An analysis by cybersecurity firm Cyble found that more than 900,000 Kubernetes (K8s) instances are exposed on the public Internet, where they can be found by malicious scanning and, when misconfigured, targeted for data theft or other attacks.
The researchers stress that not every open instance is vulnerable to attack or to the loss of sensitive data, but these misconfigurations can turn organisations into lucrative targets for threat actors (TAs).
For context, Kubernetes is an open-source system for automating the deployment, scaling and management of containerized applications.
K8s pools physical and virtual machines into a cluster and exposes a uniform application programming interface (API) for managing workloads on it, rescheduling failed workloads so that production services stay available.
Useful as that is, a Kubernetes cluster that is not properly configured becomes an exposure that can lead to data theft and other intrusions.
In early 2018, for example, Tesla's cloud environment was compromised through an insecurely configured Kubernetes cluster, and in June 2020 attackers used a Kubernetes-based toolkit to spread cryptocurrency-mining malware across multiple clusters.
More recently, researchers at Apiiro disclosed a vulnerability in the open-source continuous-delivery platform Argo CD that let attackers read sensitive data such as passwords and API keys from clusters.
“Online scanners have made it easier for security researchers to detect exposed assets,” Cyble researchers explained in a statement.
“Regardless, at the same time, malicious hackers can also investigate open Kubernetes instances of a specific organization, increasing the risk of attack.”
Cyble's analysis found that the United States has the highest number of exposed instances, followed by China and Germany.
Many of the misconfigured clusters the researchers identified were running on default settings.
“Misconfigurations such as using the default container name, not protecting the Kubernetes Dashboard with a secure password, and leaving the default service ports open to the public can put businesses at risk of data leaks.”
To avoid such misconfigurations, Cyble recommends that companies keep Kubernetes updated to the latest version and remove debugging tools from production containers.
The permissions of every identity with access to the Kubernetes API should also be reviewed thoroughly and regularly, and exposure of critical resources and ports should be limited as far as possible.
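As an added illustration of the Dashboard and API-permission points above (example code written for this page, not part of Cyble's report), the script below audits ClusterRoleBindings in the JSON that `kubectl get clusterrolebindings -o json` and `kubectl get clusterroles -o json` produce. It flags any binding that grants privileges to the unauthenticated identities `system:anonymous` or `system:unauthenticated`, and any binding that hands the Dashboard service account `cluster-admin` or an equivalent wildcard role, raising the severity when the bound role is all-powerful. The sample objects are constructed; the `dashboard-admin`, `anon-secrets`, `anon-everything` and `secret-reader` names are hypothetical. The built-in `system:public-info-viewer` binding, which does bind `system:unauthenticated` but only to non-resource URLs such as `/healthz` and `/version`, is deliberately not reported.

```python
"""Audit Kubernetes RBAC for unauthenticated and over-privileged Dashboard access.

Added example for this page, not Cyble's tooling. Input is the JSON emitted by
`kubectl get clusterrolebindings -o json` / `kubectl get clusterroles -o json`;
the sample data at the bottom is constructed.
"""
import json

# Identities that any caller on the network gets without presenting credentials.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# (namespace, name) of the Dashboard service account in the upstream manifests.
DASHBOARD_SA = ("kubernetes-dashboard", "kubernetes-dashboard")


def role_is_wildcard(role):
    """True if any rule grants every verb on every resource (cluster-admin equivalent)."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               for r in role.get("rules", []))


def role_grants_resources(role):
    """True if the role touches API resources, not only nonResourceURLs like /healthz."""
    return any(r.get("resources") for r in role.get("rules", []))


def audit_rbac(bindings, cluster_roles):
    """Return [(severity, binding name, reason)] for the 'items' lists of both documents."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for b in bindings:
        bname = b["metadata"]["name"]
        rname = b["roleRef"]["name"]
        role = roles.get(rname, {})  # missing role: treat as unknown, not powerful
        powerful = rname == "cluster-admin" or role_is_wildcard(role)
        for s in b.get("subjects") or []:  # subjects may be absent or null
            kind, sname = s.get("kind"), s.get("name")
            if kind in ("User", "Group") and sname in ANONYMOUS_SUBJECTS:
                if not role_grants_resources(role):
                    continue  # e.g. the default system:public-info-viewer binding
                sev = "CRITICAL" if powerful else "HIGH"
                findings.append((sev, bname, f"{rname} granted to {sname}: unauthenticated API access"))
            elif kind == "ServiceAccount" and (s.get("namespace"), sname) == DASHBOARD_SA and powerful:
                findings.append(("HIGH", bname, f"Dashboard service account holds {rname}"))
    return findings


def audit_json(bindings_json, roles_json):
    """Convenience wrapper for the raw kubectl output (both are List documents)."""
    return audit_rbac(json.loads(bindings_json)["items"], json.loads(roles_json)["items"])


# ---- constructed sample, shaped like the kubectl JSON objects ----
GROUP = "rbac.authorization.k8s.io"


def _role(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}


def _binding(name, role, *subjects):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"apiGroup": GROUP, "kind": "ClusterRole", "name": role},
            "subjects": list(subjects)}


SAMPLE_ROLES = [
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                            {"nonResourceURLs": ["*"], "verbs": ["*"]}]),
    _role("system:public-info-viewer", [{"nonResourceURLs": ["/healthz", "/version"], "verbs": ["get"]}]),
    _role("secret-reader", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
]
SAMPLE_BINDINGS = [
    _binding("cluster-admin", "cluster-admin", {"kind": "Group", "apiGroup": GROUP, "name": "system:masters"}),
    _binding("system:public-info-viewer", "system:public-info-viewer",
             {"kind": "Group", "apiGroup": GROUP, "name": "system:unauthenticated"}),
    _binding("dashboard-admin", "cluster-admin",  # the Dashboard misconfiguration
             {"kind": "ServiceAccount", "namespace": "kubernetes-dashboard", "name": "kubernetes-dashboard"}),
    _binding("anon-secrets", "secret-reader", {"kind": "User", "apiGroup": GROUP, "name": "system:anonymous"}),
    _binding("anon-everything", "cluster-admin", {"kind": "Group", "apiGroup": GROUP, "name": "system:unauthenticated"}),
]

if __name__ == "__main__":
    for sev, name, why in audit_rbac(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"[{sev}] {name}: {why}")
```

Against a real cluster, pass the two JSON documents to `audit_json`. A finding for an anonymous subject means the API server will serve real privileges to any unauthenticated request, which is exactly what an Internet-wide scan of port 6443 turns up; the Dashboard finding is the classic cluster-admin-to-Dashboard shortcut that turns an exposed UI into full cluster control.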
For additional recommendations and technical details, see the full text of Cyble's advisory.