Cloud native specialist Aqua Security has announced that its security research team, Aqua Nautilus, has discovered 250 million artifacts and 65,600 container images exposed via thousands of misconfigured container image registries, Red Hat Quay registries, JFrog Artifactory and Sonatype Nexus artifact registries.
Many contained highly confidential and sensitive proprietary code and secrets, leaving five Fortune 500 and thousands of other companies at risk.
Registries and artifact management systems are crucial elements within the software supply chain, making them a prime target for threat actors. While many organisations open their container and artifact registries to the outside world deliberately and by design, they are sometimes unaware of, or unable to control, the sensitive information and secrets that leak into these registries.
When attackers are able to gain access, they can potentially exploit the entire software development life cycle (SDLC) toolchain and its stored artifacts.
Aqua’s research found that in some cases organisations had failed to properly secure these highly critical environments, and in other cases sensitive information had leaked into open source spaces. Either way, the environments were left exposed to the internet and vulnerable to exploitation that can lead to serious and damaging attacks.
“We began our research with the goal to better understand misconfigurations in registries, the companies behind these misconfigurations and how a skilled attacker would take advantage of exposed and misconfigured registries,” said Assaf Morag, lead threat researcher for Aqua Nautilus.
“The findings were both surprising and highly concerning. Given the magnitude of the risks we uncovered, we set out to find and alert the impacted companies.”
The findings included:
- Nautilus found sensitive keys, including secrets, credentials or tokens, on 1,400 distinct hosts, and private sensitive addresses of endpoints, such as Redis, MongoDB, PostgreSQL or MySQL, on 156 hosts.
- Researchers also found 57 registries with critical misconfigurations, 15 of which allowed admin access with the default password.
- Nautilus detected more than 2,100 artifact registries with upload permissions, which may allow an attacker to poison the registry with malicious code. In some cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys and passwords, that could be used to launch a severe software supply chain attack or poisoning of the SDLC.
- Companies impacted ranged from small to large organisations all over the world, including two large cyber security vendors.
IBM, one of the affected Fortune 500 companies, had an internal container registry exposed to the internet; after Nautilus disclosed its findings, IBM was quick to close internet access to these environments and mitigate all the risks. Other potentially impacted organisations included Alibaba, Siemens and Cisco.
Nautilus discovered that many organisations did not have a responsible disclosure program in place. These programs are crucial tools that allow security researchers to report potential vulnerabilities in a structured manner so that the organisation can quickly resolve the issue before being compromised by malicious actors.
Nautilus found that organisations with existing responsible disclosure programs were able to fix a misconfiguration in less than a week. The process was more difficult and time-consuming for those without such a program in place.
“These findings by Aqua Nautilus highlight the need for increased awareness regarding software supply chain security best practices among developers and application security teams,” notes Katie Norton, Senior Research Analyst, DevOps & DevSecOps at IDC.
“The explosion in code and use of open source, coupled with DevOps practices in rapid application development and delivery, has left organisations behind and needing to catch up in terms of governance, security controls, and education.”
On the back of these findings, Nautilus researchers recommend security teams take the following actions immediately:
1. Check whether any registries or artifact management systems are exposed to the internet.
2. If a registry is connected to the internet by design, check that the deployed version is not critically vulnerable and that the default password is not in use. Then verify that passwords are strong enough and rotate them regularly.
3. Verify that the anonymous user is disabled. If the anonymous user is purposely enabled, verify that it has minimal privileges, and regularly scan the public artifacts in your repository to verify that they do not contain any secrets or sensitive information.
4. Rotate any secrets that may have been exposed.
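Two of the steps above, checking whether a registry answers anonymous clients and scanning published artifacts for leaked secrets, can be put into a small audit script. The following is an added example written for this page, not Aqua Nautilus tooling or any vendor's code. It assumes the registry speaks the Docker Registry HTTP API v2 (so an unauthenticated `GET /v2/` and `GET /v2/_catalog` tell you its posture), and the secret patterns and sample artifact files are a constructed starter set, not an exhaustive list.

```python
"""Added example: registry anonymous-access check and artifact secret scan.

Assumptions (not from the article): the registry implements the Docker
Registry HTTP API v2, and SECRET_PATTERNS below is a small constructed
starter set that you would extend for your own stack.
"""
import re
import urllib.error
import urllib.request

# Constructed starter set of secret patterns; tune and extend as needed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Private data-store endpoints (Redis, MongoDB, PostgreSQL, MySQL) count as sensitive.
    "db_endpoint_uri": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s'\"]+"),
    "token_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+]{12,})"
    ),
}


def classify_probe(ping_status: int, catalog_status: int) -> str:
    """Classify unauthenticated responses to GET /v2/ and GET /v2/_catalog.

    200 on /v2/_catalog: anyone can enumerate repositories (anonymous user enabled).
    200 on /v2/ only:    anonymous clients are accepted but the catalog is hidden.
    401 on /v2/:         a credential challenge is enforced before any access.
    """
    if catalog_status == 200:
        return "anonymous-catalog-listing"
    if ping_status == 200:
        return "anonymous-ping-only"
    if ping_status == 401:
        return "auth-required"
    return "unknown"


def _status(url: str, timeout: float) -> int:
    """HTTP status of an unauthenticated GET; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_registry(base_url: str, timeout: float = 5.0) -> str:
    """Probe a registry you operate and report its anonymous-access posture."""
    base = base_url.rstrip("/")
    ping = _status(f"{base}/v2/", timeout)
    catalog = _status(f"{base}/v2/_catalog", timeout)
    return classify_probe(ping, catalog)


def scan_for_secrets(text: str) -> list[tuple[str, int, str]]:
    """Return (pattern_name, line_number, redacted_preview) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Keep only a short prefix so the report itself does not leak the secret.
                hits.append((name, lineno, match.group(0)[:6] + "..."))
    return hits


def audit_artifacts(files: dict[str, str]) -> dict[str, list[tuple[str, int, str]]]:
    """Scan extracted artifact files (path -> contents); keep only files with hits."""
    report = {}
    for path, contents in files.items():
        hits = scan_for_secrets(contents)
        if hits:
            report[path] = hits
    return report


# Constructed sample of files extracted from a published artifact (not real data).
SAMPLE_ARTIFACT_FILES = {
    "app/.env": (
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "API_TOKEN=tok_constructed_0123456789abcdef\n"
    ),
    "app/config.yaml": "log_level: info\nreplicas: 3\n",
    "deploy/id_deploy": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # optional: python audit.py https://registry.example.internal
        print(sys.argv[1], "->", probe_registry(sys.argv[1]))
    for path, hits in audit_artifacts(SAMPLE_ARTIFACT_FILES).items():
        for name, lineno, preview in hits:
            print(f"{path}:{lineno}: {name} ({preview})")
```

Run against a registry you own, `anonymous-catalog-listing` is the condition the research describes as the anonymous user being enabled, and any hit from `audit_artifacts` on a public artifact is a secret that needs rotating (step 4), not just deleting from the next build.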
“Our findings illustrate how easy it is for an attacker to compromise an organisation’s SDLC as well as underscore the serious threat of overlooking simple configuration errors,” said Morag.
“Moving forward, security teams should ensure they have responsible disclosure programs in place and invest more in detecting and mitigating threats to the software supply chain.”