Cloud-Native Applications at Risk From Zero Touch Attacks

Twistlock set up a honeypot with vulnerable applications to see what would happen and was quickly attacked by automated botnets looking to exploit unpatched vulnerabilities.

Twistlock Cloud Native security report

Organizations of all sizes are increasingly choosing to deploy and consume cloud-native applications, though not all deployments are secure. Container security firm Twistlock released a study on Sept. 13, reporting that 60 percent of cloud-native applications have not been patched to the latest version.

The 15-page Cloud Native Security report, titled Watching the Honeypots, benefits from two different approaches to identifying risks. Twistlock scanned publicly accessible servers on the internet and also hosted its own honeypot to see what would happen.

"Mostly these were standard images from common registries like Docker Hub," Ariel Zelivansky, a security researcher at Twistlock, told eWEEK. "In some cases, we wanted to test specific, atypical configurations, but even then the apps were common off-the-shelf apps in common use across many organizations."

Twistlock has a vested interest in cloud-native security, seeing as the company's technology is all about providing security to container and cloud-native environments. Twistlock released its first container security platform in November 2015, providing runtime security for container application deployments, and has steadily updated its platform in the years since. In a video interview with eWEEK in July, Twistlock CTO John Morello said the attacks seen against containers in general are largely the same as those seen against virtual machines and physical servers.

Among the high-level findings on the scanning side of the report is that 80 percent of the MySQL database instances that Twistlock scanned on the public internet were out of date, being one or more versions behind the most recently released version. Aside from MySQL, other deployed applications that Twistlock found not running the most recent versions include ElasticSearch, Redis, CouchDB and Tomcat.

While it is often considered to be a best practice to run the most updated version of an application, in some cases, security patches are backported to older versions of software. Twistlock reported that across the cloud-native applications it scanned, 25 percent were deployed and running with a vulnerability that has a known exploit.

Automated 'Zero Touch' Attacks

Twistlock deployed a honeypot—a purposely deployed vulnerable server to attract hackers—to better understand the state of cloud-native security, according to Zelivansky. Twistlock's honeypot did in fact attract hackers, with 90 percent of the attacks being automatically executed. The company refers to the automated attacks as being "zero touch" as they don't involve much, if any, human interaction.

"By attacks, we are referring specifically to an exploitation or breach attempt, such as brute-forcing the login, trying commands that might work with bad settings or otherwise running real exploits known or not," he said.

A brute force attack is one in which an attacker repeatedly tries different usernames and passwords in an attempt to gain access. Zelivansky added that Twistlock also looked at parameters such as timing between commands and requests, typos, user-agents and other components to determine whether an attack was manual or automated.
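As an added illustration (not Twistlock's code) of the kind of heuristic that separates scripted sessions from hands-on ones by request timing, user-agent and typos, the following Python classifier runs over constructed honeypot request records; the record layout, the thresholds and the known-path list are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample sessions: (seconds since first request, user-agent, request line).
SESSIONS = {
    "bot": [
        (0.00, "python-requests/2.18", "GET /_cat/indices HTTP/1.1"),
        (0.21, "python-requests/2.18", "POST /_search?pretty HTTP/1.1"),
        (0.42, "python-requests/2.18", "PUT /_ingest/pipeline/x HTTP/1.1"),
        (0.63, "python-requests/2.18", "POST /_search?pretty HTTP/1.1"),
    ],
    "human": [
        (0.0, "curl/7.58.0", "GET /_cat/indcies HTTP/1.1"),   # typo, corrected 4.7 s later
        (4.7, "curl/7.58.0", "GET /_cat/indices HTTP/1.1"),
        (19.3, "Mozilla/5.0 (X11; Linux x86_64)", "GET /_cluster/health HTTP/1.1"),
        (41.0, "Mozilla/5.0 (X11; Linux x86_64)", "GET /_cat/nodes HTTP/1.1"),
    ],
}

# Assumed reference list of valid endpoints on the honeypot (hypothetical).
KNOWN_PATHS = {"/_cat/indices", "/_search", "/_cluster/health", "/_cat/nodes"}
# User-agent substrings typical of HTTP libraries rather than browsers or shells.
SCRIPT_UA_MARKERS = ("python-requests", "go-http-client", "java/", "libwww-perl")

def is_typo(path):
    """True when a path is not known but differs from a known one in at most 2 characters."""
    if path in KNOWN_PATHS:
        return False
    return any(len(p) == len(path) and sum(a != b for a, b in zip(p, path)) <= 2
               for p in KNOWN_PATHS)

def session_features(events):
    """Timing regularity, user-agent class and typo presence for one session."""
    times = [t for t, _, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    paths = [line.split()[1].split("?")[0] for _, _, line in events]
    avg = mean(gaps)
    return {
        "mean_gap": avg,
        "gap_cv": (pstdev(gaps) / avg) if avg > 0 else 0.0,   # coefficient of variation
        "script_ua": any(m in ua.lower() for _, ua, _ in events for m in SCRIPT_UA_MARKERS),
        "typo": any(is_typo(p) for p in paths),
    }

def classify(events):
    """Return 'automated', 'manual' or 'unknown' (fewer than two requests)."""
    if len(events) < 2:
        return "unknown"
    f = session_features(events)
    score = int(f["mean_gap"] < 1.0)   # sub-second cadence
    score += int(f["gap_cv"] < 0.3)    # machine-regular spacing between requests
    score += int(f["script_ua"])       # HTTP-library user-agent
    score -= int(f["typo"])            # humans mistype paths; scripts do not
    return "automated" if score >= 2 else "manual"
```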

"We encountered different attacks with different levels of sophistication, from trying to use default passwords to sending packed and obfuscated commands that exploit a known vulnerability," he said.

One of the surprising things that happened to the Twistlock honeypot, according to Zelivansky, was the discovery of a large-scale automated attack coming from China. The Chinese operation targeted multiple applications, including Twistlock's MySQL and Elasticsearch honeypots. 

"They tried exploiting different CVEs with the same malware binaries as a payload, with binaries both for Linux and Windows that were unrecognized in Virustotal at the time we caught them," he said. "We started investigating and found tens of compromised HFS servers hosting their malware binaries."

Best Practices

There are multiple things that organizations can and should do to improve the security of cloud-native application deployments.

"From a security perspective, patching and sealing all known security issues is clearly the first concern," Zelivansky said.

He noted, however, that even if scanning tools show that a deployment is up to date, there are still countless unpublished zero-day vulnerabilities that attackers can use against an organization.

"Having some security monitoring tool to detect attacks as they happen can save you a headache. Of course, something that can effectively prevent such attacks is even better," he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.