Security Research, October 27, 2021

The Great Escape: A Blast Radius Analysis of Container Attacks

By Assaf Morag

In 2021, container attacks have been on the rise. We observed numerous attacks that were designed to escape container environments to the underlying host, increasing the impact of the attack. To understand how much damage can be caused when an attacker manages to escape a container, we conducted an analysis of real-world container attacks to determine their blast radius.

We identified 105 hosts in the wild that had run malicious container images and analyzed the blast radius of the attacks, that is, the total potential impact an attacker could have after escaping to the host. Our analysis showed that 36% of the victim hosts had multiple severe vulnerabilities or misconfigurations that could lead to severe damage, and 70% of the hosts exposed at least a mild potential for credential theft and lateral movement.

Resources Vulnerable After Container Escape

  • Remote services: Threat actors look for SSH private keys on the host, which give them access to sensitive services and let them move laterally to additional hosts.
  • Cloud metadata: Attacks query the cloud metadata service from the host, which can yield keys or secrets for accessing other accounts or environments.
  • HTTP services: Unencrypted HTTP services expose credentials or other sensitive information to an attacker with host access, who can capture the traffic in cleartext.
  • Databases: Database services are susceptible to direct attacks, and some are installed by default without credentials, leaving them open to anyone who can reach the host.
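The four resource classes above are what an attacker enumerates first after landing on the host, and they are also what a defender should measure to estimate a host's blast radius. The following is an added example, not code from the original post or from the research it summarizes: a small offline audit that models each class as a check over a constructed host snapshot (an `ss -ltn` listing, SSH private keys with their file modes, whether the cloud metadata service requires a session token, and which database listeners enforce authentication). The port-to-service map, the severity assignments and the sample snapshot are assumptions made for illustration; on a real host the snapshot fields would be filled from `ss -ltnp`, the filesystem and a metadata-service probe.

```python
"""Offline blast-radius audit for a host after a suspected container escape.

Added example; not the original post's code. Port map, severities and the
sample snapshot below are assumptions chosen to illustrate the four resource
classes the post lists (SSH keys, cloud metadata, plaintext HTTP, databases).
"""
import re
from dataclasses import dataclass, field

# Assumed mapping of well-known ports to the services named in the post's case study.
DB_PORTS = {3306: "mysql", 6379: "redis", 2181: "zookeeper"}
HTTP_PORTS = {80, 8080, 8000}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Matches a LISTEN row of `ss -ltn`: State Recv-Q Send-Q Local:Port ...
SS_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?=\s|$)")


@dataclass
class Finding:
    severity: str   # "severe" or "mild", mirroring the post's two buckets
    category: str   # "remote services", "cloud metadata", "http" or "database"
    detail: str


@dataclass
class HostSnapshot:
    ss_output: str                 # captured `ss -ltn` output
    private_keys: dict             # path -> file mode of each SSH private key found on disk
    imds_token_required: bool      # True when the metadata service only answers token-bearing requests
    db_auth: dict = field(default_factory=dict)  # port -> True if that database enforces authentication


def listening_sockets(ss_output):
    """Return [(addr, port)] for every LISTEN row in `ss -ltn` style output."""
    socks = []
    for line in ss_output.splitlines():
        m = SS_LISTEN.match(line.strip())
        if m:
            socks.append((m.group(1), int(m.group(2))))
    return socks


def audit(snap):
    """Run the four checks and return the resulting findings."""
    findings = []
    # 1. Remote services: a root-level escape can read any key; a key that is also
    #    group/world-readable is stealable even by an unprivileged escape.
    for path, mode in snap.private_keys.items():
        sev = "severe" if mode & 0o077 else "mild"
        findings.append(Finding(sev, "remote services", f"SSH private key {path} mode {mode:04o}"))
    # 2. Cloud metadata: from the host network namespace the metadata endpoint is one
    #    HTTP GET away unless token-based access is enforced.
    if not snap.imds_token_required:
        findings.append(Finding("severe", "cloud metadata", "metadata service reachable without session token"))
    for addr, port in listening_sockets(snap.ss_output):
        exposed = addr not in LOOPBACK
        # 3. HTTP services: plaintext listeners hand their credentials to a host-level sniffer.
        if port in HTTP_PORTS:
            findings.append(Finding("mild", "http", f"plaintext HTTP on {addr}:{port}"))
        # 4. Databases: unauthenticated listeners; worse when bound beyond loopback.
        if port in DB_PORTS and not snap.db_auth.get(port, False):
            sev = "severe" if exposed else "mild"
            findings.append(Finding(sev, "database", f"{DB_PORTS[port]} on {addr}:{port} without authentication"))
    return findings


def blast_radius(findings):
    """Collapse findings into the post's buckets: 'severe', 'mild' or 'clean'."""
    sevs = {f.severity for f in findings}
    return "severe" if "severe" in sevs else ("mild" if "mild" in sevs else "clean")


# Constructed sample snapshot (not real data): one host that resembles the case study.
SAMPLE = HostSnapshot(
    ss_output="""State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      70     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      50     [::]:2181           [::]:*
""",
    private_keys={"/root/.ssh/id_ed25519": 0o600, "/home/deploy/.ssh/id_rsa": 0o644},
    imds_token_required=False,
    db_auth={3306: True},
)

if __name__ == "__main__":
    results = audit(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print("blast radius:", blast_radius(results))
```

On the sample host the MySQL listener is skipped because it is loopback-bound and authenticated, while the world-readable deploy key, the token-less metadata service, and the Redis and ZooKeeper listeners bound to all interfaces each produce a severe finding; the root key and the plaintext web server count as mild.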

Case Study: Blast Radius Example

In a case study of one victim host, we discovered multiple exploitable resources: websites served over plain HTTP with no protection, MySQL and Redis installations, and an Apache ZooKeeper instance with critical vulnerabilities running in a cluster of over 200 nodes that held critical data.

Several weeks later, we analyzed these 105 victim hosts again: 50% had corrected all of their vulnerabilities and misconfigurations, 12% had fixed some but not all of the issues, and 25% had changed nothing. This suggests that most teams do eventually detect and remediate such issues, but a sizeable share either detect them late or leave them unfixed for weeks after the compromise.