Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications.
Because of its widespread adoption, attackers frequently target Kubernetes: a compromised cluster is a valuable foothold for taking control of distributed systems.
Security vulnerabilities in Kubernetes configurations can lead to the following:-
Unauthorized access
Data breaches
Disruption of critical services
Cybersecurity researchers at Aqua Nautilus recently discovered exposed Kubernetes secrets in many organizations, posing a severe supply chain attack threat by granting access to sensitive SDLC environments.
Technical analysis
SAP SE's artifacts repository alone held 95 million artifacts, and the affected owners also included top blockchain firms and Fortune 500 companies.
The Kubernetes documentation on Secrets notes that, by default, Secrets are stored unencrypted in etcd (the API server's underlying datastore).
There are eight Secret types, and security analysts focus on:-
dockercfg
dockerconfigjson
The exploitation potential varies by type: basic-auth, tls, and ssh-auth secrets are of limited use without additional cluster details, whereas a service account token is critically valuable to an attacker who already has internal access.
Eight built-in types of Secrets:-
Opaque
kubernetes.io/service-account-token
kubernetes.io/dockercfg
kubernetes.io/dockerconfigjson
kubernetes.io/basic-auth
kubernetes.io/ssh-auth
kubernetes.io/tls
bootstrap.kubernetes.io/token
The analysts used the GitHub API with a recursive search to work around its 1,000-result limit, combined with a regex that targets YAML files containing dockercfg/dockerconfigjson fields with base64-encoded secrets.
Analysts found hundreds of cases in public repositories, highlighting the seriousness of a problem that affects the following entities:-
Individuals
Open-source projects
Large organizations
Researchers found 8,000 GitHub entries with .dockerconfigjson and .dockercfg. After refining the search to the base64-encoded user and password values, 438 records with potential credentials were identified.
About 46% (203 records) had valid credentials, granting access to registries for pulling and pushing. Many registries contained private container images.
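The search procedure described above (match the dockercfg/dockerconfigjson field in a YAML manifest, base64-decode it, then look for the embedded user and password values) is the same check a team can run over its own manifests before they reach a public repository. The following is an added example written for this article, not code from Aqua Nautilus; it uses only the Python standard library, matches both Secret fields with a regex, decodes the JSON, and reports the registry host and username while never printing the password. The sample manifests, registry hostnames and credentials in it are constructed, as is the GitHub-independent file-scanning design:

```python
import base64
import binascii
import json
import re

# Regexes for the two registry-credential Secret fields the analysis focused on.
# The captured value is the base64 blob Kubernetes expects under "data:".
_FIELD_PATTERNS = {
    ".dockerconfigjson": re.compile(r"^\s*\.dockerconfigjson:\s*([A-Za-z0-9+/=]+)\s*$", re.MULTILINE),
    ".dockercfg": re.compile(r"^\s*\.dockercfg:\s*([A-Za-z0-9+/=]+)\s*$", re.MULTILINE),
}


def _decode_json_blob(value):
    """base64-decode a Secret data value and parse it as JSON; None if either step fails."""
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def _credential_parts(entry):
    """Return (username, has_password) for one registry entry without exposing the password.

    Entries may carry explicit username/password keys, an "auth" key holding
    base64("user:password"), or both.
    """
    username = entry.get("username")
    has_password = bool(entry.get("password"))
    auth = entry.get("auth")
    if auth:
        try:
            decoded = base64.b64decode(auth, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = ""
        user, sep, password = decoded.partition(":")
        if sep:
            username = username or user
            has_password = has_password or bool(password)
    return username, has_password


def find_registry_secrets(manifest_text):
    """Scan manifest text for registry credentials; one finding per registry entry.

    Each finding reports the field, registry host, username and whether a
    password is present. The password itself is never returned.
    """
    findings = []
    for field, pattern in _FIELD_PATTERNS.items():
        for match in pattern.finditer(manifest_text):
            blob = _decode_json_blob(match.group(1))
            if not isinstance(blob, dict):
                continue  # value is not base64 JSON: a regex false positive, skipped
            # .dockerconfigjson nests entries under "auths"; legacy .dockercfg is the map itself
            entries = blob.get("auths", {}) if field == ".dockerconfigjson" else blob
            if not isinstance(entries, dict):
                continue
            for host, entry in entries.items():
                if isinstance(entry, dict):
                    username, has_password = _credential_parts(entry)
                    findings.append({"field": field, "registry": host,
                                     "username": username, "has_password": has_password})
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample manifests (not taken from the article): two credential Secrets
# plus one decoy whose value decodes to plain text rather than JSON.
_SAMPLE_AUTHS = {"auths": {
    "registry.example.com": {"username": "ci-bot", "password": "hunter2", "auth": _b64("ci-bot:hunter2")},
    "quay.example.org": {"auth": _b64("deploy:s3cret")},
}}
_SAMPLE_DOCKERCFG = {"docker.example.net": {"username": "legacy", "password": "old-pass"}}

SAMPLE_MANIFEST = f"""\
apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {_b64(json.dumps(_SAMPLE_AUTHS))}
---
apiVersion: v1
kind: Secret
metadata:
  name: legacy-regcred
type: kubernetes.io/dockercfg
data:
  .dockercfg: {_b64(json.dumps(_SAMPLE_DOCKERCFG))}
---
apiVersion: v1
kind: Secret
metadata:
  name: decoy
data:
  .dockerconfigjson: {_b64("not a docker config at all")}
"""


def format_report(findings):
    """Human-readable lines for a pre-commit hook or CI log; never includes a password."""
    return [f"{f['field']} -> {f['registry']} user={f['username'] or '?'} "
            f"password={'present' if f['has_password'] else 'absent'}" for f in findings]


if __name__ == "__main__":
    for line in format_report(find_registry_secrets(SAMPLE_MANIFEST)):
        print(line)
```

Run as a pre-commit hook over `*.yaml` files, a non-empty finding list is the signal to block the commit; the decoy entry shows why the regex hit alone is not enough and the decode step is needed to separate real credentials from noise.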
Stakeholders were notified to address the exposed secrets. The dockerconfigjson field in Kubernetes stores Docker registry access credentials, enabling:-
Image pull
Image push
Exposed YAML (Source – Aquasec)
Exposed registries (Source – Aquasec)
Use cases
While analyzing the 203 registries with valid credentials, analysts uncovered cases that highlight the risks exposed registries pose to organizations and open-source projects, focusing on:-
Red Hat
Quay
Docker Hub
The use cases are:-
Use Case #1: SAP SE artifacts repository
Use Case #2: Blockchain companies
Use Case #3: Docker Hub accounts
Mitigations
The mitigations provided are:-
Remove from GitHub files containing sensitive information.
Use a Secrets Management Tool.
Use Environment Variables.
Encrypt Data at Rest.
Audit and Rotate Secrets.
The post Exposed Kubernetes Secrets Allow Hackers to Access Sensitive Environments appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .