Palo Alto Networks’ Unit 42 team discovered that almost all third-party cloud containers deployed on public clouds have vulnerabilities and misconfigurations that expose organizations to supply chain attacks.
According to the Unit 42 Cloud Threat Report, 2H 2021, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities, and 63% of the third-party code templates used to build cloud infrastructure contained insecure configurations.
The researchers noted that advanced persistent threat actors could exploit these security flaws to take over cloud infrastructure and execute supply chain attacks like SolarWinds and Kaseya.
Cloud containers are likely sources of upstream supply chain attacks
The team analyzed data from several public sources worldwide to identify the growing threat of software supply chain attacks as most organizations embrace digital transformation.
The researchers found that most cloud containers have unvetted third-party code that could introduce supply chain attack vulnerabilities. Additionally, the third-party code has dependencies whose security visibility was limited.
According to the researchers, threat actors could exploit this loophole to introduce vulnerabilities for executing supply chain attacks.
“Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud-native applications have a long chain of dependencies, and those dependencies have dependencies of their own,” they said.
The researchers posited that DevOps and security teams should gain visibility into the software bill of materials in cloud containers in all cloud workloads to evaluate the underlying security threats at each stage of the software dependency chain and create mitigations.
Organizations with mature cloud security not spared
Sadly, these security threats not only affected new cloud adoptees but also organizations with a mature cloud security posture.
Unit 42 researchers conducted a Red Team exercise on a large SaaS customer and discovered several flaws that exposed the client to potential supply chain attacks. The researchers mimicked a malicious actor with limited access privileges and attempted to access an organization’s Continuous Integration (CI) environments.
Surprisingly, they succeeded in downloading every GitLab repository and identifying 80,000 cloud resources across 154 unique CI repositories. They also found 26 hardcoded IAM key pairs, including five session tokens and access keys. While session tokens expire within a few hours, access keys could allow APTs to compromise CI environments during supply chain attacks.
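As an added illustration (not from the report or from Unit 42's tooling), the following small scanner flags the kind of hardcoded AWS credentials described above and separates long-lived IAM access keys (prefix AKIA) from temporary STS credentials (prefix ASIA), which is what decides how urgent rotation is. The sample repository files and key values are constructed (AWS documentation placeholders, not real credentials), and the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: files as they might sit in a CI repository. The key
# values are AWS documentation placeholders, not live credentials.
SAMPLE_FILES = {
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/pipeline.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: ASIAIOSFODNN7EXAMPLE\n"
        "  AWS_SECRET_ACCESS_KEY: abcd1234abcd1234abcd1234abcd1234abcd1234\n"
        "  AWS_SESSION_TOKEN: FwoGZXIvYXdzEBYaDEXAMPLETOKEN\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your CI secret store, never in the repo.\n",
}

# Access key IDs are 20 characters: a 4-letter prefix plus 16 alphanumerics.
# AKIA = long-lived IAM user key; ASIA = temporary STS credential that expires.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters; only flag them when the line names one,
# to keep false positives from arbitrary base64 blobs low.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?access[_-]?key\W{0,3}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "long-lived-key", "temporary-key" or "secret-key"
    evidence: str  # masked so the report itself never re-leaks the value

def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            kind = "long-lived-key" if m.group(1) == "AKIA" else "temporary-key"
            findings.append(Finding(path, no, kind, mask(m.group(0))))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append(Finding(path, no, "secret-key", mask(m.group(1))))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

Long-lived keys found this way should be revoked and replaced by short-lived CI credentials, and the masked evidence is all the ticket needs.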
Widespread security issues in IaC
Similarly, the team analyzed 4,055 Terraform templates and 38,480 Terraform files using Bridgecrew’s Checkov. They discovered that 63% of the Terraform templates contain one or more insecure configurations, while 49% had at least one critical or highly insecure configuration. The misconfigurations affected at least 2,500 modules in several areas, such as identity and access management, encryption, networking, logging, and backup and recovery.
Unit 42 researchers also analyzed 3,155 Helm charts and 8,805 YAML files. They found that 99.95% of the Helm charts contain one or more insecure configurations, while 6% contain at least one critical or highly insecure configuration.
The researchers also analyzed 1,544 cloud containers used in Kubernetes Helm charts. These cloud containers were hosted in public registries such as Docker Hub, Google Container Registry (GCR), and Quay. They discovered that 96% of the cloud containers and 91% of the container images contained at least one critical or high vulnerability. The researchers concluded that the vulnerabilities could be introduced if the Helm chart maintainer fails to update the charts or if the image maintainer fails to update the images.
“Given business pressure on developer teams, it is impractical to assume you can harden yourself to be fully secure via IaC checking and vulnerability management,” said Saumitra Das, CTO and Cofounder at Blue Hexagon. “Organizations are unable to enforce IaC companywide, and even known CVEs can take weeks and months to patch just on external-facing workloads.
“Even simpler fixes like misconfigurations take days and weeks to fix even after detection. This report is in line with what we see at organizations trying to be secure in the cloud. The key is not to put all your eggs in the shift-left basket but perform continuous lifecycle threat detection and response in the cloud,” he concluded.