Kubernetes clusters belonging to more than 350 enterprises and individuals were left open to compromise by two misconfigurations, as a cloud native security company recently demonstrated.
Aqua Security identified Kubernetes clusters from more than 350 organizations, open source projects and individuals that were openly accessible and unprotected. This was the result of several months of research by Aqua's “Nautilus” research team. A notable subset of clusters were associated with large conglomerates and Fortune 500 companies. At least 60 percent of these clusters were attacked and had an active campaign with deployed malware and backdoors. The vulnerabilities were due to two misconfigurations, illustrating how known and unknown misconfigurations can be actively exploited in the wild and have catastrophic consequences.
Known misconfigurations allow access to privileges
In the investigation, Nautilus points to a known misconfiguration that allows anonymous access with privileges. The second, lesser-known issue was a `kubectl` proxy started with flags that, unbeknownst to the operator, exposed the Kubernetes cluster to the internet. Affected hosts included organizations from a variety of industries, including financial services, aerospace, automotive, industrial and security. Most concerning were the open source projects and unsuspecting developers who could unwittingly trust and download a malicious package. A compromise there could become an infection vector in the software supply chain, impacting millions of users.
Ongoing campaigns against Kubernetes clusters
Nautilus found that about 60 percent of the clusters were actively attacked by cryptominers, and it created the first known Kubernetes honeypot environment to collect further data on these attacks and shed light on the ongoing campaigns. Among the key findings, Nautilus discovered the recently reported, novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT on Kubernetes clusters. Researchers also discovered a role-based access control (RBAC) buster campaign that creates a hidden backdoor, as well as cryptomining campaigns, including a larger run of the previously discovered Dero campaign with additional container images, totaling hundreds of thousands of pulls.
Lack of understanding and awareness of the risks of misconfigurations
Nautilus contacted the owners of the accessible clusters it identified, and their responses were also troubling. Assaf Morag, senior threat intelligence analyst at Aqua Nautilus, explains: “We were amazed that the initial reaction was indifference. Many said that their clusters were ‘just staging or testing environments.’ However, when we showed them the full potential of an attack from an attacker's perspective and the potentially devastating impact on their organizations, they were all shocked and immediately resolved the issue. There is a clear lack of understanding and awareness of the risks of misconfigurations and their impact.”
Secure Kubernetes clusters against misconfigurations
Nautilus recommends leveraging native Kubernetes features such as RBAC and access control policies to limit privileges and enforce policies that increase security. Security teams can also implement regular audits of Kubernetes clusters to detect anomalies and take quick remedial action. Open source tools like Aqua Trivy, Aqua Tracee, and Kube-Hunter can help scan Kubernetes environments to detect anomalies and vulnerabilities and prevent exploits in real time. By employing these and other remediation strategies, organizations can significantly improve their Kubernetes security and ensure their clusters are protected from common attacks. Full results and a list of risk mitigation recommendations can be found on Aqua's blog.
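The first misconfiguration described above, anonymous access with privileges, is visible in the cluster's RBAC bindings: any ClusterRoleBinding or RoleBinding whose subjects include the `system:anonymous` user or the `system:unauthenticated` group hands those privileges to anyone who can reach the API server. The following audit script is an added example written for this article; it is not Aqua's code or part of any of the tools named above. It parses the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` returns (a constructed sample is embedded so it runs offline), flags bindings to the anonymous subjects, rates them by the role granted, and prints the `kubectl delete` command that removes each one. The allowlist of accepted built-in bindings is an assumption to be reviewed per cluster.

```python
"""Audit Kubernetes RBAC bindings for privileges granted to anonymous callers.

Added example, not Aqua's code. Input is the JSON shape returned by
`kubectl get clusterrolebindings,rolebindings -A -o json`.
"""
import json
from typing import Dict, List

# Subjects that represent unauthenticated callers. Binding a role to either
# of them gives that role to anyone who can reach the API server.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# Assumption: bindings the operator has reviewed and accepts. The stock
# system:public-info-viewer binding only exposes endpoints such as /version
# and /healthz, so it is excluded from findings; adjust per cluster.
ACCEPTED_BINDINGS = {"system:public-info-viewer"}

# Constructed sample document (not from any real cluster).
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "debug-anon-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "anon-readers", "namespace": "staging"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "dev-team-edit"},
         "roleRef": {"kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "Group", "name": "dev-team"}]},
    ],
})


def severity(binding: Dict) -> str:
    """cluster-admin to anonymous is a full takeover; cluster-wide bindings
    outrank namespaced ones."""
    if binding["roleRef"]["name"] == "cluster-admin":
        return "critical"
    return "high" if binding["kind"] == "ClusterRoleBinding" else "medium"


def find_anonymous_bindings(doc: str) -> List[Dict]:
    """Return one finding per (binding, anonymous subject) pair."""
    findings = []
    for item in json.loads(doc).get("items", []):
        name = item["metadata"]["name"]
        if name in ACCEPTED_BINDINGS:
            continue
        # `subjects` may be missing entirely on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in ANONYMOUS_SUBJECTS:
                findings.append({
                    "kind": item["kind"],
                    "name": name,
                    "namespace": item["metadata"].get("namespace"),
                    "role": item["roleRef"]["name"],
                    "subject": subj["name"],
                    "severity": severity(item),
                })
    return findings


def remediation(finding: Dict) -> str:
    """kubectl command that removes the offending binding (review first)."""
    if finding["kind"] == "RoleBinding":
        return f"kubectl delete rolebinding {finding['name']} -n {finding['namespace']}"
    return f"kubectl delete clusterrolebinding {finding['name']}"


if __name__ == "__main__":
    for f in find_anonymous_bindings(SAMPLE_BINDINGS):
        print(f"[{f['severity']}] {f['kind']} {f['name']} grants "
              f"{f['role']} to {f['subject']}")
        print("  fix:", remediation(f))
```

Removing the bindings closes the privilege grant, but the stronger fix is to stop the API server from accepting unauthenticated requests at all by running kube-apiserver with `--anonymous-auth=false`, which also removes the need to keep re-auditing for this pattern. The second misconfiguration from the article, an exposed `kubectl proxy`, does not show up in RBAC data: the proxy forwards requests with the operator's own credentials, so the check there is that it is bound only to the loopback address (its default) and never started with a wide-open `--address` or `--accept-hosts` setting on an internet-reachable host.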
“In the wrong hands, access to a company’s Kubernetes cluster can mean the end of the company. Proprietary code, intellectual property, customer data, financial data, credentials and encryption keys are among the many sensitive assets at risk,” comments Assaf Morag. “As Kubernetes has gained tremendous popularity among enterprises in recent years due to its undeniable capabilities in orchestrating and managing containerized applications, enterprises are entrusting their clusters with highly sensitive information and tokens. This investigation is a wake-up call about the importance of Kubernetes security.”
More at AquaSec.com
About Aqua Security
Aqua Security is the largest pure cloud native security provider. Aqua gives its customers the freedom to innovate and accelerate their digital transformation. The Aqua platform provides prevention, detection, and response automation across the application lifecycle to secure the supply chain, cloud infrastructure, and ongoing workloads, regardless of where they are deployed.