Saturday, June 15, 2024

Exposed Kubernetes Secrets Allow Hackers to Access Sensitive Environments

Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. 

Its widespread adoption also makes Kubernetes a frequent target for attackers and a valuable attack vector for compromising and controlling distributed systems.

Security vulnerabilities in Kubernetes configurations can lead to the following:

  • Unauthorized access
  • Data breaches
  • Disruption of critical services

Cybersecurity researchers at Aqua Nautilus recently discovered exposed Kubernetes secrets in many organizations, posing a severe supply chain attack threat by granting access to sensitive SDLC environments.

Technical analysis

The exposed environments included an SAP system with 95 million artifacts, as well as top blockchain firms and Fortune 500 companies.

Kubernetes Secrets, documented in the Secrets configuration section of kubernetes.io, are stored unencrypted by default in etcd (the API server’s underlying datastore).

There are eight Secret types, and the security analysts focused on two of them:

  • dockercfg 
  • dockerconfigjson

The exploitation potential varies by type: basic-auth, tls, and ssh-auth Secrets need cluster details to be usable, while the service account token is critically valuable for internal exploits.

The eight built-in types of Secrets:

  • Opaque
  • kubernetes.io/service-account-token
  • kubernetes.io/dockercfg
  • kubernetes.io/dockerconfigjson
  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth
  • kubernetes.io/tls
  • bootstrap.kubernetes.io/token

The analysts used the GitHub API with a recursive search to get past the 1,000-result limit, together with a complex regex that targets YAML files containing dockercfg/dockerconfigjson and base64-encoded secrets.

They found hundreds of cases in public repositories, highlighting the seriousness of a problem that affects the following entities:

  • Individuals
  • Open-source projects
  • Large organizations

Researchers found 8,000 GitHub entries with .dockerconfigjson and .dockercfg. After refining the search to the base64-encoded user and password values, 438 records with potential credentials were identified. 

About 46% (203 records) had valid credentials, granting access to registries for pulling and pushing. Many registries contained private container images. 

Stakeholders were notified to address the exposed secrets. The dockerconfigjson field in Kubernetes stores Docker registry access credentials, enabling:

  • Image pull 
  • Image push

Exposed YAML (Source – Aquasec)

Exposed registries (Source – Aquasec)

Use cases

While analyzing the 203 registries with valid credentials, analysts uncovered cases highlighting the risks of exposed registries to organizations or open-source projects, with a focus on:

  • Red Hat
  • Quay
  • Docker Hub

The use cases are:

  • Use Case #1: SAP SE artifacts repository
  • Use Case #2: Blockchain companies
  • Use Case #3: Docker Hub accounts

Mitigations

The provided mitigations are:

  • Remove files containing sensitive information from GitHub.
  • Use a Secrets Management Tool.
  • Use Environment Variables.
  • Encrypt Data at Rest.
  • Audit and Rotate Secrets.
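
An added example (not from Aqua's research or the original article) supporting the first and last mitigations: a Python check that finds `.dockerconfigjson` / `.dockercfg` values in a manifest from your own repository and reports which registries have embedded logins, without returning passwords. The sample manifest, registry host and credentials are constructed, and the function name is hypothetical.

```python
import base64
import json
import re

# Constructed sample: registry host, user and password are made up.
_login = base64.b64encode(b"ci-bot:not-a-real-password").decode()
_cfg = json.dumps({"auths": {"registry.example.com": {"auth": _login}}})
SAMPLE_MANIFEST = f"""\
apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {base64.b64encode(_cfg.encode()).decode()}
"""

# Data key of either registry Secret type, followed by a base64 value.
FIELD_RE = re.compile(
    r'^\s*"?\.(dockerconfigjson|dockercfg)"?\s*:\s*"?([A-Za-z0-9+/=]+)"?\s*$',
    re.MULTILINE,
)

def find_registry_credentials(manifest_text):
    """Return (field, registry, username) per embedded login; no passwords."""
    findings = []
    for field, blob in FIELD_RE.findall(manifest_text):
        try:
            config = json.loads(base64.b64decode(blob, validate=True))
        except ValueError:  # bad base64, bad UTF-8 or bad JSON: a placeholder
            continue
        # .dockerconfigjson nests registries under "auths"; .dockercfg is flat.
        if field == "dockerconfigjson" and isinstance(config, dict):
            config = config.get("auths")
        if not isinstance(config, dict):
            continue
        for registry, entry in config.items():
            if not isinstance(entry, dict):
                continue
            user = entry.get("username")
            if not user and isinstance(entry.get("auth"), str):
                try:  # "auth" is base64("user:password")
                    raw = base64.b64decode(entry["auth"])
                    user = raw.decode("utf-8", "replace").split(":", 1)[0]
                except ValueError:
                    user = None
            if user or entry.get("password"):
                findings.append((field, registry, user))
    return findings
```

Any finding means the credential should be treated as exposed and rotated, not just deleted from the file, since it remains in the repository history.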

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.