Advanced persistent threats (APTs) are known to use the most advanced techniques, but we don’t often hear about APT involvement in cloud native environments. In a recent campaign that targets containers, Team Nautilus researchers detected a program that provides continued privileged access to the targeted system, while actively hiding its presence. This program is known as rootkit and it is designed to operate in the lower levels of an operating system which makes it highly dangerous. In fact, the attackers are using two types of rootkits – “user space rootkits” and “ kernal space rootkits” – underscoring how advanced attacks against cloud native environments have become.
Team Nautilus found a few dozen hosts in the wild that were targeted by that campaign, which can be attributed to TeamTNT. The attackers used advanced techniques that are usually leveraged by APTs. The campaign targets cloud native environments specifically by running malicious containers, and the volume of attacks has been intensive. Team Nautilus observed hundreds of attacks per each infected host, with 20 attacks per day on average. The campaign is still ongoing.
Tracking a daily attack volume throughout May to August 2021 and the number of newly infected hosts per day, Team Nautilus identified the attack process. Initially, the adversaries exploit a misconfigured docker daemon to run an Alpine container image along with a malicious command that mounts the host file system to escape the container and gain access to the host. After the attacker escapes to the host, they write a command in the scheduler system that is designed to download and execute a malicious shell script from a remote source, before finally implementing the malware.
Throughout this aggressive campaign, the attackers gained initial access to the targeted cloud environment and aimed to extend their persistence over the host. The lowest-hanging fruit in this attack is to hijack resources by executing cryptominers. Normally, this would increase the CPU usage of the host and alert security monitoring solutions. However, by using rootkits, the attackers could in fact conceal the high CPU usage, which significantly decreases the chances of being detected by any monitoring systems.
For further insight into these sophisticated techniques, how adversaries are using them to attack cloud native environments and a detailed analysis of rootkit-attack flows, visit: https://blog.aquasec.com/advanced-persistent-threat-techniques-container-attacks
