More than 350 organizations, open-source projects, and individuals have had their Kubernetes (K8s) clusters breached and compromised, according to Aqua Security’s recent findings. The research team, Nautilus, conducted a three-month-long investigation, which revealed that over half of the exposed clusters had an active campaign with deployed malware and backdoors. While the majority of the affected clusters belonged to small- to medium-sized organizations, a notable subset was associated with large conglomerates and Fortune 500 companies.
The vulnerabilities that led to these breaches were primarily attributed to two misconfigurations. The first misconfiguration allowed anonymous access with privileges, meaning that unauthenticated users could gain unauthorized access to sensitive resources within the clusters. The second misconfiguration involved exposing the Kubernetes clusters directly to the internet, removing any protective barriers and making them susceptible to attacks.
Kubernetes is an open-source orchestration system used for automating the deployment, scaling, and management of applications in cloud environments. Despite its popularity and widespread adoption as the de facto operating system of the cloud, Kubernetes presents significant security risks and challenges for organizations. Red Hat’s 2023 State of Kubernetes Security Report highlighted that 38% of surveyed professionals considered security a top concern when implementing container and Kubernetes strategies. Furthermore, 67% reported delayed or slowed deployments due to security concerns, and 37% experienced revenue or customer loss as a result of security incidents related to containers and Kubernetes.
During their investigation, Aqua Security’s researchers identified over 350 API servers that were exposed to exploitation by attackers. In 72% of cases the exposed ports were 443 and 6443, the default HTTPS ports. A further 19% of the servers were reachable on plain HTTP ports such as 8001 and 8080, while the rest used less common ports like 9999. Geographically, most of the exposed servers were affiliated with North America, with a significant share hosted on AWS (Amazon Web Services). Chinese cloud providers accounted for approximately 17% of the exposed servers.
Regarding the nature of the attacks on Kubernetes clusters, the researchers found that around 60% of the clusters were actively targeted by cryptominers. To gain further insight into these attacks, the Nautilus team set up a honeypot environment to collect data. Their investigation revealed the resurgence of the Silentbob campaign, previously reported as a highly aggressive attack targeting multiple cloud technologies. TeamTNT, the group behind Silentbob, was found to be actively targeting Kubernetes clusters. The researchers also uncovered a campaign focused on role-based access control (RBAC) manipulation to create hidden backdoors. Moreover, various cryptomining campaigns, including an expanded version of the previously identified Dero Campaign, were detected. These campaigns involved the use of container images that collectively had hundreds of thousands of pulls.
The investigation emphasized two common misconfigurations that organizations frequently make and are actively exploited in the wild. The first misconfiguration involved granting anonymous access with privileges, enabling unauthorized users to gain unexpected permissions. The researchers noted that, in some instances, practitioners went against default settings and assigned privileges to anonymous users. The second misconfiguration, exposing Kubernetes clusters to the internet, created a vulnerable entry point for attackers.
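The first misconfiguration is visible in a cluster's RBAC bindings: any ClusterRoleBinding or RoleBinding whose subjects include the `system:anonymous` user or the `system:unauthenticated` group hands privileges to callers who never authenticated. The following check is an added example, not code from Aqua Security's report; it runs over a constructed sample of what `kubectl get clusterrolebindings -o json` returns and treats everything except the stock `system:public-info-viewer` binding (the only one Kubernetes ships for unauthenticated callers) as a finding.

```python
import json

# Well-known Kubernetes identities for callers that did not authenticate.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# The only role Kubernetes binds to unauthenticated callers by default; it exposes
# just /healthz, /livez, /readyz and /version. Assumption: anything else is a finding.
DEFAULT_ALLOWED_ROLES = {"system:public-info-viewer"}


def find_anonymous_bindings(binding_list):
    """Return (binding name, role name) pairs that grant a role to anonymous callers.

    Accepts the JSON structure of `kubectl get clusterrolebindings -o json`
    (or rolebindings); `subjects` may be absent or null, which is handled.
    """
    findings = []
    for item in binding_list.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        for subject in item.get("subjects") or []:
            key = (subject.get("kind"), subject.get("name"))
            if key in ANONYMOUS_SUBJECTS and role not in DEFAULT_ALLOWED_ROLES:
                findings.append((item["metadata"]["name"], role))
    return findings


# Constructed sample output: a cluster where someone bound cluster-admin to
# the anonymous user, next to the stock binding and an ordinary one.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "system:public-info-viewer"},
   "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "anon-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"metadata": {"name": "dev-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "developers"}]}
]}
""")

if __name__ == "__main__":
    for binding, role in find_anonymous_bindings(SAMPLE):
        print(f"FINDING: binding {binding} grants {role} to unauthenticated callers")
```

On a live cluster, pipe the real `kubectl` output into `find_anonymous_bindings` and review the API server's `--anonymous-auth` setting alongside the results, since disabling anonymous authentication removes the entry point these bindings depend on.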
In conclusion, Aqua Security’s investigation has unveiled the alarming number of exposed and breached Kubernetes clusters. The findings highlight the critical importance of properly configuring and securing Kubernetes environments to mitigate security risks. Organizations must prioritize implementing recommended security measures to protect their clusters from unauthorized access, malware infections, and cryptomining attacks. By addressing these vulnerabilities, organizations can ensure the safe and secure operation of their Kubernetes deployments.