Palo Alto Networks' Unit 42 team found that nearly all third-party container images deployed in public clouds carry known vulnerabilities or insecure configurations, leaving the businesses that run them open to supply chain attacks.
According to the Unit 42 Cloud Threat Report 2H 2021, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities, and 63% of the third-party code templates used to build cloud infrastructure contain insecure configurations.
The researchers warn that advanced persistent threat actors could exploit these weaknesses to take over cloud infrastructure and mount supply chain attacks like those against SolarWinds and Kaseya.
Cloud containers are likely sources of upstream attacks on the supply chain
The team analyzed data from multiple public sources around the world to identify the growing threat of attacks on the software supply chain as most companies embrace digital transformation.
The researchers found that most cloud containers include unvetted third-party code that can introduce vulnerabilities exploitable in a supply chain attack. That third-party code in turn pulls in its own dependencies, into which teams have little security visibility.
Threat actors could use this gap to plant vulnerabilities or malicious code upstream and reach every downstream consumer through the supply chain.
“Teams continue to neglect DevOps security, in part because of neglecting supply chain threats. Cloud native applications have a long chain of dependencies, and those dependencies have their own dependencies,” they said.
The researchers recommend that DevOps and security teams maintain visibility into the software bill of materials (SBOM) of the containers in every cloud workload, so that they can assess the risk at each link of the dependency chain and act on it.
Organizations with sophisticated cloud security are not spared
Unfortunately, these threats affect not only new cloud users but also organizations with a mature cloud security posture.
Unit 42 researchers ran a red team exercise against a large SaaS customer and found several weaknesses that exposed it to potential supply chain attacks. The researchers played a malicious actor with only limited access and attempted to reach the company's continuous integration (CI) environment.
Surprisingly, they were able to clone every GitLab repository and, from those, identify 80,000 cloud resources across 154 unique CI repositories. They also found 26 hard-coded IAM key pairs, including five session tokens and access keys. Session tokens expire within hours, but long-lived access keys give an attacker a durable foothold in the CI environment, which is exactly what a supply chain attack needs.
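The finding above turns on one distinction: a temporary STS credential (access key ID prefix ASIA) dies within hours, while a long-lived IAM user key (prefix AKIA) is valid until someone rotates it. The following scanner, added here as an illustration and not code from Unit 42 or the report, walks an in-memory copy of a cloned repository and classifies what it finds by that prefix. The repository contents are constructed for the example; the AKIA key and its secret are AWS's published documentation placeholders, and the ASIA key, secret and session token are made-up strings of the right shape.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample repository (path -> file text). None of these are live credentials.
SAMPLE_REPO = {
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script:\n"
        "    - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "    - export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "    - terraform apply -auto-approve\n"
    ),
    "scripts/debug.sh": (
        "# pasted from `aws sts get-session-token` while debugging\n"
        "export AWS_ACCESS_KEY_ID=ASIAQWERTYUIOPASDFGH\n"
        "export AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN\n"
        "export AWS_SESSION_TOKEN=FwoGZXIvYXdzEXAMPLEsessionTOKENexample0123456789\n"
    ),
    "README.md": "Assume the CI role via OIDC; never commit keys.\n",
}

# An AWS access key ID is 20 characters: a 4-letter prefix plus 16 base-32 characters.
# AKIA marks a long-lived IAM user key; ASIA marks a temporary credential issued by STS.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# The secret is 40 characters of base64-like text; the session token is a longer blob.
SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")
SESSION_TOKEN = re.compile(r"(?i)aws_session_token\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{20,})")


@dataclass
class Finding:
    path: str
    line: int
    kind: str      # long_lived_key_id | temporary_key_id | secret_key | session_token
    severity: str  # AKIA keys never expire on their own, so they rank highest
    value: str


def classify_key_id(key_id: str) -> tuple[str, str]:
    """Map an access key ID to (kind, severity) based on its prefix."""
    if key_id.startswith("AKIA"):
        return "long_lived_key_id", "critical"
    return "temporary_key_id", "high"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and report every credential-shaped match."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            kind, sev = classify_key_id(m.group(1))
            findings.append(Finding(path, lineno, kind, sev, m.group(1)))
        for m in SECRET_KEY.finditer(line):
            findings.append(Finding(path, lineno, "secret_key", "critical", m.group(1)))
        for m in SESSION_TOKEN.finditer(line):
            findings.append(Finding(path, lineno, "session_token", "high", m.group(1)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every file of an in-memory repository, in a stable path order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind so a report can separate durable keys from short-lived ones."""
    counts = {"long_lived_key_id": 0, "temporary_key_id": 0, "secret_key": 0, "session_token": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in found:
        # Print only a prefix of each value so the report itself does not leak the secret.
        print(f"{f.severity:8} {f.path}:{f.line} {f.kind} {f.value[:8]}...")
    print(summarize(found))
```

Run against a real checkout, the same logic would read files from disk instead of the dictionary; the point of the classification is triage order: an AKIA hit is a revoke-now event, an ASIA hit still proves that live credentials are being pasted into the repository and that the habit needs fixing.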
Common security problems in IaC
The team also analyzed 4,055 Terraform templates and 38,480 Terraform files with Bridgecrew's open-source scanner Checkov. They found that 63% of the Terraform templates contain one or more insecure configurations, and 49% contain at least one critical- or high-severity misconfiguration. The misconfigurations affected at least 2,500 modules and spanned identity and access management, encryption, networking, logging, and backup and recovery.
Unit 42 researchers also analyzed 3,155 Helm charts and 8,805 YAML files. They found that 99.95% of the Helm charts contain one or more insecure configurations, and 6% contain at least one critical- or high-severity misconfiguration.
The researchers further analyzed 1,544 container images referenced by those Kubernetes Helm charts. The images were hosted in public registries such as Docker Hub, Google Container Registry (GCR), and Quay. They found that 96% of the containers and 91% of the container images contained at least one critical- or high-severity vulnerability. The researchers concluded that such vulnerabilities persist whenever a chart maintainer does not update the chart or an image maintainer does not update the image, so every consumer of the chart inherits the stale, vulnerable image.
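The two findings above (insecure chart configuration, and charts that keep pulling outdated images) are what a Checkov-style policy scan catches at the rendered-manifest level. The checker below is an added example, not Checkov's code or the report's, and its check IDs (CTR_PRIVILEGED, IMG_MUTABLE_TAG and so on) are names made up for this illustration, not Checkov's IDs. It takes rendered manifests as Python dicts, which is what `helm template` output looks like once parsed, so it needs no YAML library; the two manifests are constructed, with a weak chart beside its hardened form. Beyond the securityContext checks, it classifies how each image is referenced, because an image pinned by digest cannot silently drift while a `:latest` tag or missing tag can.

```python
from __future__ import annotations

# Constructed rendered manifests (what `helm template` would emit, already parsed).
# Names and images are made up for the example.
WEAK = {
    "kind": "Deployment",
    "metadata": {"name": "web-weak"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "docker.io/example/web:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

HARDENED = {
    "kind": "Deployment",
    "metadata": {"name": "web-hardened"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "web",
            "image": "docker.io/example/web@sha256:" + "a" * 64,  # digest-pinned
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}


def pod_spec(manifest: dict) -> dict | None:
    """Return the pod spec for a Pod or for a templated workload (Deployment, Job...), else None."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec")


def image_pin_status(image: str) -> str:
    """'digest' if pinned by content hash, 'tag' for a fixed tag, 'mutable' for no tag or :latest."""
    if "@sha256:" in image:
        return "digest"
    name = image.rsplit("/", 1)[-1]  # drop the registry part, which may itself contain ':port'
    if ":" not in name or name.endswith(":latest"):
        return "mutable"
    return "tag"


def check_manifest(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (resource, check_id, severity) for every policy the manifest violates."""
    findings: list[tuple[str, str, str]] = []
    spec = pod_spec(manifest)
    res = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    if spec is None:
        return findings  # not a workload (ConfigMap, Service, ...)
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append((res, f"POD_{key.upper()}", "high"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        cname = f"{res}:{c.get('name')}"
        if sc.get("privileged"):
            findings.append((cname, "CTR_PRIVILEGED", "critical"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((cname, "CTR_ALLOW_PRIV_ESC", "high"))
        if sc.get("runAsNonRoot") is not True:
            findings.append((cname, "CTR_MAY_RUN_AS_ROOT", "high"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((cname, "CTR_WRITABLE_ROOTFS", "medium"))
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append((cname, "CTR_CAPS_NOT_DROPPED", "medium"))
        pin = image_pin_status(c.get("image", ""))
        if pin == "mutable":
            findings.append((cname, "IMG_MUTABLE_TAG", "high"))
        elif pin == "tag":
            findings.append((cname, "IMG_NOT_DIGEST_PINNED", "low"))
    return findings


def worst_severity(findings: list[tuple[str, str, str]]) -> str | None:
    """Highest severity present, or None when the manifest is clean."""
    order = ["low", "medium", "high", "critical"]
    return max((f[2] for f in findings), key=order.index, default=None)


if __name__ == "__main__":
    for m in (WEAK, HARDENED):
        hits = check_manifest(m)
        print(m["metadata"]["name"], worst_severity(hits), hits)
```

Note the deliberate asymmetry in the checks: an unset `allowPrivilegeEscalation` or `runAsNonRoot` counts as a failure, because the Kubernetes defaults for those fields are the permissive ones, so a chart that says nothing ships the weak setting. Digest pinning is what closes the gap the researchers describe: the chart maintainer must then change the chart to pick up a new image, which makes the update visible and reviewable instead of silent.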
“With business pressures on development teams, it is impractical to assume that IaC auditing and vulnerability management can make you completely secure,” said Saumitra Das, CTO and co-founder of Blue Hexagon. “Organizations are unable to enforce IaC enterprise-wide, and even known CVEs can take weeks and months to patch only on external workloads.
“Even simpler fixes such as misconfigurations take days and weeks to fix themselves after detection. This report is in line with what we’re seeing with companies trying to stay safe in the cloud. The key is not to put all your eggs in the shift-left basket, but to conduct continuous threat detection and response across the entire lifecycle in the cloud,” he concluded.