Thousands of misconfigured artifact repositories and container image registries have been discovered by researchers, exposing organizations to potentially serious software supply chain attacks, according to Aqua Nautilus.
The security vendor found that over 250 million software artifacts and more than 65,000 container images had been exposed in this way, putting at risk some of the world’s largest companies, including several Fortune 500 firms.
Artifact management systems and container registries are often deliberately connected to the internet and allow anonymous users to connect so that global stakeholders can access open source software. Yet not every exposure is intentional.
The report shed light on instances where “restricted environments are accidentally shared with anonymous users” and other examples where teams “accidentally publish sensitive information to public areas.”
The misconfigurations found by the Aqua Nautilus team included mistakenly connecting registries to the internet, exposing secrets to public registries, using default passwords and granting excessive privileges to users. It also found instances of private container image registries that had been misconfigured to allow anonymous access, or even ones that had it built in as a feature.
“We found 57 registries with critical vulnerabilities such as default admin passwords, out of which 15 registries allowed admin access with the default password,” the report noted. “We detected more than 2100 artifact registries with upload permissions, which may allow an attacker to poison the registry with malicious code.”
Small, medium and large organizations worldwide were exposed in this way, including 10 Fortune 500 firms – five of which had registries containing highly sensitive information that was exposed or allowed anonymous access. The researchers also found two cybersecurity companies with exposed secrets in their registries.
Aqua Nautilus recommended firms mitigate the risks to their cloud-native environments by:
- Securing repositories with network controls such as VPNs or firewalls
- Enforcing strong authentication and authorization, such as strong passwords and two-factor authentication
- Regularly rotating keys, credentials and secrets
- Implementing least privilege access controls, restricting access to specific repositories and artifacts as needed
- Regularly scanning artifacts for known vulnerabilities and for embedded secrets, and conducting regular security assessments of repositories
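To make those recommendations checkable, the following added example (written for this page, not Aqua Nautilus's tooling) probes a Docker Registry HTTP API v2 endpoint for the three anonymous-access conditions the report describes: anonymous read, repository enumeration via the catalog endpoint, and anonymous push (the "upload permissions" that allow registry poisoning). The hostname registry.example.internal, the probe repository name, the two stand-in transports and the repository names they return are all constructed for the example so that it runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport is any callable (method, url, body) -> (status, lower-cased headers, body).
# Injecting it lets the same checks run against a live registry or against the
# constructed in-process stand-ins below, with no network access.
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(method: str, url: str, body: Optional[bytes] = None):
    """Real HTTP transport on the standard library; not used by the offline demo."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def assess_registry(base_url: str, transport: Transport = urllib_transport,
                    probe_repo: str = "zz-probe/anon-push-check") -> Dict[str, object]:
    """Check a Registry v2 endpoint for anonymous read, catalog listing and anonymous push.
    Nothing is written: the push probe opens an upload session and cancels it at once."""
    base = base_url.rstrip("/")
    findings: Dict[str, object] = {}

    # 1. Anonymous read: a hardened registry answers GET /v2/ with 401 plus a
    #    WWW-Authenticate challenge; 200 means anyone can pull without credentials.
    status, headers, _ = transport("GET", f"{base}/v2/", None)
    findings["anonymous_read"] = status == 200
    findings["auth_challenge"] = headers.get("www-authenticate")

    # 2. Repository enumeration: a 200 from GET /v2/_catalog lets an attacker list
    #    every repository name, which is how supposedly private images get found.
    status, _, body = transport("GET", f"{base}/v2/_catalog?n=100", None)
    repos: List[str] = []
    if status == 200:
        try:
            repos = list(json.loads(body).get("repositories", []))
        except ValueError:
            pass
    findings["catalog_listable"] = status == 200
    findings["repositories"] = repos

    # 3. Anonymous push: POST /v2/<name>/blobs/uploads/ returns 202 with a Location
    #    header when the caller is allowed to push; 401/403 when it is not.
    status, headers, _ = transport("POST", f"{base}/v2/{probe_repo}/blobs/uploads/", None)
    findings["anonymous_push"] = status == 202
    location = headers.get("location")
    if status == 202 and location:
        if location.startswith("/"):
            location = base + location
        transport("DELETE", location, None)  # cancel the upload session we just opened
    return findings


def risk_level(findings: Dict[str, object]) -> str:
    """Anonymous push outranks enumeration, which outranks anonymous read."""
    if findings["anonymous_push"]:
        return "critical"
    if findings["catalog_listable"]:
        return "high"
    if findings["anonymous_read"]:
        return "medium"
    return "low"


# --- Constructed stand-ins (not real registries) so the checks can run offline ---

def fake_misconfigured_registry(method, url, body=None):
    """Behaves like a registry left open to anonymous pull, catalog listing and push."""
    path = urllib.parse.urlsplit(url).path
    if method == "GET" and path == "/v2/":
        return 200, {"docker-distribution-api-version": "registry/2.0"}, b"{}"
    if method == "GET" and path == "/v2/_catalog":
        listing = {"repositories": ["internal/billing-api", "internal/ci-runner"]}
        return 200, {}, json.dumps(listing).encode()
    if method == "POST" and path.endswith("/blobs/uploads/"):
        return 202, {"location": path + "7f3c1e2a"}, b""
    if method == "DELETE":
        return 204, {}, b""
    return 404, {}, b""


def fake_hardened_registry(method, url, body=None):
    """Behaves like a registry that demands a bearer token for every request."""
    challenge = 'Bearer realm="https://registry.example.internal/token",service="registry"'
    return 401, {"www-authenticate": challenge}, b'{"errors":[{"code":"UNAUTHORIZED"}]}'


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # live probe; only against registries you are authorised to test
        result = assess_registry(sys.argv[1])
    else:                   # offline demonstration against the constructed stand-in
        result = assess_registry("https://registry.example.internal",
                                 transport=fake_misconfigured_registry)
    print(risk_level(result), json.dumps(result, indent=2))
```

Two caveats when running this against real infrastructure: the push probe does send a POST, so only point it at registries you are authorised to test, and `_catalog` is not implemented by every hosted registry, so a 404 there does not prove enumeration is blocked. The default-password finding from the report is product-specific and is deliberately not part of this probe.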
Worryingly, while some vendors contacted by the researchers were keen to engage and take corrective action, other “major corporations” ignored their warnings, the report claimed.