denisismagilov - stock.adobe.com

News

Darktrace: Developer tools under constant attack

Attackers are using automated tools to target development environments within seconds of them going live, warns Darktrace’s global field chief information security officer

Stephen Withers
By
Published: 06 Nov 2025 2:27

Cloud-based developer tools such as Jupyter Notebook and Selenium Grid are constantly under attack, warns Max Heinemeyer, global field chief information security officer (CISO) at cyber security specialist Darktrace.

The company’s research found that the distribution of targets is widespread across the major cloud platforms and geographies. “It’s not like it’s just the US and Azure – there’s a broad distribution of everything that’s attacked all the time,” he said.

This includes the Asia-Pacific region, according to Tony Jarvis, Darktrace vice-president and CISO for Asia-Pacific and Japan. “I will go to some countries and people will tell me, ‘We’re not interesting, they'll target people in the US instead of us.’ No, they don't.”

Data for the warning comes from Darktrace’s Cloudypot, a globally distributed honeypot network designed to attract attacks on cloud infrastructure. “As soon as there’s a new version of a cloud development tool, there’s a huge spike [in attacks],” said Heinemeyer.

He added that while there is a significant drumbeat of attacks against traditional and cloud infrastructure, “as soon as there was anything new around the cloud systems, you could see people really want to get in there”.

It is only a matter of seconds, or minutes at most, between a system coming online and being probed by attackers. “This is automated, so it’s just as easy to do it against one target as another, no matter what industry you're in, what size organisation you are, or what country you’re in,” said Jarvis. “It's very opportunistic. They’ll go after as much as they can, and anywhere they manage to get through the front door is a bonus.”

While noting this should not be interpreted as attribution, Heinemeyer pointed out that most attacks originate from the Chinese IP address space, a finding he said is consistent with threat intelligence from other suppliers.

Telemetry from the Cloudypots shows that the types of attacks are also changing. “Half of the malware we observed was cryptominers, predominantly Monero miners,” said Heinemeyer. The significance of Monero is that, unlike some cryptocurrencies, it can be mined efficiently on a standard CPU.

“I like to compare these cryptominers to a fungus that’s going through most of the internet. It’s almost everywhere,” he said. “Many companies don’t really care about it, if they see it at all, because it’s not doing anything – it’s just sitting there and siphoning off some electricity to generate cryptocurrency.”

But he warned that loader malware can easily replace or augment the cryptominer module with something more dangerous, such as ransomware, or become the entry point for a targeted attack. “So, while this fungus doesn’t feel too bad at first, it might turn infectious overnight.”

The other risk, added Jarvis, is bill shock. A cryptominer can cause cloud-based virtual machines (VMs) to reach capacity, resulting in more VMs being spun up automatically. “A lot of people get a nasty surprise the following month when they get their cloud bill and they say, ‘We didn't use that much cloud services.’ That was the cryptocurrency mining.”

Skills gap and the ephemeral cloud

A previous Darktrace survey found that skills shortages are one of the biggest cloud security challenges faced by organisations. “If you think it’s difficult to find a good security analyst, good luck finding a security analyst that can also look at the cloud environment and understand cloud attacks and cloud engineering,” said Heinemeyer.

Whether organisations want to hire skilled staff or outsource to a managed security service provider (MSSP), they are facing a huge war for talent, driving the increasing use of automation. “Our tooling and technology should make it so easy that any generalist or any junior person in the SOC [security operations centre] can make the cloud environment secure,” said Heinemeyer.

Part of the challenge is the dynamic nature of a cloud environment. In a traditional on-premise environment, an architecture is designed, implemented, and largely fixed. Changes require a formal request process.

“Cloud is way more dynamic, so things will change whether or not you want them to,” he said. “We’ve got elasticity and new features being rolled out by cloud vendors all the time. We turn them on, we want to play with them and get the benefits, sometimes before we really understand best practices around them and lock them down.”

This means that if you produce a topology diagram, it is out of date within five minutes as resources spin up and down. “That leads to gaps in visibility and gaps in knowledge, so it’s much more difficult to secure,” Jarvis added.

The ephemeral nature of cloud environments also makes investigations extremely difficult, said Heinemeyer. If something potentially malicious happens in a container that disappears within 30 seconds, it is hard for the SOC to understand what occurred.

“You might say, ‘The device is reset so nothing bad can come out of it,’ but if you are in a regulated industry and an auditor asks you, ‘Can you tell me if you had any incidents? What about this alert on your container? Was that an incident? Was that an attacker? Did any personal information get touched?’, your company will be in hot water if it cannot show it had the ability to investigate,” he warned. “That's why we started automating a lot of this plumbing to get the forensic-level data.”

Beyond ‘shift left’

Such issues were supposed to be addressed by DevSecOps, but Heinemeyer argued that most of the attention has gone towards securing the coding environment and the continuous integration pipeline – the ‘shift left’ concept.

“If we look further to the right, where it’s more about alerting, logging, investigation, workflows, you’d usually have different skill sets,” he said. “It’s not so much about reading and understanding code and the Docker pipeline. It’s much more about the SOC investigative workflow, and that’s where things get difficult and the disconnect usually happens. I wouldn’t say DevSecOps is not important, but I think as an industry, we focused a lot on that ‘shift left’ for a long time.”

He suggested that simple team-building activities, such as ‘lunch and learn’ sessions and virtual hangouts, can help bridge the gap between security and operations. Then, when an incident occurs, the wheels are already greased, making it easier for them to work together.

Cloud security should be treated holistically, he advised. During the 1990s and 2000s, IT security added layer upon layer: firewalls, anti-malware, phishing awareness training and monitoring. Organisations should not repeat these slow iterations in the cloud. “We know what best practice is, so implement it from the outset,” he said, adding that cloud security should not be treated as something separate from IT security in general. “Don’t create more silos.”

The SaaS security gap

While much of the discussion focuses on defending cloud infrastructure, software as a service (SaaS) has its own challenges. Heinemeyer pointed out that almost every organisation has adopted products like Microsoft 365, Salesforce, SAP or Dropbox.

“That feels more secure, but it does bring a different set of challenges,” he warned. Instead of worrying about an attacker using BloodHound to compromise a domain controller, the threat is an unexpected login from an unusual location using an administrator’s credentials. He noted a recent uptick in organisations wanting to monitor their Salesforce environments in response to advanced persistent threat (APT) groups targeting the platform.

SaaS makes it easier to consume IT, Jarvis observed, and people tend to trust the vendor’s security efforts. “But we see countless cases where there are vulnerabilities that don’t get picked up until it’s too late,” he said. “Somebody’s in your environment, they've been poking around, and they might have exported data. There is a distinct gap between consuming and feeling safe and actually putting proper protections in place.”

Those protections include not just best practices around passwords, multifactor authentication and passkeys, but also watching for unusual activity. An example would be a Microsoft 365 account login from a country where the company has no presence, especially if the user behaves atypically by changing email rules and creating new folders.

“You’ve got to do the checks and balances and not just try to design it as securely as you can,” said Jarvis. “You can’t protect what you can’t see, so it all starts with getting visibility.”

For SaaS, visibility comes via application programming interfaces (APIs). “We need to get the information out of these systems to be able to check what’s happening inside them,” he said. “The more we can extract, the more we can feed through our machine learning and AI [artificial intelligence] algorithms to start getting an idea of what is normal for a user, account or device.” Any abnormal behaviour can then be examined to determine whether it is an attack.

Security is always about people, processes and technology, in that order, Heinemeyer said, noting that a lot of automation has come to market recently using various machine learning techniques to make life easier for security practitioners. It is not just a matter of bringing more talent to bear, but also of using the right tools, he added.

Read more about cyber security in APAC

Read more on Cloud security