Sysdig Threat Report Reveals Victims Lose $53 for every $1 Cryptojackers Gain

The 2022 Sysdig Cloud Native Threat Report breaks down supply chain attacks against containers and how geopolitical conflict is influencing attacker behaviors

SAN FRANCISCO--()--According to a new report from Sysdig, the unified container and cloud security leader, it costs $430,000 in cloud bills for an attacker to generate $8,100 in cryptocurrency revenue. The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. Using worldwide honeynets, the Sysdig Threat Research Team (Sysdig TRT) took an extensive look at TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions on TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDos attacks after the Russian/Ukraine war began.

Blog: Sysdig 2022 Threat Report: Cloud Native Threats are Increasing and Maturing

The rapid shift to containers and cloud has driven an increase in opportunities for attackers to steal data, take advantage of assets, and gain illicit network access. It’s clear that container images have become a real attack vector, rather than a theoretical risk.

Key Findings

  • Supply chain attacks on containers spawn cryptominers. Cryptomining is the most common outcome of cloud- and container-based compromises. Attackers are littering public repositories, like Docker Hub, with dangerous container images that contain cryptominers, backdoors, and many other unwelcome surprises, often disguised as legitimate popular software. Thirty-six percent of malicious Docker Hub images contain cryptominers. Embedded secrets is the second most prevalent, which highlights the persistent challenges of secrets management.
  • Attackers make $1 for every $53 a victim is billed. TeamTNT is a notorious cloud‑targeting threat actor that generates the majority of its criminal profits through cryptojacking. Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than $430,000. The full impact of TeamTNT and similar entities is unknowable, but at $1 of profit for every $53 the victim is billed, the damage to cloud users is extensive.
  • DDoS attacks surge during conflict. The conflict between Russia and Ukraine includes a cyberwarfare component with government‑supported threat actors and civilian hacktivists taking sides. The goals of disrupting IT infrastructure and utilities have led to a four‑fold increase in DDoS attacks between 4Q21 and 1Q22.
  • Cybercriminals take sides, enabled by civilian volunteers. Over 150,000 volunteers have joined anti‑Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.

What people are saying

“Security teams can no longer delude themselves with the idea that ‘containers are too new or too ephemeral for threat actors to bother,’” said Stefano Chierici, Senior Security Researcher at Sysdig and Report Co-Author. “Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.”

“The Ukrainian government globally crowdsourced their cyberwar efforts. This was unprecedented, but it shows that digital transformation has extended well beyond classic IT use cases,” said Michael Clark, Director of Threat Research and Report Co-Author. “Willing and unwilling participants alike contributed their infrastructure to the DDoS disruptions.”

Resources

About Sysdig

Sysdig is driving the standard for cloud and container security. The company pioneered cloud-native runtime threat detection and response by creating Falco and Sysdig Open Source as open source standards and key building blocks of the Sysdig platform. With the platform, teams can find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions, and compliance. From containers and Kubernetes to cloud services, teams get a single view of risk from source to run, with no blind spots, no guesswork, no wasted time. The largest and most innovative companies around the world rely on Sysdig.

Contacts

Amanda McKinney Smith
amanda.smith@Sysdig.com
703-473-4051

Release Summary

Sysdig's 2022 Threat Report breaks down the price of cryptojacking, supply chain attacks in containers, and the influence of geopolitical conflict.

Contacts

Amanda McKinney Smith
amanda.smith@Sysdig.com
703-473-4051