How Container Vulnerabilities Can Put Software Supply Chain at Risk

Containers have changed how cloud-native apps are built and deployed. They have made it a lot easier and faster to test apps and apply updates and patches to them compared to traditional virtual machines (VM). With the growing adoption of the cloud, the use of containers has also increased, making them a hot target for cyberattackers. 

Recent reports indicate, attacks against container infrastructure have been rising and getting more sophisticated by the day. For instance, a June reportOpens a new window by Aqua Security found that botnets attack 50% of new misconfigured Docker APIs within 56 minutes of being set up. Also, daily attacks grew 26% on average between the first half and second half of 2020. It implies that if a container is set up today, it has to be secured from the start. Delaying it even for a day can be too late. 

“Use of containerized applications is growing. Containers by themselves are no more vulnerable than any other method for deploying an application. And, when containers and the infrastructure running them are configured correctly, containers can provide more security, ” said Kirsten Newcomer, Director, Cloud and DevSecOps Strategy at Red Hat.

Attackers are constantly looking for new techniques to exploit containers. They usually look for a vulnerability that would give them initial access to the container environment and then try to take over the host environment, steal credentials and insert backdoors. 

Though cryptomining is still one of the key motives for targeting containers, threat actors are now going after software supply chains. 

How Can Container Vulnerability Risk the Supply Chain 

In the digital world, a minor attack is often a precursor to a larger attack. Attack on a container can open the doors for attackers to a much wider software supply chain network. As more organizations embrace cloud-native infrastructure, including containers and serverless computing, to build their applications, the opportunity for attackers is also widening. Not to forget that digital adoption is by and large collaborative and driven by an ecosystem where many components are sourced from other companies. An attack on any component is going to send ripples down the entire supply chain network. 

During their research, Aqua Security identified several large attack campaigns targeting supply chains, the auto-build process of code repositories, registries, and CI (continuous integration) service providers.

Om Moolchandani, CTO, CISO and Co-founder at Accurics, a cloud cyber resilience company, warns, “an attack could contaminate an open source software supply chain component used by the majority of businesses across the globe that have embraced digital or cloud (technologies), such as a Linux container image. A successful attack like this would mean all the technology providers using that component to provide organizations with the solutions they need to run their businesses could then be compromised.” 

Learn more: What Is DevOps? Definition, Goals, Methodology, and Best Practices

Moolchandani believes the industry will soon be witnessing a wave of new ransomware attacks leveraging the supply chain through containers and cloud-native infrastructure. “Imagine an attack vector where the attacker injects malicious code into the container image located in a container trusted registry. In this scenario, a container can directly waterhole into a cloud native cluster and provide an adversary the capability to take over the victim’s entire container cluster, just like how the SolarWinds supply chain attack took over a non-cloud native infrastructure,” he added. 

Iain Smart, Containerization & Orchestration Practice Lead at NCC Group, a security consultancy, also feels that a compromised container can risk a software supply chain. 

“If external dependencies are not manually validated and the source of these dependencies are compromised, a pipeline may ingest these components and provide an attacker with access to a build environment. With sufficient access, an attacker may then be able to modify the build process,” points out Smart. 

According to Red Hat, containers can be exploited to target the supply chain in four ways:

Compromised image registry – An attacker who has compromised your container image registry can add an insecure image in the registry that can compromise the supply chain when the user pulls that image.

Compromised private registry in the cloud – When using a private registry offering from a cloud service provider such as Amazon Elastic Container Registry (ECR) or Azure Container Registry (ACR), the user needs the cloud credentials for registry authentication. If the cluster environment is compromised, an intruder may hack into the registry and have full access to its images.

Compromised cloud credentials – When containerized workloads are deployed in the cloud, compromised cloud credentials can lead to a host of security threats to the supply chain.

Compromised mutating webhook – If an attacker gets privileged credentials to Kubernetes, the backbone of container orchestration, they can set a mutating webhook to modify application deployment configurations. This could allow them to alter an images registry and compromise the supply chain of the image or components the application depends on.

Learn more: Why Managed Kubernetes as a Service Should Be a Part of Your DevOps Strategy 

What Makes Containers Vulnerable?

Containers, in general, enhance transparency. However, managing them can still be tricky, given their multi-layered deployments. For instance, the use of orchestration tools such as Docker Swarm or Kubernetes to manage connections between different containers can impact visibility. 

Smart points out, container-based environments, mainly where orchestration technologies like Kubernetes are used, come with additional operational complexity alongside their benefits.

“Containers and cloud-native infrastructure are notoriously difficult to secure with traditional tools, and building and managing these systems can require considerable effort and expertise. That’s even more apparent when these systems evolve over their lifecycle through development, pre-production and production. Building systems is even more complicated—teams struggle to package and share the components within these systems. Over time, container configurations can get very unwieldy,” explains Moolchandani.

The complexity also increases the risk of misconfigurations. According to Palo Alto NetworksOpens a new window , some prominent misconfiguration practices that can open organizations to new attacks are still very common. In 2019, Docker Hub lost keys and tokens for around 190,000 accounts. The attacker had reportedly exploited weak security configurations of key and token storage. In September 2020, a massive attack against GitHub, Docker Hub, Travis CI, and Circle CI was also reported by Aqua Security. 

Container platforms with little customization and poor security configuration can also expose API endpoints and make them publicly identifiable on Shodan search with simple keyword searches such as “kubernetes,” “docker,” or even “k8s”. 

“The “contained” nature of containers helps to prevent an attacker from laterally moving throughout your infrastructure and targeting other applications. (However) many attacks seen in the wild are simply attributable to the misconfigurations that come with lack of mature security procedures or the learning curve on how to secure containerized infrastructure itself,” said Newcomer.

To make matters worse, attackers are using advanced obfuscation techniques such as executing malware straight from memory, packing binaries and using rootkits. Security experts unanimously agree that practitioners need to be constantly aware of any misconfigurations which can open up containers and Kubernetes clusters to cyberattacks.  

How To Secure Containers?

Securing containers is a continuous process. It requires regular scanning of vulnerabilities, audit of privileged access and proper training of teams, so they know what components to use and what security practices to follow. 

“Container security should be established as a continuous process and implemented into the software delivery lifecycle from its very beginning, on an architectural level. Every link of the chain must be secured – from the host running the container platform, to the platform itself, and the applications inside,” said Pavel Kuznetsov, Deputy Managing Director, Cybersecurity Technologies, at Positive Technologies, a security consultancy firm. 

Learn more: Supply Chain Evolution: From Containerization to Computerization

According to Red Hat, to protect containers, organizations should: 

• Automate infrastructure configuration and application pipelines with security gates that make it easier to find security issues early in the life cycle and update container images to address problems found in production.
• Start with minimal base images and remove unnecessary components.
• Test early and often using IDE plugins and CI solutions.

• Minimize capabilities granted to containerized applications.
• Ensure that the host OS is appropriately configured to prevent or mitigate container escapes, for example, by ensuring that SELinux is on in enforcing mode. 
• Ensure that actions in the pipeline are logged and audited. 
• Tightly manage and audit privileged access to your application platform.
• Minimize known insecure configurations, such as mounting the container runtime socket with admission controllers.
• Create standard hardened images that meet organizational policies for common applications and components configurations like NGINX and Redis. 

Conclusion

Since most cloud-native apps are built using containers, they have become a tempting target for attackers. Security experts warn that container attacks are likely to increase further as attackers begin to grasp the long-term benefits of exploiting them. Securing the containers can go a long way in ensuring the supply chain’s resilience and preventing many large-scale attacks. 

Do you think securing containers will help mitigate many cyberattacks in future? Comment below or let us know on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!