Cybersecurity researchers have found more than 900,000 instances of Kubernetes consoles exposed on the internet.
Cyble researchers detected misconfigured Kubernetes instances that could expose hundreds of thousands of organizations. The researchers found a number of indicators of exposure in the open source container orchestration platform:
- Kubernetes Kube K8
- Favicon:2130463260, -1203021870
The threat-hunting exercise led to some general findings on risk exposure:
- The United States has the highest exposure count by far (65%), followed by China (14%) and Germany (9%)
- The top ports in use are 443, 10250, and 6443
Kubernetes Security Risks
Kubernetes is a very popular container orchestration system. The name comes from the Greek word for “helmsman.” The term “K8s” or “K-eights” is also used to refer to this technology.
Many organizations run their applications on Kubernetes as self-contained units called “pods,” which share common resources with other pods without being aware of each other. For example, “npm start” or “go run” processes can each be managed in a pod and share some CPU and RAM.
K8s is helpful to deploy, manage, and scale containers, which often consist of micro-services and their configuration files. When the workload increases or decreases, Kubernetes can handle the situation automatically.
Access control is therefore a critical security aspect of Kubernetes. Any misconfiguration can lead to unwanted disclosures, and attackers could even use it to escape containers and escalate privileges. In addition, Kubernetes exposes APIs, CLI commands, and user interfaces that are attractive to hackers.
Cyble explained its scan “does not necessarily imply that all exposed instances are vulnerable to attacks or will lead to the loss of sensitive data,” but “emphasizes the existence of seemingly simple misconfiguration practices that might make companies lucrative targets for TAs in the future.”
How to Protect Kubernetes
While you cannot anticipate everything, there are good practices for Kubernetes pods security:
- Run containers as non-root users only
- Run regular vulnerability scans against containers (misconfigurations will be spotted)
- Use Kubernetes secrets instead of hard coded credentials in configuration files
- Disable anonymous login
- Harden authentication, especially when it’s not enabled by default
- Update and apply all security patches
- Remove unused or unnecessary components
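As an added example that is not part of Cyble’s report or this article, the following Python audit checks a pod manifest and a kubelet configuration against several of the practices listed above (non-root containers, no privilege escalation, no hard-coded credentials, no anonymous kubelet access). The manifests are constructed samples embedded as dicts so the script runs offline; the field names are the real Kubernetes ones.

```python
def audit_pod(pod: dict) -> list[str]:
    """Return findings for one Pod manifest (core/v1) given as a dict."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        # runAsNonRoot may be set at pod or container level; the container level wins.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append(f"{name}: not restricted to a non-root user (runAsNonRoot)")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is not set.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        # A literal 'value' on a credential-looking env var is a hard-coded secret;
        # the fix is valueFrom.secretKeyRef pointing at a Kubernetes Secret.
        for env in c.get("env", []):
            key = env.get("name", "").upper()
            if "value" in env and any(w in key for w in ("PASSWORD", "SECRET", "TOKEN")):
                findings.append(f"{name}: env {env['name']} holds a literal credential")
    return findings

def audit_kubelet(cfg: dict) -> list[str]:
    """Return findings for a KubeletConfiguration (kubelet.config.k8s.io/v1beta1)."""
    findings = []
    auth = cfg.get("authentication", {})
    # Kubelet defaults: anonymous auth enabled, authorization mode AlwaysAllow.
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("anonymous requests to the kubelet API are enabled")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("kubelet authorization mode is AlwaysAllow")
    return findings

# Constructed sample manifests (not from any real cluster).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "web", "image": "example/web",
     "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "example/web",
        "securityContext": {"allowPrivilegeEscalation": False},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}
WEAK_KUBELET = {"kind": "KubeletConfiguration"}  # relies on the kubelet defaults
HARDENED_KUBELET = {"kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"}}

if __name__ == "__main__":
    for label, f in (("weak pod", audit_pod(WEAK_POD)), ("weak kubelet", audit_kubelet(WEAK_KUBELET))):
        print(label, "->", f)
```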
Also, pay close attention to the status codes returned by Kubernetes APIs. Hackers will likely use them to determine whether further attacks are worth attempting. For example, if the Kubelet API, which handles communications between the Kubernetes control plane and the nodes, accepts unauthenticated requests but returns a 403 error, hackers will probably stop attacking it.
However, if it returns a 401, they might try other exploits, as such an error shows a Kubernetes cluster is functioning in the environment.
Cyble’s results revealed “a small subset of 799 Kubernetes instances that return a status code 200, which are completely exposed to external attackers. In these cases, threat actors can access the nodes on the Kubernetes Dashboard without a password, access all secrets, perform actions, etc.”