381,000-plus Kubernetes API servers 'exposed to internet'

Firewall isn't a made-up word from the Hackers movie, people

A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse.

Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network.

"While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface," Shadowserver's team stressed in a write-up. "They also allow for information leakage on version and build."

That said, enterprises shouldn't downplay the risk that such exposed Kubernetes API servers represent, according to Erfan Shadabi, head of market for data security firm comforte AG.

"Kubernetes growth is unstoppable, and while it provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation," Shadabi told The Register. "For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured, so it is not a surprise that The Shadowserver Foundation's scan found so many vulnerabilities."

What's most concerning is that the data security capabilities built into Kubernetes meet the bare minimum standards, with protection for data at rest and data in motion, but "no persistent protection of data itself, for example, using industry accepted techniques like field-level tokenization," Shadabi said.

"If an ecosystem is compromised, it's only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack. Organizations that use containers and Kubernetes in their production environments must take Kubernetes security very seriously."

Kubernetes was developed by Google almost a decade ago and is now the most popular tool for managing containers both on premises and in the public cloud, with such vendors as Red Hat (OpenShift), VMware (Tanzu), and SUSE (Rancher) selling commercial versions. Almost 50 percent of organizations worldwide have adopted Kubernetes in some form as of 2021, according to market research firm Statista.

Shadowserver scanned for accessible Kubernetes API instances that responded with 200 OK, listing in its report almost two dozen instances that came back with that response. The group also disclosed the five most-accessible platforms.

The researchers also noted that almost 53 percent of the accessible instances – 201,348 Kubernetes API servers – were located in the United States.

Open-source systems are an increasingly popular target for threat actors. In the era of cloud computing, the attack surface around Linux is only expanding.

Cybersecurity vendor Trend Micro, in a report last year, noted that of the cloud workloads that its Cloud One product protects, 61 percent were Linux systems, with 39 percent running Windows. The cyberthreats range from ransomware and trojans to coinminers and web shells.

"Given how deeply Linux is rooted in daily life, especially as an integral part of cloud infrastructure and the internet of things (IoT), the security of Linux and Linux workloads must be treated at par with that of Windows and other operating systems," the Trend Micro researchers wrote.

The threat to opens-source systems was highlighted late last year, when vulnerabilities in the ubiquitous Apache Log4j logging tool surfaced. The flaws were easy to exploit and Log4j was so widely used that it was difficult for many enterprises to find all the instances within their IT environments to patch them. Cybercriminals moved quickly to exploit the flaws – dubbed Log4Shell – and continue to use them as access points into systems.

That was illustrated in a report last week that found the Russia-linked Wizard Spider – the threat group behind such ransomware as Conti and Ryuk – was leveraging Log4Shell in some of its campaigns.

Shadowserver recommended that enterprises using a Kubernetes API server that is accessible implement authorization for access or block it at the firewall to reduce the attack surface. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022