Friday, November 15, 2024
HomeCyber Security NewsExposed Kubernetes Secrets Allow Hackers to Access Sensitive Environments

Exposed Kubernetes Secrets Allow Hackers to Access Sensitive Environments

Published on

Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. 

Besides this, hackers often target Kubernetes due to its widespread adoption, making it a valuable attack vector for compromising and controlling distributed systems. 

Security vulnerabilities in Kubernetes configurations can lead to the following:-

- Advertisement - SIEM as a Service
  • Unauthorized access
  • Data breaches
  • Disruption of critical services

Cybersecurity researchers at Aqua Nautilus recently discovered exposed Kubernetes secrets in many organizations, posing a severe supply chain attack threat by granting access to sensitive SDLC environments.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Technical analysis

SAP’s system had 95 million artifacts, and not only that, but even top blockchain firms and Fortune 500s were also there.

Kubernetes.io has a Secrets config section, and by default, it stores them in unencrypted form in etcd (API server’s underlying datastore).

There are eight Secret types, and security analysts focus on:- 

  • dockercfg 
  • dockerconfigjson

In this scenario, the exploitation potential varies, as the basic-auth, tls, and ssh-auth need cluster details. Meanwhile, for internal exploits, the service account token is critically valuable.

Eight built-in types of Secrets:-

  • Opaque
  • kubernetes.io/service-account-token
  • kubernetes.io/dockercfg
  • kubernetes.io/dockerconfigjson
  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth
  • kubernetes.io/tls
  • bootstrap.kubernetes.io/token

Security analysts used GitHub API to bypass the 1,000 limit with the help of a recursive search. Besides this, the complex regex targets YAML files with dockercfg/dockerconfigjson and base64-encoded secrets. 

Hundreds of cases were found by analysts in public repositories, highlighting the seriousness of the problem that affects the following entities:-

  • Individuals
  • Open-source projects
  • Large organizations

Researchers found 8,000 GitHub entries with .dockerconfigjson and .dockercfg. After refining the search to the base64-encoded user and password values, 438 records with potential credentials were identified. 

About 46% (203 records) had valid credentials, granting access to registries for pulling and pushing. Many registries contained private container images. 

Stakeholders were notified to address the exposed secrets. The dockerconfigjson field in Kubernetes stores Docker registry access credentials, enabling:- 

  • Image pull 
  • Image push
Exposed YAML (Source - Aquasec)
Exposed YAML (Source – Aquasec)

Exposed registries

Exposed registries (Source - Aquasec)
Exposed registries (Source – Aquasec)

Use cases

While analyzing the 203 registries with valid credentials, analysts uncovered cases highlighting risks of exposed registries to organizations or open-source projects, with a focus on:-

  • Red Hat
  • Quay
  • Docker Hub

Here below, we have mentioned all the use cases:-

  • Use Case #1: SAP SE artifacts repository
  • Use Case #2: Blockchain companies
  • Use Case #3: Docker Hub accounts

Mitigations

Here below, we have mentioned all the provided mitigations:-

  • Remove from GitHub files containing sensitive information.
  • Use a Secrets Management Tool.
  • Use Environment Variables.
  • Encrypt Data at Rest.
  • Audit and Rotate Secrets.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...