Aqua Security: 50% of new Docker instances attacked within 56 minutes


Fifty percent of new misconfigured Docker instances are attacked by botnets within 56 minutes of being set up, Aqua Security said in its 2020 Cloud-Native Report. Five hours, on average, is all it takes for an attacker to scan a new honeypot, the pure-play cloud native security company said.

Above: Cryptocurrency mining remains the main objective of most attacks, with more than 90% of the images executing resource hijacking.

The majority of attacks were focused on crypto mining, which may be perceived as “more of a nuisance than a severe threat,” Aqua Security noted. However, 40% of attacks also involved backdoors to gain access to the victim’s environment and networks. Backdoors were enabled by dropping dedicated malware or creating new users with root privileges and SSH keys for remote access. More than 36% of attacks involved worms to detect and infect new victims.

Adversaries keep searching for new ways to attack cloud native environments. They are not just looking for port 2375 (unencrypted Docker connections) and other ports related to cloud native services, Aqua Security noted in the research. There were campaigns targeting supply chains, the auto-build process of code repositories, registries, and CI service providers. There were also attacks through Docker Hub and GitHub where adversaries relied on typo-squatting (misspellings of popular, public projects) to trick developers into pulling and running malicious container images or code packages.
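A defender can check a host for the misconfiguration described above (a Docker API listening on TCP without TLS, conventionally port 2375) before it is ever scanned. The following is an added example, not code from Aqua Security's report: the function names, sample configurations and severity labels are assumptions made for illustration, while the `hosts`, `tls` and `tlsverify` keys and the `-H`/`--host`, `--tls` and `--tlsverify` flags are Docker's own.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the report).
SAMPLE_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

def parse_dockerd_cmdline(cmdline):
    """Return (hosts, tls_flags) from -H/--host, --tls and --tlsverify arguments."""
    hosts, flags = [], {}
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        name, _, value = args[i].partition("=")
        if name in ("-H", "--host"):
            if not value and i + 1 < len(args):  # "-H tcp://..." form
                i += 1
                value = args[i]
            hosts.append(value)
        elif name in ("--tls", "--tlsverify"):
            flags[name.lstrip("-")] = value.lower() != "false"
        i += 1
    return hosts, flags

def audit_docker_daemon(daemon_json="{}", cmdline=""):
    """List (severity, host, reason) for every TCP listener lacking mutual TLS."""
    cfg = json.loads(daemon_json or "{}")
    cli_hosts, cli_flags = parse_dockerd_cmdline(cmdline)
    tlsverify = bool(cli_flags.get("tlsverify", cfg.get("tlsverify", False)))
    tls = tlsverify or bool(cli_flags.get("tls", cfg.get("tls", False)))
    findings = []
    for host in list(cfg.get("hosts", [])) + cli_hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local sockets, not network listeners
        if not tls:
            # Severity labels are this example's own rating, not the report's.
            local = url.hostname in ("127.0.0.1", "localhost", "::1")
            findings.append(("medium" if local else "critical", host, "TCP API without TLS"))
        elif not tlsverify:
            findings.append(("high", host, "TLS without client certificate verification"))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_EXPOSED, SAMPLE_HARDENED):
        print(audit_docker_daemon(sample) or "no exposed TCP listener")
```

Feed it the contents of `/etc/docker/daemon.json` and the running `dockerd` command line; an empty result means no TCP listener was found without client-certificate verification.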

Attackers are extending their arsenals with new and advanced techniques to avoid detection, such as leveraging privilege-escalation techniques to escape from within containers to the host machine.

The report analysis was conducted using Aqua Security’s Dynamic Threat Analysis (DTA) tool, which is powered by the open source project Tracee. The software enables users to perform runtime security and forensics in a Linux environment using eBPF (a Linux firewall framework). The attackers’ techniques were classified according to the MITRE ATT&CK framework to map the full, improved attacker arsenal all the way from Initial Access to Data Exfiltration, and everything in between.

Between June 2019 and December 2020, the team at Aqua observed that botnets are swiftly finding and infecting new hosts as they become vulnerable. The team observed 17,358 individual “honeypot” attacks with increased sophistication in terms of privilege escalation, hiding and persistence. The average number of attacks also rose, from 12.6 per day in the second half of 2019 to 77 per day in the first half of 2020. By the second half of 2020, the average number of attacks was 97.3 per day.

Read Aqua Security’s full Cloud Native Threats report and detailed attack analysis.

