Attackers still prefer to use cryptominers in cloud attacks, but the use of backdoors, rootkits and credential stealers are on the rise. Pictured: A visitor tries out a tablet computer next to a cloud computing and technology symbol at a technology trade fair in Germany. (Sean Gallup/Getty Images)

New research released Wednesday from Aqua Security found that while cryptominers were the most common malware observed, the researchers discovered increased use of backdoors, rootkits, and credential stealers — signs that intruders have more than cryptomining in their plans.

Team Nautilus, Aqua’s research group, said they found backdoors in 54% of attacks observed — up 9% compared with 2020. The researchers also found that 51% of the malicious container images contained worms, up 10% compared with 2020. Threat actors also broadened their targets to include CI/CD and Kubernetes environments. The researchers said in 2021, 19% of the malicious container images targeted Kubernetes, up 9% compared with the previous year.

“These findings underscore the reality that cloud native environments now represent a target for attackers and that the techniques are always evolving, said Assaf Morag, threat intelligence and data analyst lead for Aqua’s Team Nautilus. “The broad attack surface of a Kubernetes cluster is attractive for threat actors, and then once they are in, they are looking for low-hanging fruit.”

Cloud-native design relies on a new technology stack that puts containers, Kubernetes, and service mesh front and center, said Yaniv Balmas, vice president of research at Salt Security. Balmas said it also generates a lot of API development, integration, and consumption, which significantly expands the attack surface.

“Crypto mining, backdoors, rootkits, credential stealers — these are all part of the cloud-native attacker’s toolkit," Balmas said. “But this list is not exclusive — there have also been cases of server-side request forgeries that have created significant damage. A good example is the Capital One incident where attackers used web applications or web APIs as the front door into back-end cloud provider metadata services and infrastructure.

Ratan Tipirneni, president and CEO at Tigera, said as the container and Kubernetes market matures, we see customers move mission-critical workloads to these platforms. This will change the nature of attacks as attackers move from innocuous activities like cryptomining to more damaging attacks to steal data and hold companies to ransom, said Tipirneni.
 
“While cloud native workloads bring a lot of benefits, we have to contend with the fact that they bring a very large attack surface with them and provide more on-ramps for attackers,” Tipirneni said. “While it’s uncomfortable to deal with, we need to confront the fact that persistent threats are likely to be injected into modern cloud workloads and may exist for extended periods of time. Preventing lateral movement has to become baseline security hygiene similar to image scanning.”