Over 900,000 Kubernetes (K8s) instances have been discovered to be vulnerable to malicious scans and/or data-exposing cyberattacks, according to a report from cybersecurity firm Cyble.
Even though not all exposed instances are vulnerable to attacks or the loss of sensitive data, these misconfiguration practices may make companies attractive targets for threat actors (TAs) in the future, according to researchers.
Kubernetes is an open-source system designed to automate the deployment, scaling and administration of containerized applications.
There is no downtime in a production environment because K8s uses a combination of physical and virtual machines to create a uniform API.
For all these reasons, Kubernetes is a useful tool, but when it isn’t set up properly, it presents a risk of data exfiltration and other hacking attempts.
The Tesla cloud was breached in March 2018 due to improperly configured Kubernetes clusters, and in June 2020, cryptocurrency mining malware was spread across multiple clusters using a K8s toolkit that was infiltrated by hackers.
The open-source continuous delivery platform Argo CD has recently been found to have a vulnerability that allows attackers to access and exfiltrate sensitive information such as passwords and API keys.
Cyble researchers wrote in an advisory that “online scanners have made it easy for security researchers to find the exposure of assets.
As a result of the exposed Kubernetes instance for a particular organisation, malicious hackers can also conduct an investigation, increasing the risk of attack.”
The Cyble analysis found that the United States had the most exposure, followed by China and Germany.
Due to default settings, many of the clusters spotted by cybersecurity researchers were misconfigured.
Kubernetes Dashboard is vulnerable to data leakage because it is not password protected and the default service ports are open to the public. This puts businesses at risk.
Cyble advised companies to keep Kubernetes up to date and remove debugging tools from production containers in order to avoid misconfigurations.
Additional security measures should be taken to ensure that Kubernetes API access is restricted to those who need it, and that critical assets and ports are protected to the greatest extent possible.
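One way to check a cluster you administer for the misconfigurations named above (a Dashboard published on an external service port, and API permissions granted more widely than needed) is to audit the output of `kubectl get services,clusterrolebindings -A -o json`. The script below is an added example, not code from Cyble's advisory; the sample objects are constructed and the "dashboard" name match is an assumed heuristic.

```python
import json

# Constructed sample, shaped like `kubectl get services,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "Service", "metadata": {"name": "kubernetes-dashboard",
   "namespace": "kubernetes-dashboard", "labels": {"k8s-app": "kubernetes-dashboard"}},
   "spec": {"type": "NodePort"}},
 {"kind": "Service", "metadata": {"name": "billing-api", "namespace": "prod"},
   "spec": {"type": "ClusterIP"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kubernetes-dashboard"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-anon"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]}]}""")

EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}        # published outside the cluster
ANONYMOUS = {"system:anonymous", "system:unauthenticated"}
DEFAULT_ANON_ROLES = {"system:public-info-viewer"}   # default binding, version info only

def audit(listing):
    """Return (object, reason) findings for exposure-related misconfigurations."""
    findings = []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if item.get("kind") == "Service":
            labels = meta.get("labels") or {}
            # Assumed heuristic: the upstream label, or "dashboard" in the name.
            is_dash = labels.get("k8s-app") == "kubernetes-dashboard" or "dashboard" in name
            stype = item.get("spec", {}).get("type", "ClusterIP")
            if is_dash and stype in EXTERNAL_TYPES:
                findings.append((f"svc/{meta.get('namespace')}/{name}",
                                 f"Dashboard published as {stype}"))
        elif item.get("kind") == "ClusterRoleBinding":
            role = item.get("roleRef", {}).get("name", "")
            for subj in item.get("subjects") or []:
                who = subj.get("name", "")
                if who in ANONYMOUS and role not in DEFAULT_ANON_ROLES:
                    findings.append((f"crb/{name}", f"{who} bound to {role}"))
                elif role == "cluster-admin" and "dashboard" in who:
                    findings.append((f"crb/{name}", "Dashboard account has cluster-admin"))
    return findings

if __name__ == "__main__":
    for obj, reason in audit(SAMPLE):
        print(f"{obj}\t{reason}")
```
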
Cyble’s full advisory contains more recommendations and technical details.