On 8 August 2023 (a Tuesday), the cybersecurity company Aqua Security (Aquasec) reported the discovery of two ongoing campaigns exploiting Kubernetes clusters that had been left misconfigured.
It reported that over 60% of the Kubernetes clusters it examined had already been compromised, with active persistence mechanisms and deployed malware found on them.
In a blog post by Michael Katchinskiy and Assaf Morag, the researchers describe exposed clusters belonging to more than 350 organizations:
“In our investigation, we uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals, openly accessible and largely unprotected. At least 60% of them were breached and had an active campaign that deployed malware and backdoors.”
Although most of these clusters belonged to small and medium-sized firms, a subset were connected to large enterprises, some of them Fortune 500 companies.
In a further statement:
“The organizations we identified cut across a variety of sectors, encompassing Financial, Aerospace, Automotive, Industrial, Security, among others. Among the things we discovered were two main misconfigurations.”
The first of the two misconfigurations is one Aqua had already flagged in earlier research, but it remains dangerous: allowing anonymous users privileged access. Out of the box the API server accepts unauthenticated requests and attributes them to the user ‘system:anonymous’ (group ‘system:unauthenticated’); by default RBAC lets that identity read almost nothing. The problem arises when an administrator binds that identity to a privileged role, at which point anyone who can reach the API server can use the cluster without credentials.
The second, which the researchers considered the more severe of the two, involves running ‘kubectl proxy’ with arguments that unknowingly expose the cluster to the internet. ‘kubectl proxy’ normally listens only on 127.0.0.1:8001 and forwards requests to the API server using the operator’s own credentials; started with ‘--address=0.0.0.0 --accept-hosts=.*’ it does the same for anyone on the network, so every remote caller inherits the operator’s access.
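As an added example (not code from the Aqua post or from Kubernetes itself), the following Python audits both misconfigurations offline from artefacts an operator already has: a JSON dump of role bindings, checked for roles handed to ‘system:anonymous’ or ‘system:unauthenticated’, and the command line used to start ‘kubectl proxy’, checked for a non-loopback ‘--address’ and a permissive ‘--accept-hosts’. The sample bindings, the command lines and the function names are constructed for the illustration; the defaults it encodes (anonymous requests mapped to ‘system:anonymous’, ‘kubectl proxy’ listening on 127.0.0.1:8001 with a loopback-only Host-header filter) are Kubernetes’ own.

```python
"""Added illustration, not code from the Aqua report: audit the two
misconfigurations described above from a dump of role bindings and from the
command line used to start kubectl proxy. All sample data is constructed."""
import re
import shlex

# With --anonymous-auth=true (the API server default) every unauthenticated
# request is attributed to this user and this group.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Upstream binds system:unauthenticated to this role on purpose, so that
# /healthz, /version and /livez work without credentials; do not flag it.
EXPECTED_ANON_ROLES = {"system:public-info-viewer"}

# kubectl proxy defaults: loopback only, plus a Host-header filter that only
# admits loopback names (kubectl splits the flag on commas into regexes).
PROXY_DEFAULT_ADDRESS = "127.0.0.1"
PROXY_DEFAULT_ACCEPT_HOSTS = r"^localhost$,^127\.0\.0\.1$,^\[::1\]$"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Host values a remote attacker might send (kubectl strips the port first).
PROBE_HOSTS = ("203.0.113.9", "localhost.attacker.example")


def risky_anonymous_bindings(bindings):
    """Return (binding name, role name) for every ClusterRoleBinding or
    RoleBinding that gives anonymous callers a role other than the expected
    public-info one. Accepts either a plain list of binding objects or the
    List object from `kubectl get clusterrolebindings,rolebindings -A -o json`."""
    items = bindings.get("items", []) if isinstance(bindings, dict) else bindings
    hits = []
    for b in items:
        subjects = {(s.get("kind"), s.get("name")) for s in (b.get("subjects") or [])}
        role = b["roleRef"]["name"]
        if subjects & ANON_SUBJECTS and role not in EXPECTED_ANON_ROLES:
            hits.append((b["metadata"]["name"], role))
    return hits


def _parse_flags(argv):
    """Minimal --flag=value / --flag value parser for the proxy command line."""
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                k, v = tok[2:].split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                k, v = tok[2:], argv[i + 1]
                i += 1
            else:
                k, v = tok[2:], "true"
            opts[k] = v
        i += 1
    return opts


def audit_kubectl_proxy(cmdline):
    """Classify a `kubectl proxy` command line.
    exposed: the listener is on a non-loopback address, so any host that can
             reach the port talks to the API server with the operator's
             credentials (the proxy attaches them to every forwarded request).
    host_filter_open: --accept-hosts would also admit arbitrary Host headers.
             That filter is only defence in depth, because the Host header is
             chosen by the client; exposure is decided by the address alone."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["kubectl", "proxy"]:
        raise ValueError("not a kubectl proxy command line")
    opts = _parse_flags(argv[2:])
    address = opts.get("address", PROXY_DEFAULT_ADDRESS)
    patterns = opts.get("accept-hosts", PROXY_DEFAULT_ACCEPT_HOSTS).split(",")
    # kubectl tests the host with Go's MatchString (search semantics), so an
    # unanchored pattern such as `localhost` is permissive as well.
    host_filter_open = any(re.search(p, h) for p in patterns for h in PROBE_HOSTS)
    return {"address": address, "exposed": address not in LOOPBACK,
            "host_filter_open": host_filter_open}


# Constructed sample: the upstream default binding, one dangerous binding of
# the kind the report describes, and an ordinary one that must not be flagged.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "anonymous-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "dev-view", "namespace": "dev"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
    ],
}

if __name__ == "__main__":
    print("risky bindings:", risky_anonymous_bindings(SAMPLE_BINDINGS))
    for cmd in ("kubectl proxy",
                "kubectl proxy --address 0.0.0.0",
                "kubectl proxy --address=0.0.0.0 --accept-hosts='.*' --port=8001"):
        print(cmd, "->", audit_kubectl_proxy(cmd))
```

The point to take from the second function is the ‘host_filter_open’ field: ‘--accept-hosts’ only filters on the Host header the client sends, so it cannot substitute for keeping ‘--address’ on loopback; the middle command line above is exposed even though its Host filter is the strict default.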
ATTACK DESCRIPTION: DISCOVERING EXPOSED KUBERNETES CLUSTERS:
What follows is a summary of Aqua Nautilus’ account of how the exposed Kubernetes clusters were discovered.
Attackers use internet-wide search engines such as Shodan, Censys and ZoomEye to find misconfigured clusters or otherwise vulnerable hosts. Others scan the internet themselves, using botnets or tools such as Masscan and ZGrab, which can sweep large IP ranges quickly and identify the services running on open ports.
Aqua Nautilus noted that although its initial queries returned over 3 million results, that figure does not reflect the number of clusters actually at risk; the researchers refined their search queries to narrow the results to API servers that an attacker could readily exploit.
Over a 90-day period a series of separate Shodan searches identified over 120 IP addresses, and subsequent weekly searches turned up around 20 new IP addresses each time, bringing the total discovered over the research period to roughly 350.
Over 350 hosts were found in all. More than 72% of them were listening on ports 443 and 6443, both HTTPS (6443 is the default secure port of the Kubernetes API server).
A further 19% of the hosts used plain HTTP ports such as 8001 (the default port of ‘kubectl proxy’) and 8080 (historically the API server’s insecure, unauthenticated port), and the rest were listening on port 9999. In terms of size, 85% of the clusters had between 1 and 3 nodes, while others had between 20 and 30 nodes.
Geographically, most of the servers were located in North America, with around 80% running on AWS; over 17% were hosted by various Chinese cloud providers.
With the API server exposed, the attackers could read the cluster’s secrets and, with them, take full control of the cluster. It is worth noting that a cluster does not hold only its own secrets.
As the blog post puts it:
“In many instances, the Kubernetes cluster is a part of the organization’s Software Development Life Cycle (SDLC), thereby the Kubernetes cluster needs access to Source Code Management (SCM), Continuous Integration/Continuous Deployment (CI/CD), registries, and the Cloud Service Provider.”
The findings show what an exposed K8s cluster typically contains: the software, services and resources that let users deploy and scale applications with relative ease.
A cluster therefore houses a wide range of sensitive assets: customer data, financial records, intellectual property, access credentials, secrets, configurations, container images, infrastructure credentials, encryption keys, certificates, and network or service information.
The post lists API endpoints that yield useful information to an attacker (each is an unauthenticated GET against the API server, across all namespaces):
- ‘/api/v1/pods’: List all pods.
- ‘/api/v1/nodes’: List all nodes.
- ‘/api/v1/configmaps’: List all ConfigMaps, i.e. the non-secret configuration of the cluster’s workloads.
- ‘/api/v1/secrets’: List all secrets stored in etcd.
These secrets usually include credentials for both internal and external container registries.
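To tie the reconnaissance steps above to the endpoint list, here is an added Python example (not code from the Aqua report or from the scanners it names). It interprets what an API server returns to an unauthenticated GET, separating a server that rejects anonymous requests outright (401), one where anonymous authentication is on but RBAC denies ‘system:anonymous’ (403, the Kubernetes default), and an open cluster (200 with a list object); and it decodes ‘kubernetes.io/dockerconfigjson’ secrets from a SecretList to surface the registry credentials the article says these secrets usually carry. The host address, the responses and the secrets are all constructed, and the HTTP client is injected as a callable so nothing is contacted.

```python
"""Added illustration, not code from the Aqua report: triage what an exposed
API server says to an unauthenticated request, then pull registry credentials
out of a SecretList. All responses and secrets below are constructed."""
import base64
import json
from urllib.parse import urljoin

# The endpoints listed above, in the order an intruder usually walks them.
ENDPOINTS = ["/api/v1/pods", "/api/v1/nodes", "/api/v1/configmaps", "/api/v1/secrets"]


def classify(status, body):
    """Interpret one (HTTP status, body) pair from an unauthenticated GET.
    401 -> the API server runs with --anonymous-auth=false; RBAC never sees it.
    403 naming system:anonymous -> anonymous auth is on but RBAC denies the
           call (the default state for anything beyond /healthz, /version).
    200 with a *List object -> the misconfiguration the report describes."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-kubernetes"
    if not isinstance(doc, dict):
        return "not-kubernetes"
    if status == 401:
        return "anonymous-auth-disabled"
    if status == 403:
        denied = "system:anonymous" in doc.get("message", "")
        return "anonymous-denied-by-rbac" if denied else "forbidden"
    if status == 200 and str(doc.get("kind", "")).endswith("List"):
        return "open"
    return "unknown"


def walk(base_url, fetch):
    """Classify each endpoint. `fetch(url)` returns (status, body) and is
    injected so the logic runs offline; a live client would need TLS
    verification disabled (self-signed API server certificates) and a
    short per-host timeout."""
    return {ep: classify(*fetch(urljoin(base_url, ep))) for ep in ENDPOINTS}


def registry_credentials(secret_list):
    """Decode every kubernetes.io/dockerconfigjson secret in a SecretList and
    return (namespace, secret, registry, username); the password is left out
    deliberately so the output can be logged."""
    found = []
    for item in secret_list.get("items", []):
        if item.get("type") != "kubernetes.io/dockerconfigjson":
            continue
        cfg = json.loads(base64.b64decode(item["data"][".dockerconfigjson"]))
        for registry, auth in cfg.get("auths", {}).items():
            user = auth.get("username")
            if not user and auth.get("auth"):
                # "auth" is base64("user:password"); keep only the user.
                user = base64.b64decode(auth["auth"]).decode().split(":", 1)[0]
            found.append((item["metadata"]["namespace"], item["metadata"]["name"],
                          registry, user))
    return found


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed SecretList: an image-pull secret for a private registry and an
# Opaque secret that registry_credentials() must ignore.
SAMPLE_SECRET_LIST = {
    "kind": "SecretList", "apiVersion": "v1",
    "items": [
        {"metadata": {"name": "regcred", "namespace": "ci"},
         "type": "kubernetes.io/dockerconfigjson",
         "data": {".dockerconfigjson": _b64(json.dumps(
             {"auths": {"registry.internal.example:5000": {"auth": _b64("ci-bot:s3cr3t")}}}))}},
        {"metadata": {"name": "db-password", "namespace": "app"},
         "type": "Opaque", "data": {"password": _b64("hunter2")}},
    ],
}

# Constructed responses for hosts in the three states classify() distinguishes.
SAMPLE_RESPONSES = {
    "locked": (401, json.dumps({"kind": "Status", "status": "Failure",
                                "message": "Unauthorized", "code": 401})),
    "default": (403, json.dumps({"kind": "Status", "status": "Failure", "code": 403,
                                 "message": 'pods is forbidden: User "system:anonymous" '
                                            'cannot list resource "pods" in API group "" '
                                            'at the cluster scope'})),
    "open": (200, json.dumps(SAMPLE_SECRET_LIST)),
}


def demo(state):
    """Run walk() against a constructed host (address is a documentation IP)
    that answers every endpoint the same way; `state` keys SAMPLE_RESPONSES."""
    return walk("https://198.51.100.7:6443", lambda url: SAMPLE_RESPONSES[state])


if __name__ == "__main__":
    for state in SAMPLE_RESPONSES:
        print(state, demo(state))
    print(registry_credentials(SAMPLE_SECRET_LIST))
```

In a real sweep only the ‘open’ verdict matters to an attacker, but the 401/403 split is what a defender wants from the same probe: a 403 naming ‘system:anonymous’ means the server still accepts anonymous requests and is one careless ClusterRoleBinding away from ‘open’.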
Further findings show the clusters under ongoing attack by cryptominers. Aquasec stated that for the past two years it has been running a Kubernetes cluster and its components as honeypots, and it used that data to characterize the campaigns it observed.
The findings describe three campaigns, all ultimately aimed at mining cryptocurrency: attackers collecting secrets from exposed clusters in the wild and testing what they can do with them, the RBAC Buster campaign, and the TeamTNT campaign.
More detail on these findings can be read in the Aqua Nautilus blog post.
Let us know your thoughts in the comment section.