Kubernetes clusters under attack in hundreds of organizations

Kubernetes (K8s) clusters belonging to more than 350 organizations, open-source projects, and individuals have been detected as openly accessible and unprotected. More than half of those have been breached and had an active campaign with deployed malware/backdoors. That’s according to new findings from Aqua Security following a three-month-long investigation by its research team, Nautilus. Most clusters were tied to small- to medium-sized organizations, but a notable subset was connected to large conglomerates and Fortune 500 companies, Aqua Security said. The exposures were a result of two misconfigurations: one that allows anonymous access with privileges and another that exposes Kubernetes clusters to the internet.

Kubernetes is an open-source orchestration system that relies on containers to automate the deployment, scaling, and management of applications, usually in a cloud environment. Over time, it has become the de facto operating system of the cloud, but it can also pose significant security risks and challenges for businesses. Redhat’s 2023 State of Kubernetes Security Report surveyed 600 global DevOps, engineering, and security professionals to uncover the most common security challenges organizations face on their cloud-native adoption journey. Of those surveyed, 38% cited security as a top concern with container and Kubernetes strategies, 67% have delayed or slowed down deployment due to Kubernetes security concerns, and 37% have experienced revenue or customer loss due to a container/Kubernetes security incident.

Researchers identified 350+ API servers that could be exploited by attackers

Over a three-month period, the researchers identified 350+ API servers which could be exploited by attackers, they wrote. Upon analyzing the newly discovered hosts, the team found that 72% had ports 443 and 6443 exposed (these are the default HTTPS ports). They also found that 19% of the hosts used HTTP ports such as 8001 and 8080, while the rest used less common ports (e.g., 9999).

“The host distribution revealed that while most (85%) had between 1 to 3 nodes, some hosted between 20 to 30 nodes within their Kubernetes clusters. The higher node count might indicate larger organizations or more significant clusters,” the researchers wrote. As for geographical distribution, most servers had geolocation affiliation to North America, with a substantial footprint of AWS (~80%). In contrast, Chinese cloud providers accounted for about 17% of the servers.

Kubernetes clusters actively under attack by cryptominers

The researchers found that approximately 60% of the clusters were actively under attack by cryptominers. The team created a honeypot environment to collect further data about these attacks to shed light on the ongoing campaigns. Among the key findings, Nautilus discovered the recently reported novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT targeting Kubernetes clusters. The researchers also uncovered a role-based access control (RBAC) buster campaign to create a hidden backdoor as well as cryptomining campaigns, including a more extensive execution of the previously discovered Dero Campaign with additional container images that cumulatively had hundreds of thousands of pulls.

Two common misconfigurations exploited in the wild

The research highlighted two common misconfigurations, widely done by organizations and actively exploited in the wild. The first grants anonymous access with privileges whereby an anonymous unauthenticated user only undergoes one phase of authorization. “By default, the anonymous user has no permissions, but we have seen that practitioner in the wild, and in some cases, give privileges to the anonymous user,” they wrote.

When mixing all the above, a severe misconfiguration is created. “We have seen cases in which practitioners bind the anonymous user role with other roles, often with admin roles, which puts their clusters in danger,” according to the researchers. A mixture of these misconfigurations can allow attackers to gain unauthorized access to the Kubernetes cluster, potentially compromising all applications running on it, as well as other environments.

The second issue is a misconfiguration of the `kubectl` proxy with flags that unknowingly expose the Kubernetes cluster to the internet, the researchers said. Impacted hosts included organizations across a variety of sectors such as financial services, aerospace, automotive, industrial, and security.

“When you run the same command with the following flags ‘–address=`0.0.0.0` –accept-hosts `.*`’, the proxy on your workstation will now listen and forward authorized and authenticated requests to the API server from any host that has HTTP access to the workstation. Mind, that the privileges are the same privileges that the user who ran the ‘kubectl proxy’ command has.”

Unauthorized access to Kubernetes clusters could be “business ending”

In the wrong hands, access to a company’s Kubernetes clusters could be business ending,” said Assaf Morag, lead threat intelligence analyst at Aqua Nautilus. “Proprietary code, intellectual property, customer data, financial records, access credentials, and encryption keys are among the many sensitive assets at risk.”

As Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerized applications, organizations are entrusting highly sensitive information and tokens in their clusters, Morag added. “There is clearly a gap in security knowledge and management of Kubernetes. These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed.”