
More than 380,000 Kubernetes API servers are accessible from the public internet in some way, researchers have discovered, making Kubernetes, a popular open-source container orchestration system used to manage cloud deployments, a broad attack surface and an easy target for threat actors.

According to a blog post this week, the Shadowserver Foundation discovered the issue while scanning the internet for Kubernetes API servers. Currently, more than 450,000 servers are affected.

Shadowserver scans ports 443 and 6443 across the IPv4 space every day, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request succeeded.

Of the 454,729 instances of the Kubernetes API discovered by Shadowserver, 381,645 responded with "200 OK," the researchers said. As a result, open API instances accounted for nearly 84% of all API instances scanned by Shadowserver.

In addition, the majority of the accessible Kubernetes servers, 201,348 or nearly 53%, are located in the United States.

While the results of the scan did not mean the servers were fully open or vulnerable, it did indicate "an exposed attack surface" in all of them, the blog said.

The researchers noted that this exposure could allow version and build information to leak.

Cloud facilities are under attack

It is very disturbing that attackers have increasingly targeted Kubernetes cloud clusters.

But in fact, Erfan Shadabi, a cybersecurity expert at data security firm comforte AG, said in an email to the media that he was not surprised that Shadowserver scans found so many Kubernetes servers exposed on the public internet:

"Kubernetes provides a lot of convenience for agile application delivery in the enterprise, and there are some characteristics that make it an ideal attack target. For example, due to having many containers, Kubernetes has a large attack surface, which can be very difficult if not protected up front and may be exploited by attackers."

Security of Open Source Facilities

The finding raises the long-standing question of how to build security into open-source systems that have become ubiquitous as part of modern internet and cloud infrastructure. As a result, an attack on them has become an attack on the myriad systems they are connected to.

The problem was noticed last year, six months after researchers discovered the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j.

The vulnerability is easily exploitable and allows an unauthenticated attacker to remotely execute code (RCE) and take over the server completely. A recent report found that despite the availability of patches for Log4Shell, millions of Java applications still have a large number of vulnerabilities.

According to Shadabi, Kubernetes suffers from an Achilles heel: the data security features built into the platform offer only minimal data protection, and the data itself is not continuously protected, for example with industry-accepted techniques such as field-level tokenization. So, if an ecosystem is compromised, sooner or later the sensitive data it handles will be subject to more stealthy attacks.

Shadabi's advice to organizations using containers and Kubernetes in production is to take Kubernetes security as seriously and comprehensively as they do IT infrastructure.

Finally, the Shadowserver Foundation recommends that if administrators discover that Kubernetes instances in their environment are accessible from the internet, they should consider requiring authorization for access or blocking at the firewall level to reduce the exposed attack surface.
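
To apply the scan criterion described above (an HTTP 200 OK on port 443 or 6443) to your own clusters, the following added example, which is not from Shadowserver or the original article, classifies responses recorded from endpoints you administer. It assumes the request was a GET to the API server's `/version` path; the addresses and response bodies are constructed samples.

```python
import json

# Constructed sample: (host, port, HTTP status, body) recorded for GET /version
# on endpoints the auditor administers. Documentation-range addresses only.
SAMPLE = [
    ("192.0.2.10", 6443, 200,
     '{"major":"1","minor":"24","gitVersion":"v1.24.0","buildDate":"2022-05-03T13:38:19Z"}'),
    ("192.0.2.11", 6443, 401,
     '{"kind":"Status","status":"Failure","reason":"Unauthorized","code":401}'),
    ("192.0.2.12", 443, 403,
     '{"kind":"Status","status":"Failure","reason":"Forbidden","code":403}'),
    ("192.0.2.13", 443, 200, "<html><body>It works</body></html>"),
]


def classify(status, body):
    """Return (finding, leaked_version) for one recorded response."""
    try:
        info = json.loads(body)
    except ValueError:
        info = None
    if not isinstance(info, dict):
        # Port 443 is shared with ordinary web servers; a 200 alone proves nothing.
        return ("not-kubernetes", None)
    if status == 200 and "gitVersion" in info:
        # Anonymous request answered: version and build details are disclosed.
        return ("exposed", info["gitVersion"])
    if status in (401, 403) and info.get("kind") == "Status":
        # 401: anonymous requests rejected; 403: anonymous user not authorized.
        return ("auth-required", None)
    return ("not-kubernetes", None)


def audit(records):
    """Summarise an inventory: anonymous-answering API servers and their share."""
    exposed, api_servers = [], 0
    for host, port, status, body in records:
        finding, version = classify(status, body)
        if finding != "not-kubernetes":
            api_servers += 1
        if finding == "exposed":
            exposed.append((host, port, version))
    share = round(100 * len(exposed) / api_servers, 1) if api_servers else 0.0
    return {"api_servers": api_servers, "exposed": exposed, "exposed_share_pct": share}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Endpoints reported as `exposed` are the candidates for the authorization or firewall changes Shadowserver recommends.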


snakesss