protocols has surged 1,400% in the last year. That’s according to Aqua Security’s 2023 Cloud Native Threat Report, which summarizes research and observations of threat actors’ changing tactics, techniques, and procedures (TTPs), along with outlining strategies for protecting cloud environments.

Based on analysis by Aqua Nautilus researchers of 700,000 real-world attacks, the report covers three key areas: software supply chain, risk posture (including vulnerabilities and misconfigurations), and runtime protection. Among the key findings is that threat actors are investing heavily in concealing campaigns and avoiding detection in order to establish a stronger foothold in compromised systems. Meanwhile, various areas of the cloud software supply chain remain vulnerable to compromise and pose significant threats to organizations, the report stated.

Threat actors use multiple techniques to conceal campaigns

Threat actors are using many techniques to conceal their campaigns from agentless solutions, according to the report. Aggregated honeypot data collected over a six-month period showed that more than 50% of attacks focused on defense evasion. These include masquerading techniques, such as executing files from /tmp, and obfuscated files or information, such as dynamic loading of code. In addition, threat actors used memory-resident malware in 5% of attacks, Aqua said.

The most persuasive evidence of threat actors’ increasing and successful efforts to evade agentless technology was found in the “HeadCrab” campaign, detected in early 2023. “This advanced threat actor uses state-of-the-art, custom-made malware that is undetectable by agentless and traditional antivirus technologies,” the report read.
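The /tmp-execution and memory-resident findings above are things a host-level check can look for directly, which is the practical content of the "agent-based" argument. The following is an added example written for this page, not Aqua's tooling and not part of the report: on Linux it reads the /proc/<pid>/exe link and cmdline of every process and flags executables running from world-writable directories, executables unlinked after exec, memfd-backed (in-memory) images, and argv[0] names that do not match the on-disk image. The sample process records are constructed, not captured from a real host.

```python
"""Runtime check for common defense-evasion patterns on Linux:
execution from world-writable paths, deleted-after-exec binaries,
memfd-backed (fileless) images, and argv[0] masquerading.
Added example for this page; not Aqua's code."""
import os
import sys
from dataclasses import dataclass

# Directories an unprivileged attacker can write to. A long-lived service
# whose executable lives here deserves a look.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str       # target of the /proc/<pid>/exe symlink
    cmdline: str   # argv joined with spaces


def classify(p: Proc) -> list[str]:
    """Return the evasion indicators that apply to one process."""
    findings = []
    if p.exe.startswith("/memfd:"):
        # Anonymous in-memory file from memfd_create(): nothing on disk
        # for a file scanner to hash.
        findings.append("memory-resident-memfd")
        return findings
    on_disk = p.exe.removesuffix(" (deleted)")
    if on_disk != p.exe:
        # Binary unlinked after exec: the self-deleting dropper pattern.
        findings.append("exec-deleted-from-disk")
    if on_disk.startswith(WORLD_WRITABLE_PREFIXES):
        findings.append("exec-from-world-writable")
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    # argv[0] rewritten to look like a kernel thread or system daemon while
    # the real image is something else. Noisy for interpreters and login
    # shells (python3 vs python3.11, -bash vs bash), so treat as supporting
    # evidence, not a verdict on its own.
    if argv0 and os.path.basename(argv0) != os.path.basename(on_disk):
        findings.append("argv0-masquerade")
    return findings


def scan(procs) -> dict[int, list[str]]:
    """Map pid -> indicators, keeping only processes with at least one."""
    return {p.pid: f for p in procs if (f := classify(p))}


def collect_live() -> list[Proc]:
    """Snapshot /proc (Linux only). Entries that cannot be read (kernel
    threads, other users' processes without CAP_SYS_PTRACE) are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        procs.append(Proc(pid, exe, cmdline))
    return procs


# Constructed sample records, not captured from a real host.
SAMPLE_PROCS = [
    Proc(1234, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(2345, "/tmp/.x/kthreadd", "[kthreadd]"),
    Proc(3456, "/memfd:x (deleted)", "/usr/sbin/crond"),
    Proc(4567, "/dev/shm/.s/cache (deleted)", "/dev/shm/.s/cache -c /tmp/c.json"),
]

if __name__ == "__main__":
    use_sample = "--sample" in sys.argv or not os.path.isdir("/proc")
    procs = SAMPLE_PROCS if use_sample else collect_live()
    for pid, findings in scan(procs).items():
        print(pid, ", ".join(findings))
```

Run it with `--sample` to see the constructed cases, or without arguments on a Linux host to scan live processes; anything it flags still needs triage, since the argv[0] rule in particular fires on benign interpreters and login shells.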
Aqua found evidence that HeadCrab has taken control of at least 1,200 Redis servers, some of them belonging to security companies. “The malware uses Redis commands and creates new commands to increase capabilities on its victims’ servers.” Such evasive attack techniques highlight the importance of agent-based runtime security, Aqua said.

4 steps to tackling evasive, concealed attacks

Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, advises businesses to implement four steps to mitigate the threats of attacks that use evasion/concealment to avoid cloud security defenses:

Software supply chain complexity creates large attack surface

The report also highlights how software supply chain complexity presents a large attack surface spanning many applications, which in turn invites misconfigurations and vulnerabilities. Aqua’s data indicates that supply chain attacks grew by more than 300% year-over-year. One area the report focuses on is how threat actors exploit software packages and use them as attack vectors to subvert the wider software supply chain. “Through our research, we demonstrated how attackers can perform reconnaissance and exploit packages in the NPM package manager,” Aqua wrote. This involved using NPM’s API to detect private packages and identifying flaws in two-factor authentication that could enable account takeover attacks.

Furthermore, the firm discovered a logical flaw called “package planting,” which allows attackers to disguise malicious packages as legitimate, as well as a vulnerability (CVE-2022-32223) affecting all Node.js release lines supported at the time that could allow malicious code to be embedded into packages and lead to privilege escalation or malware persistence in Windows environments.
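Returning to the HeadCrab finding above: the report says the malware "uses Redis commands and creates new commands", and modules are the mechanism Redis provides for adding commands, so the first thing a defender wants to know is whether an instance even exposes the commands that make loading code and steering file writes possible. The script below is an added example, not part of the report and not Aqua's tooling: it audits a redis.conf for open binding, disabled protected mode, missing authentication, and reachable MODULE/CONFIG/DEBUG/SLAVEOF/REPLICAOF commands, and runs over a constructed weak config and a constructed hardened one. Directive names follow Redis 6 and 7; enable-module-command and enable-debug-command are Redis 7.0 options and are assumed absent on 6.x, which is why the check also accepts the older rename-command approach.

```python
"""Audit a redis.conf for settings that let a remote client turn Redis
commands into code loading or arbitrary file writes.
Added example for this page; not Aqua's or HeadCrab's code."""
import shlex

# Commands that load code (MODULE), change where Redis writes files
# (CONFIG dir/dbfilename), or turn the instance into a replica of an
# attacker-controlled master (SLAVEOF/REPLICAOF). DEBUG is included for
# its crash/reload primitives.
CODE_LOADING = {"module", "config", "debug", "slaveof", "replicaof"}
# Redis 7.0 directives that gate a command without renaming it.
# Assumption: absent on 6.x, so only an explicit 'no' is treated as safe.
GUARD_DIRECTIVE = {"module": "enable-module-command", "debug": "enable-debug-command"}


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs in file order. Comment lines start
    with '#'; quoted arguments (e.g. "") are handled by shlex."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text: str) -> list[str]:
    entries = parse_conf(text)

    def args_of(directive: str) -> list[list[str]]:
        return [a for d, a in entries if d == directive]

    findings = []

    # No bind line, or a wildcard bind, exposes the port on every interface.
    binds = args_of("bind")
    if not binds or any(ip in ("0.0.0.0", "*", "::", "-::*") for a in binds for ip in a):
        findings.append("bind: accepts connections on every interface")

    # protected-mode defaults to yes; an explicit 'no' removes the
    # loopback-only safety net for unauthenticated instances.
    pm = args_of("protected-mode")
    if pm and pm[-1] == ["no"]:
        findings.append("protected-mode no: remote clients not required to authenticate")

    # Authentication: either requirepass, or the default ACL user carries a
    # password (>plain or #sha256) or is switched off entirely.
    default_user = [a for a in args_of("user") if a[:1] == ["default"]]
    authenticated = bool(args_of("requirepass")) or any(
        "off" in a or any(t.startswith((">", "#")) for t in a) for a in default_user
    )
    if not authenticated:
        findings.append("no requirepass and default ACL user has nopass")

    # rename-command X "" removes the command; a 7.0 enable-*-command no
    # guard is equivalent for MODULE and DEBUG.
    renamed_off = {a[0].lower() for a in args_of("rename-command") if len(a) == 2 and a[1] == ""}
    for cmd in sorted(CODE_LOADING):
        guard = GUARD_DIRECTIVE.get(cmd)
        guarded = bool(guard) and any(a == ["no"] for a in args_of(guard))
        if cmd not in renamed_off and not guarded:
            findings.append(f'{cmd.upper()} reachable: rename it to "" or deny it via ACL')
    return findings


# Constructed configs for this example; the password is a placeholder.
WEAK_CONF = """\
# internet-facing instance with the defaults relaxed
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "example-only-change-me"
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
enable-module-command no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: {'ok' if not result else ''}")
        for line in result:
            print("  -", line)
```

The hardened fragment is deliberately belt-and-braces: the rename-command lines work on Redis 6 and 7, and enable-module-command no is the 7.0 way of closing the same door. On a live instance the same questions can be asked over the wire (CONFIG GET protected-mode, MODULE LIST, COMMAND INFO MODULE), but a config audit runs offline and catches the problem before the instance is reachable.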
Aqua researchers found over 770 million logs of free-tier users exposed to the internet, and after downloading a sample of 7 million logs (roughly 1%), they discovered tens of thousands of exposed tokens, secrets, and other credentials; 50% of these secrets and credentials were still active, according to the report.

Top 10 vulnerabilities scanned in 2022

Aqua’s report lists the top 10 vulnerabilities scanned last year, most of them related to remote code execution. “This reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems. Additionally, we see that Apache servers and services are widely targeted, as Log4Shell, Text4Shell, Spring Framework, and other services are all related to Apache.”

The top 10 vulnerabilities in the report are:

As for the severity of vulnerabilities in 2022, 27% were critical, 35% were high, 37% were medium, and 1% were low, according to Aqua.
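The exposed-log finding above (tens of thousands of credentials in roughly 1% of the logs) is exactly what a scanner over build output should catch before a log is published. The block below is an added example, not Aqua's scanner and not part of the report: it runs a few fixed-format token rules plus a generic key=value rule over constructed CI log lines, drops generic hits that a more specific rule already reported, and records a redacted value and a SHA-256 fingerprint so a finding can be tracked and the credential rotated without copying the secret anywhere. The sample log lines and the tokens in them are constructed (the AWS pair is the one from AWS documentation). Checking whether a credential is still active, the basis of the report's 50% figure, means presenting it to the issuing service and is left out here.

```python
"""Scan build-log text for leaked credentials and report them redacted.
Added example for this page; not Aqua's code. Token formats are the
documented prefixes for AWS access key IDs, GitHub PATs and npm tokens;
the generic rule is a deliberately loose fallback."""
import hashlib
import re
from dataclasses import dataclass

# (kind, pattern, capture group holding the secret). Fixed-prefix token
# formats come first; the generic key=value rule last because it is the
# noisiest and only gets to report what the specific rules missed.
RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 1),
    ("npm-token", re.compile(r"\b(npm_[A-Za-z0-9]{36})\b"), 1),
    ("generic-assignment", re.compile(
        r"(?i)[A-Z0-9_]*(?:password|passwd|secret|token|api[_-]?key)[A-Z0-9_]*"
        r"\s*[=:]\s*['\"]?([^\s'\"]{8,})"), 1),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str      # enough to recognise the secret, not enough to use it
    fingerprint: str   # sha256 prefix: dedupe and track rotation without storing it


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_log(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern, group in RULES:
            for m in pattern.finditer(line):
                value = m.group(group)
                if value in seen:
                    continue  # already reported by a more specific rule
                seen.add(value)
                findings.append(Finding(line_no, kind, redact(value), fingerprint(value)))
    return findings


# Constructed CI log excerpt. The AWS key pair is the example pair from
# AWS documentation; the other tokens are made up to match the formats.
SAMPLE_LOG = """\
[2023-03-01T10:14:02Z] Cloning repository...
[2023-03-01T10:14:05Z] $ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[2023-03-01T10:14:05Z] $ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[2023-03-01T10:14:09Z] $ npm config set //registry.npmjs.org/:_authToken=npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
[2023-03-01T10:14:11Z] $ git clone https://ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/org/private.git
[2023-03-01T10:14:20Z] Build finished: 0 errors, 0 warnings
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.redacted} fp={f.fingerprint}")
```

The output never contains the full secret, which matters because a scanner's own report is frequently stored in yet another log. Line 4 shows the dedupe rule at work: the npm token would also match the generic _authToken= rule, but only the npm-token finding is emitted.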