Aqua Nautilus researchers find Kubernetes clusters under attack in hundreds of organisations

Aqua Security, the pioneer in cloud native security, today announced a three-month-long investigation by its research team. Aqua Nautilus uncovered that Kubernetes clusters belonging to more than 350 organisations, open-source projects, and individuals, were openly accessible and unprotected.

A notable subset of clusters was connected to vast conglomerates and Fortune 500 companies. At least 60% of these clusters were breached and had an active campaign with deployed malware and backdoors.

The exposures were due to two misconfigurations, emphasising how known and unknown misconfigurations are actively exploited in the wild and can be catastrophic.

“In the wrong hands, access to a company’s Kubernetes cluster could be business ending. Proprietary code, intellectual property, customer data, financial records, access credentials and encryption keys are among the many sensitive assets at risk,” said Assaf Morag, lead threat intelligence analyst at Aqua Nautilus.

“As Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerised applications, organisations are entrusting highly sensitive information and tokens in their clusters. This research is a wakeup call about the importance of Kubernetes security.”

In the research, Nautilus highlights a well-known misconfiguration that allows anonymous access with privileges. The second less-known issue was a misconfiguration of the `kubectl` proxy with flags that unknowingly exposed the Kubernetes cluster to the internet.

Impacted hosts included organisations across a variety of sectors, including financial services, aerospace, automotive, industrial and security, among others.

Most concerning were the open source projects and unsuspecting developers who could inadvertently trust and download a malicious package. If compromised, it could trigger a supply chain infection vector with implications for millions of users.

“We analysed many real-world incidents where attackers exploited these misconfigurations to deploy malware, cryptominers, and backdoors,” said Morag.

“Despite the potential risks and tools like Aqua’s software supply chain security suite, misconfigurations continue to persist across organisations of all sizes and industries. Clearly there is a gap in security knowledge and management of Kubernetes. These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed.”

Nautilus contacted the accessible cluster owners they identified, and the responses were also troubling.

Morag explains: “We were amazed that the initial response was indifference. Many said their clusters ‘are just staging or testing environments.’ However, once we showed them the full potential of an attack from an attacker’s perspective and the potential devastating impact on their organisations, they were all shocked and immediately resolved the issue.

“There is a clear lack of understanding and awareness regarding misconfiguration risks and their impact.”

Nautilus found that approximately 60% of the clusters were actively under attack by cryptominers and created the first known Kubernetes honeypot environment to collect further data about these attacks to shed light on these ongoing campaigns.

Among the key findings, Nautilus discovered the recently reported novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT targeting Kubernetes clusters.

Researchers also uncovered a role-based access control (RBAC) Buster campaign to create a hidden backdoor as well as cryptomining campaigns, including a more extensive execution of the previously discovered Dero Campaign with additional container images that cumulatively had hundreds of thousands of pulls.

Nautilus recommends leveraging native Kubernetes features, such as RBAC and admission control policies, to limit privileges and enforce policies that bolster security.

Security teams can also implement regular auditing of Kubernetes clusters to identify anomalies and take quick remedial actions. The Aqua Platform as well as open source tools, such as Aqua Trivy, Aqua Tracee and Kube-Hunter, can be helpful in scanning Kubernetes environments, detecting anomalies and weaknesses, and preventing exploits in real time.

By employing these and other mitigation strategies, organizations can significantly enhance their Kubernetes security, ensuring that their clusters are safe from common attacks. For the full findings and a list of mitigation recommendations, visit Aqua’s blog.