Researchers have discovered over 40,000 Kubernetes and Docker container hosting devices exposed to the public internet through misconfigurations.
Palo Alto Networks’ Unit 42 revealed the results of its latest research in a blog post yesterday. The discovery was made via a simple Shodan search.
Some 23,353 Kubernetes containers were found in this way, located mainly in the US, as well as Ireland, Germany, Singapore, and Australia. Even more (23,354) misconfigured Docker containers were discovered exposed to the internet, mainly in China, the US, Germany, Hong Kong and France.
“This does not necessarily mean that each of these 40,000+ platforms are vulnerable to exploits or even the leakage of sensitive data: it simply highlights that seemingly basic misconfiguration practices exist and can make organizations targets for further compromising events,” explained senior threat researcher, Nathaniel Quist.
“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organizations.”
This has happened several times in the past: attackers exploited weak security configurations to steal keys and tokens for 190,000 Docker Hub accounts, while poor container security also led to a major breach of 13 million user records at Ladders.
Digging down into the exposed containers they found, the Palo Alto researchers discovered unprotected databases, in one case exposing multiple email addresses.
“Misconfigurations such as using default container names and leaving default service ports exposed to the public leave organizations vulnerable to targeted reconnaissance,” Quist concluded.
“Using the proper network policies, or firewalls can prevent internal resources from being exposed to the public internet. Additionally, investing in cloud security tools can alert organizations to risks within their current cloud infrastructure.”
Some 60% of US organizations experienced security incidents related to their use of containers over the previous year, according to research from Tripwire released in January.