According to a new report from Sysdig, the unified container and cloud security leader, it costs $430,000 in cloud bills for an attacker to generate $8,100 in cryptocurrency revenue. The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. Using worldwide honeynets, the Sysdig Threat Research Team (Sysdig TRT) took an extensive look at TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions on TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDos attacks after the Russian/Ukraine war began.
The rapid shift to containers and cloud has driven an increase in opportunities for attackers to steal data, take advantage of assets, and gain illicit network access. It’s clear that container images have become a real attack vector, rather than a theoretical risk.
More from Cryptocurrency
- How Can Blockchain Revolutionise Commodity Trading for UK Startups?
- Research Shows Young People Are Investing In Bitcoin Over Gold
- Types of Digital Wallets Explained
- Vitalik Is Taking A Calculated Risk With Ethereum’s RISC-V Proposal
- How Do Crypto Regulations Work in The UK, EU and USA?
- How Step Dubai and Token2049 Are Transforming the Blockchain Event Market
- Ethereum APIs and Web3 Dapps
- Donald Trump Signs First-Ever Crypto Bill Into US Law
Key Findings
- Supply chain attacks on containers spawn cryptominers. Cryptomining is the most common outcome of cloud- and container-based compromises. Attackers are littering public repositories, like Docker Hub, with dangerous container images that contain cryptominers, backdoors, and many other unwelcome surprises, often disguised as legitimate popular software. 36% of malicious Docker Hub images contain cryptominers. Embedded secrets are the second most prevalent, which highlights the persistent challenges of secrets management.
- Attackers make $1 for every $53 a victim is billed. TeamTNT is a notorious cloud‑targeting threat actor that generates the majority of its criminal profits through cryptojacking. Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than $430,000. The full impact of TeamTNT and similar entities is unknowable, but at $1 of profit for every $53 the victim is billed, the damage to cloud users is extensive.
- DDoS attacks surge during conflict. The conflict between Russia and Ukraine includes a cyberwarfare component with government‑supported threat actors and civilian hacktivists taking sides. The goals of disrupting IT infrastructure and utilities have led to a four‑fold increase in DDoS attacks between 4Q21 and 1Q22.
- Cybercriminals take sides, enabled by civilian volunteers. Over 150,000 volunteers have joined anti‑Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.
What people are saying
“Security teams can no longer delude themselves with the idea that ‘containers are too new or too ephemeral for threat actors to bother,’ said Stefano Chierici, Senior Security Researcher at Sysdig and Report Co-Author. “Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.”
“The Ukrainian government globally crowdsourced their cyberwar efforts. This was unprecedented, but it shows that digital transformation has extended well beyond classic IT use cases,” said Michael Clark, Director of Threat Research and Report Co-Author. “Willing and unwilling participants alike contributed their infrastructure to the DDoS disruptions.”
Resources
- Blog: Sysdig 2022 Threat Report: cloud-native threats are increasing and maturing
- Download the report: 2022 Sysdig Cloud-Native Threat Report