Posted: 3 Min ReadFeature Stories

Attackers Get (Virtually) Mean

Online criminals and vandals are targeting containers and virtual machines, in some cases compromising insecure infrastructure and causing other mischief

A decade ago, websites and business applications ran on clusters of servers in corporate data centers. Today, that infrastructure has gone virtual with software containers and virtual machines increasing used to host applications and business services, sometimes in datacenter-hosted private clouds, but most often on public cloud infrastructure.

Where information technology goes, attackers follow. More than half of companies have experienced attacks on their cloud infrastructure. And much of attackers' focus has been on containers.

In 2017, for example, researchers found a chain of attacks that could exploit Docker for Windows to load in malicious containers if the developer browsed an attacker-controlled website. More frequently, attackers have exploited businesses' failure to actively manage their infrastructure and security. Misconfiguration of applications hosted in virtualized environment often leaves open a path for intruders to get into the infrastructure.

"In the wild, we have seen bitcoin mining attacks—a developer will download an open-source container and behind the scenes there will be a bitcoin miner," said Amir Jerbi, a veteran enterprise security executive. "We have also seen a lot of attacks on the infrastructure itself, such as Kubernetes (used for orchestration). Companies set up Kubernetes in an insecure way, and attackers will use that to infiltrate the organization."

Because container technology and deployments continue to take off, the infrastructure will become increasingly popular to attackers. Nearly half of all companies have adopted Docker containers in some way. Among businesses that have created private clouds, 50% used VMWare's vSphere for managing virtual machines, but other virtualization infrastructure is also popular to a lesser extent. Only 22% of firms installed applications directly to bare-metal servers, the report found.

The rewards to a successful hacker make the challenge worth it, said Ashok Banerjee, vice president of engineering for Symantec.

"Cloud services are increasingly multi-tenant so hacking one (instance in a) multi-tenant cloud service hacks-all customers of the multi-tenant service," he said.

Attackers Look for Misconfigurations

As virtualization and cloud use become standard, attackers will continue to target both technologies. Vulnerabilities have already been found in the software that make containers and virtual machines possible, attackers are more likely to exploit vulnerabilities in the applications running in VMs and containers or convince developers to download malicious VM and container images.

The latest attempts to monetize the cloud focuses on using VMs and containers with backdoor code to run coin-mining software, turning a victim's workloads into bots. In May, for example one coin miner was found to have used Docker containers to mine Monero for over a year, making $172,000 at current rates.

With companies deploying applications with multiple components as microservices, they need to secure every component to protect the whole.

Piecing together applications from multiple microservices is easy, but doing it securely is hard, said security consultant Wesley McGrew. At this year's Black Hat Briefings, McGrew described containers and microservice architecture from the view of an attacker. With virtual systems connected through networking protocols and APIs, a containerized application looks like a more concise version of the corporate network, he said.

"Once you (compromise a component), the application looks like a small network," he said. "Attackers can explore using typical tools, intercept and inject—all the things they would do in a large-scale network but, instead, in a microcosm of a network."

Done Right, Containers and VMs are Secure

Virtual machines and containers can add a great deal of security to any application deployed using the infrastructure. The first benefit is the ability of the technologies is isolation, preventing limiting the ability of applications running inside a container or virtual machine to access data in other virtualized instances.

"As a result of that isolation, the containers themselves only get access to required resources and required access that they need," said Banjot Chanana, vice president of product for Docker. "That is a huge boon for any application as soon as you containerize it."

Containers are also immutable objects, which prevents attackers from adding programs or editing the applications and data inside the virtualized instance. Virtual machines save their state between executions, but containers do not.

"You get the benefit of being able to say, I know its state," Chanana said. "If it ever deviates from that known state, you can redeploy it."

Finally, because virtual machines and containers run on top of a host operating system, any application running inside an instance can easily be instrumented. This gives operations teams much more visibility into the execution of the application and a chance to spot anomalies.

However, these security benefits will not help if the containers and applications are not configured correctly.

In a presentation at Container Camp last year, two consultants demonstrated how an attacker might approach a containerized app. Their three-step process: Scan the application's external connections to the internet, install code and elevate privilege, and break out of the container.

Because containerized applications tend to have a more complex architecture, preventing an attack against the whole application means hardening every component, said Symantec's Banerjee.

"Attackers always look for the weakest link in the entire security chain," he said. "Therefore, for cyber-defense, we have to look for an integrated chain, and (realize that) security is only as strong as the weakest link."

Symantec Enterprise Blogs

How Snapper Further Protects Data in Amazon S3 using CWP for Storage

Join our webinar to learn why Snapper chose CWP for Storage to help protect the customer data stored in their Amazon S3 buckets

Register Here

About the Author

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.