Container security, DevSecOps

Researchers find active campaigns exploiting two Kubernetes misconfigurations

Kubernetes official site and logo on screen

Aqua Security on Tuesday reported that at least 60% of the Kubernetes clusters they researched were breached and had an active campaign with deployed malware and backdoors.

In a release Aug. 8, Aqua Nautilus researchers explained that the exposures were caused by two misconfigurations, which emphasized how known and unknown misconfigurations are actively exploited in the wild and can have harmful consequences to corporate networks.

The first of the two misconfigurations Nautilus highlights was a well-known misconfiguration that allows anonymous access with privileges. The second, lesser-known issue was a misconfiguration of the “kubectl” proxy with flags that the researchers said “unknowingly” exposed the Kubernetes cluster to the internet.

Impacted hosts included organizations across many sectors, including financial services, aerospace, automotive and industrial. A major concern, the researchers said, were the open-source projects and unsuspecting developers who could inadvertently trust and download malicious packages that could trigger a supply chain infection.

“In the wrong hands, access to a company’s Kubernetes cluster could be business ending,” said Assaf Morag, lead threat intelligence analyst at Aqua Nautilus. “Proprietary code, intellectual property, customer data, financial records, access credential and encryption keys are among many of the sensitive assets at risk. This research is a wakeup call about the importance of Kubernetes security.” 

There are a lot of “gotcha” moments here, from poor cloud security management, in general, to a misunderstanding of where security teams really need to manage the controls, said Andrew Barratt, vice president at Coalfire. 

“Kubernetes at its core is a phenomenal management orchestration tool for containerized workloads,” said Barratt. “However, the pipelines used to manage Kubernetes infrastructure are often left with default credentials in configuration files, which are sometimes left in unprotected GitHub repositories, and in general, the platform gets used in highly agile work environments. If security isn’t baked into those teams, it can sometimes be an afterthought, creating scenarios where you can have very rapid vulnerable releases that can operate at huge scale.”

Eli Nussbaum, managing director at the Conversant Group, added that cloud infrastructure — and especially containers — are built for easy deployment. In a world where development and security are still often in silos, rather than following a DevSecOps model, where security gets embedded into the process, Nussbaum said the technology often does not enforce security, compliance, or adherence to internal mandates.

“Organizations should block all technologies and vendors until they can be properly vetted and the organization's existing procedures and technical controls applied or supplemented to support the new tools,” said Nussbaum. “We see this time and time again as new tools become available. This is another example of IT personnel jumping to use a tool that solves problem A, while creating unintended consequence B. This is avoidable, but it requires forethought and evaluation of the risk, not just solving for the current needs.” 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.