SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Aqua Nautilus find Kubernetes clusters under attack
Wed, 9th Aug 2023

Aqua Security's research team, Aqua Nautilus, has found that Kubernetes clusters are under attack in hundreds of organisations.

The cloud-native security expert announced a three-month-long investigation revealing that Kubernetes clusters belonging to more than 350 organisations, open-source projects, and individuals were openly accessible and unprotected.

A notable subset of the clusters was connected to vast conglomerates and Fortune 500 companies. At least 60% of these clusters were breached and had an active campaign with deployed malware and backdoors.

Nautilus attributes the exposure to two misconfigurations, emphasising how known and unknown misconfigurations are actively exploited in the wild and may be catastrophic.

Assaf Morag, Lead Threat Intelligence Analyst at Aqua Nautilus, says: "In the wrong hands, access to a company's Kubernetes cluster could be business ending." 

"Proprietary code, intellectual property, customer data, financial records, access credentials and encryption keys are among the many sensitive assets at risk." 

"As Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerised applications, organisations are entrusting highly sensitive information and tokens in their clusters."

"This research is a wake-up call about the importance of Kubernetes security," says Morag. 

In the research, Nautilus highlights a well-known misconfiguration that allows anonymous access with privileges. The second less-known issue was a misconfiguration of the `kubectl` proxy with flags that unknowingly exposed the Kubernetes cluster to the internet.

Impacted hosts included organisations across various sectors, including financial services, aerospace, automotive, industrial and security, among others.

Most concerning, Nautilus says, were the open-source projects and unsuspecting developers who could inadvertently trust and download a malicious package. If compromised, it could trigger a supply chain infection vector with implications for millions of users.

"We analysed many real-world incidents where attackers exploited these misconfigurations to deploy malware, cryptominers, and backdoors," says Morag.

"Despite the potential risks and tools like Aqua's software supply chain security suite, misconfigurations persist across organisations of all sizes and industries. Clearly, there is a gap in Kubernetes's security knowledge and management." 

"These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed."

Nautilus contacted the accessible cluster owners they identified and said the responses they received were "troubling."

Morag explains: "We were amazed that the initial response was indifference. Many said their clusters 'are just staging or testing environments.'"

"However, once we showed them the full potential of an attack from an attacker's perspective and the potentially devastating impact on their organisations, they were all shocked and immediately resolved the issue."

"There is a clear lack of understanding and awareness regarding misconfiguration risks and their impact," says Morag.

Nautilus found that approximately 60% of the clusters were actively under attack by cryptominers and created the first known Kubernetes honeypot environment to collect further data about these attacks to shed light on these ongoing campaigns.

Among the key findings, Nautilus discovered the recently reported novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT targeting Kubernetes clusters. 

Researchers also uncovered a role-based access control (RBAC) Buster campaign that creates a hidden backdoor, as well as cryptomining campaigns, including a more extensive execution of the previously discovered Dero campaign with additional container images that cumulatively have many pulls.

Nautilus recommends leveraging native Kubernetes features, such as RBAC and admission control policies, to limit privileges and enforce policies that bolster security.

Security teams can also implement regular auditing of Kubernetes clusters to identify anomalies and take quick remedial actions. The Aqua Platform and open source tools, such as Aqua Trivy, Aqua Tracee and Kube-Hunter, can help scan Kubernetes environments, detect anomalies and weaknesses, and prevent exploits in real-time.
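The two misconfigurations described earlier (a privileged binding for anonymous callers, and `kubectl proxy` flags that publish the cluster) can be folded into the regular audit recommended here. The script below is an added example, not Aqua's or Kubernetes' own code: it assumes the JSON printed by `kubectl get clusterrolebindings -o json` as input, takes the `kubectl proxy` defaults from `kubectl proxy --help`, and uses constructed sample bindings.

```python
import json
import shlex

# Subjects that stand for unauthenticated callers: binding either of them to a
# role hands that role's privileges to anyone who can reach the API server.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# kubectl proxy defaults (from `kubectl proxy --help`): listen on loopback and
# accept only loopback clients. Both must change before the proxy is exposed.
DEFAULT_ADDRESS = "127.0.0.1"
DEFAULT_ACCEPT_HOSTS = r"^localhost$,^127\.0\.0\.1$,^\[::1\]$"

def anonymous_bindings(clusterrolebindings_json):
    """(binding, role) pairs that bind an unauthenticated User or Group subject."""
    findings = []
    for item in json.loads(clusterrolebindings_json).get("items", []):
        names = {s.get("name") for s in item.get("subjects") or []
                 if s.get("kind") in ("User", "Group")}
        if names & ANONYMOUS_SUBJECTS:
            findings.append((item["metadata"]["name"], item["roleRef"]["name"]))
    return findings

def kubectl_proxy_exposed(cmdline):
    """True when a `kubectl proxy` command line listens on a non-loopback
    address AND widens or disables the client filter; that combination is what
    makes the unauthenticated proxy endpoint reachable from the network."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["kubectl", "proxy"]:
        return False
    opts, i = {}, 2
    while i < len(argv):
        flag, i = argv[i], i + 1
        if not flag.startswith("--"):
            continue
        if "=" in flag:                                   # --address=0.0.0.0
            key, value = flag[2:].split("=", 1)
        elif i < len(argv) and not argv[i].startswith("-"):
            key, value = flag[2:], argv[i]                # --address 0.0.0.0
            i += 1
        else:
            key, value = flag[2:], "true"                 # bare --disable-filter
        opts[key] = value
    non_loopback = opts.get("address", DEFAULT_ADDRESS) not in {"127.0.0.1", "localhost", "::1"}
    filter_off = opts.get("disable-filter", "false") == "true"
    widened = filter_off or opts.get("accept-hosts", DEFAULT_ACCEPT_HOSTS) != DEFAULT_ACCEPT_HOSTS
    return non_loopback and widened

# Constructed sample: the first binding hands cluster-admin to anonymous callers.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "anon-admin"}, "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "ci-deployer"}, "roleRef": {"name": "edit"}, "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}]})
```

Feed `anonymous_bindings` the live cluster's binding JSON and `kubectl_proxy_exposed` the command lines of running `kubectl` processes; any finding from either is one of the two exposures Nautilus reported.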

Aqua says organisations can significantly enhance their Kubernetes security by employing these mitigation strategies, ensuring their clusters are safe from common attacks.