According to a new report from Sysdig, the unified container and cloud security firm, it costs US$430,000 in cloud bills for an attacker to generate US$8,100 in cryptocurrency revenue. 

The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. 

The Sysdig Threat Research Team (Sysdig TRT) extensively looked at TeamTNT and geopolitical activities over the past nine months using worldwide honeynets. 

Sysdig could conclude TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDoS attacks after the Russian/Ukraine war began.

The rapid shift to containers and the cloud has increased opportunities for attackers to steal data, take advantage of assets, and gain illicit network access. As a result, container images have become a real attack vector rather than a theoretical risk.

The report's key findings include supply chain attacks on containers spawn cryptominers.

Cryptomining is the most common outcome of cloud- and container-based compromises. Attackers are littering public repositories, like Docker Hub, with dangerous container images that contain cryptominers, backdoors, and many other unwelcome surprises, often disguised as legitimate popular software. 

Thirty-six percent of malicious Docker Hub images contain cryptominers. 

Embedded secrets are the second most prevalent, highlighting the persistent challenges of secret management.

In addition, the report says, attackers make US$1 for every US$53 a victim is billed. 

TeamTNT is a notorious cloud-targeting threat actor that generates most of its criminal profits through cryptojacking. 

Sysdig TRT attributed more than US$8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than US$430,000. 

The full impact of TeamTNT and similar entities is unknowable, but at US$1 of profit for every US$53 the victim is billed, the damage to cloud users is extensive.

The report also notes DDoS attacks surge during conflicts. 

The goals of disrupting IT infrastructure and utilities have led to a four-fold increase in DDoS attacks between 4Q21 and 1Q22.

The conflict between Russia and Ukraine includes a cyberwarfare component with government-supported threat actors and civilian hacktivists taking sides. 

Over 150,000 volunteers have joined anti-Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.

“Security teams can no longer delude themselves with the idea that containers are too new or too ephemeral for threat actors to bother,” says Stefano Chierici, Senior Security Researcher at Sysdig and report’s co-author. 

“Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.”

Michael Clark, Director of Threat Research and another report's co-author, adds, "The Ukrainian government globally crowdsourced their cyberwar efforts. This was unprecedented, but it shows that digital transformation has extended well beyond classic IT use cases. Willing and unwilling participants alike contributed their infrastructure to the DDoS disruptions."