Aqua Nautilus researchers find Kubernetes clusters under attack in hundreds of o...

Wednesday, 09 August 2023 12:05

Aqua Nautilus researchers find Kubernetes clusters under attack in hundreds of organisations

By Aqua Security

Aqua Nautilus lead threat researcher Assaf Morag

GUEST RESEARCH: Aqua Security, the pioneer in cloud native security, today announced a three-month-long investigation by its research team. Aqua Nautilus uncovered that Kubernetes clusters belonging to more than 350 organisations, open-source projects, and individuals, were openly accessible and unprotected.

A notable subset of clusters was connected to vast conglomerates and Fortune 500 companies. At least 60% of these clusters were breached and had an active campaign with deployed malware and backdoors.

The exposures were due to two misconfigurations, emphasising how known and unknown misconfigurations are actively exploited in the wild and can be catastrophic.

"In the wrong hands, access to a company's Kubernetes cluster could be business ending. Proprietary code, intellectual property, customer data, financial records, access credentials and encryption keys are among the many sensitive assets at risk," said Aqua Nautilus lead threat intelligence analyst Assaf Morag.

"As Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerised applications, organisations are entrusting highly sensitive information and tokens in their clusters. This research is a wakeup call about the importance of Kubernetes security."

In the research, Nautilus highlights a well-known misconfiguration that allows anonymous access with privileges. The second less-known issue was a misconfiguration of the kubectl proxy with flags that unknowingly exposed the Kubernetes cluster to the internet.

Impacted hosts included organisations across a variety of sectors, including financial services, aerospace, automotive, industrial and security, among others.

Most concerning were the open source projects and unsuspecting developers who could inadvertently trust and download a malicious package. If compromised, it could trigger a supply chain infection vector with implications for millions of users.

"We analysed many real-world incidents where attackers exploited these misconfigurations to deploy malware, cryptominers, and backdoors," said Morag.

"Despite the potential risks and tools like Aqua's software supply chain security suite, misconfigurations continue to persist across organisations of all sizes and industries. Clearly there is a gap in security knowledge and management of Kubernetes. These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed."

Nautilus contacted the accessible cluster owners they identified, and the responses were also troubling.

Morag explains: "We were amazed that the initial response was indifference. Many said their clusters 'are just staging or testing environments.' However, once we showed them the full potential of an attack from an attacker's perspective and the potential devastating impact on their organisations, they were all shocked and immediately resolved the issue.

"There is a clear lack of understanding and awareness regarding misconfiguration risks and their impact."

Ongoing campaigns

Nautilus found that approximately 60% of the clusters were actively under attack by cryptominers and created the first known Kubernetes honeypot environment to collect further data about these attacks to shed light on these ongoing campaigns.

Among the key findings, Nautilus discovered the recently reported novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT targeting Kubernetes clusters.

Researchers also uncovered a role-based access control (RBAC) Buster campaign to create a hidden backdoor as well as cryptomining campaigns, including a more extensive execution of the previously discovered Dero Campaign with additional container images that cumulatively had hundreds of thousands of pulls.

Nautilus recommends leveraging native Kubernetes features, such as RBAC and admission control policies, to limit privileges and enforce policies that bolster security.

Security teams can also implement regular auditing of Kubernetes clusters to identify anomalies and take quick remedial actions. The Aqua Platform as well as open source tools, such as Aqua Trivy, Aqua Tracee and Kube-Hunter, can be helpful in scanning Kubernetes environments, detecting anomalies and weaknesses, and preventing exploits in real time.

By employing these and other mitigation strategies, organisations can significantly enhance their Kubernetes security, ensuring that their clusters are safe from common attacks. For the full findings and a list of mitigation recommendations, visit Aqua's blog.

About Aqua Nautilus

Aqua Nautilus focuses on cybersecurity research of the cloud native stack. Its mission is to uncover new vulnerabilities, threats and attacks that target containers, Kubernetes, serverless, and public cloud infrastructure — enabling new methods and tools to address them. With a global network of honeypots, Aqua Nautilus catches more than 80,000 cloud native attacks every month, specifically those unique to containers and microservices that other platforms cannot see.

About Aqua Security

Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered

in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com/.

Read 200 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

GARTNER MARKET GUIDE FOR NDR 2022

You probably know that we are big believers in Network Detection and Response (NDR).

Did you realise that Gartner also recommends that security teams prioritise NDR solutions to enhance their detection and response?

Picking the right NDR for your team and process can sometimes be the biggest challenge.

If you want to try out a Network Detection and Response tool, why not start with the best?

Vectra Network Detection and Response is the industry's most advanced AI-driven attack defence for identifying and stopping malicious tactics in your network without noise or the need for decryption.

Download the 2022 Gartner Market Guide for Network Detection and Response (NDR) for recommendations on how Network Detection and Response solutions can expand deeper into existing on-premises networks, and new cloud environments.

DOWNLOAD NOW!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!