An analysis from cybersecurity firm Cyble has found over 900,000 Kubernetes (K8s) exposed across the internet and thus vulnerable to malicious scans and/or data-exposing cyberattacks.
The researchers clarified that while not all exposed instances are vulnerable to attacks or the loss of sensitive data, these misconfiguration practices might make companies lucrative targets for threat actors (TA) in the future.
For context, Kubernetes is an open-source system designed to automate the deployment, scaling and administration of containerized applications.
K8s rely on a combination of physical and virtual machines to create a uniform application programming interface (API) that ensures there is no downtime in a production environment.
While extremely useful for these reasons, when not properly configured Kubernetes can represent a vulnerability that could lead to data exfiltration and other hacking attempts.
For instance, back in March 2018, Tesla’s cloud was compromised due to insecurely configured Kubernetes clusters, and in June 2020, hackers infiltrated a K8s toolkit to spread cryptocurrency mining malware across multiple clusters.
More recently, security researchers from Apiiro discovered a vulnerability in the open-source continuous delivery platform Argo CD that lets attackers access and exfiltrate sensitive information like passwords and API keys from clusters.
“Online scanners have made it easy for security researchers to find the exposure of assets,” explained the Cyble researchers in an advisory.
“Regardless, at the same time, malicious hackers can also investigate the exposed Kubernetes instance for a particular organization, increasing the risk of attack.”
The Cyble analysis noticed that the United States has the highest exposure count, followed by China and Germany.
Many of the misconfigured clusters spotted by cybersecurity researchers were due to the use of default settings.
“Misconfigurations like utilizing default container names, not having the Kubernetes Dashboard protected by a secure password and leaving default service ports open to the public can place businesses at risk of data leakage.”
To avoid misconfigurations, Cyble said companies should keep Kubernetes updated to the latest version and remove debugging tools from production containers.
Further, Individuals with access to the Kubernetes API should have their permissions reviewed thoroughly and on a regular basis, and exposure of critical assets and ports should be limited as much as possible.
For additional recommendations and technical details, you can access the full text of Cyble’s advisory here.