top of page

News & Views

Aqua reports new attacks in the wild

Pure-play cloud native security leader, Aqua Security ( latest research from Team Nautilus reveals a continuing rise in cyberattacks targeting container infrastructure and supply chains with 50% of attacks happening within one hour of identifying vulnerable targets.

The “Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure” ( provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks.

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” explains Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.  “At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact.  Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft.”  

Among the new attack techniques, Team Nautilus uncovered a massive campaign targeting the auto-build of SaaS dev environments.  

“This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organizations,” adds Morag.

Amongst the findings, the report highlights: higher levels of sophistication in attacks with attackers amplifying their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.  In addition, 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up; and crypto-currency mining is still the most common objective with more than 90% of the malicious images execute resources hijacking.

Team Nautilus utilized Aqua’s Dynamic Threat Analysis (DTA) product to analyse each attack.

The full report can be found at

bottom of page