Kubernetes misconfiguration unknowingly exposed data of Fortune 500 firm, hundreds more
The Kubernetes misconfiguration could have had serious ramifications for the company


An unnamed Fortune 500 company with a “multi-billion dollar” revenue stream could have been exposed to cyber attacks due to misconfigured Kubernetes clusters, according to new research.
Analysis of Kubernetes flaws by Aqua Nautilus found that more than 350 organizations and open source projects worldwide were left vulnerable for several months due to a series of common misconfigurations.
One misconfiguration uncovered by researchers would have allowed threat actors anonymous, privileged access to Kubernetes clusters.
The second - and “less well-known” - issue highlighted in the study was a misconfiguration of the ‘kubectl’ proxy that “unknowingly exposed” Kubernetes clusters to the internet, leaving organizations at risk.
Researchers said that at least 60% of clusters affected by these misconfigurations were breached and had an “active campaign with deployed malware and backdoors”.
“The exposures were due to two misconfigurations, emphasizing how known and unknown misconfigurations are actively exploited in the wild and can be catastrophic,” researchers said.
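A defender's audit for the two misconfigurations described above, as an added example that is not from the article or from Aqua's research. It assumes the first issue shows up as RBAC bindings that grant roles to Kubernetes' built-in anonymous identities (`system:anonymous`, `system:unauthenticated`) and the second as a `kubectl proxy` started with a non-loopback `--address`; the function names, allow-list and sample bindings are constructed for illustration.

```python
import json
import shlex

# Identities Kubernetes assigns to requests that carry no credentials.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Assumption: the only role anonymous callers should hold is the default
# read-only one covering /healthz, /version and similar endpoints.
ALLOWED_ANON_ROLES = {"system:public-info-viewer"}

def anonymous_bindings(bindings_json):
    """Return (binding, role, subject) for every binding that grants a
    non-allow-listed role to an unauthenticated identity."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        if role in ALLOWED_ANON_ROLES:
            continue
        for subj in item.get("subjects") or []:  # "subjects" may be null
            if (subj.get("kind"), subj.get("name")) in ANON_SUBJECTS:
                findings.append((item["metadata"]["name"], role, subj["name"]))
    return findings

def proxy_is_exposed(cmdline):
    """True if a `kubectl proxy` command line listens beyond loopback."""
    args = shlex.split(cmdline)
    if "proxy" not in args:
        return False
    address = "127.0.0.1"  # kubectl proxy's default listen address
    for i, arg in enumerate(args):
        if arg.startswith("--address="):
            address = arg.split("=", 1)[1]
        elif arg == "--address" and i + 1 < len(args):
            address = args[i + 1]
    return address not in ("127.0.0.1", "localhost", "::1")

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "debug-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
]})

if __name__ == "__main__":
    for name, role, subject in anonymous_bindings(SAMPLE):
        print(f"binding {name!r} grants {role!r} to {subject}")
```

On a live cluster, pass it the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and run `proxy_is_exposed` over the command lines of any running `kubectl proxy` processes.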
Among the vulnerable organizations identified by Aqua, one was a “small analytics” firm that, had it been breached, likely wouldn’t have made headlines.
However, the firm in question had close ties to a “top-tier” Fortune 500 company, researchers revealed.
Given that this company was an analytics services provider, the exposed Kubernetes cluster was found to contain a high volume of highly sensitive information hosted on various databases within the cluster.
“Since the cluster was exposed, this data was exposed, and the exposure of this data could significantly impact the business operations of this large enterprise,” researchers said.
This example underlines the potential knock-on effects that common Kubernetes misconfigurations could have for businesses spanning a range of industries.
A high volume of open source projects was found to be at risk during the investigation, which could have inadvertently triggered a supply chain incident that would affect millions of users.
“In the wrong hands, access to a company’s Kubernetes cluster could be business ending,” said Assaf Morag, lead threat intelligence analyst at Aqua Nautilus.
“Proprietary code, intellectual property, customer data, financial records, access credentials, and encryption keys are among the many sensitive assets at risk,” he added.
Morag said the growing popularity of Kubernetes in recent years has offered businesses “undeniable prowess” in managing containerized applications, but this study shows many are entrusting highly sensitive information in their clusters without a detailed understanding of potential risks and management techniques.
“Misconfigurations continue to persist across organizations of all sizes and industries,” he said.
“There is clearly a gap in security knowledge and management of Kubernetes. These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed.”
The adoption of containers was also highlighted as one of the key risk factors affecting the security of cloud environments by Google Cloud last week.
Its August Threat Horizons report found that telecoms companies are facing a marked increase in attacks on their cloud environments, though many of these were DDoS in nature.
Google Cloud also noted that user-driven errors were blamed for most of the successful compromises of cloud environments in the first quarter of the year.
Misconfigurations accounted for 19% of all incidents in the company’s telemetry. As well as opening access to Kubernetes clusters, misconfigurations elsewhere in the cloud were often linked to the exposure of sensitive APIs and UIs.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.