Aqua News Aqua Nautilus Researchers Find Kubernetes Clusters Under Attack in Hundreds of Organizations

Malware and backdoors used in attacks affecting many Fortune 500 companies

BOSTON—August 8, 2023—Aqua Security, the pioneer in cloud native security, today announced a three-month-long investigation by its research team. Aqua Nautilus uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals, were openly accessible and unprotected. A notable subset of clusters was connected to vast conglomerates and Fortune 500 companies. At least 60% of these clusters were breached and had an active campaign with deployed malware and backdoors. The exposures were due to two misconfigurations, emphasizing how known and unknown misconfigurations are actively exploited in the wild and can be catastrophic.

“In the wrong hands, access to a company’s Kubernetes cluster could be business ending. Proprietary code, intellectual property, customer data, financial records, access credentials and encryption keys are among the many sensitive assets at risk,” said Assaf Morag, lead threat intelligence analyst at Aqua Nautilus.  “As Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerized applications, organizations are entrusting highly sensitive information and tokens in their clusters. This research is a wakeup call about the importance of Kubernetes security.”

In the research, Nautilus highlights a well-known misconfiguration that allows anonymous access with privileges. The second less-known issue was a misconfiguration of the `kubectl` proxy with flags that unknowingly exposed the Kubernetes cluster to the internet. Impacted hosts included organizations across a variety of sectors, including financial services, aerospace, automotive, industrial, and security, among others. Most concerning were the open source projects and unsuspecting developers who could inadvertently trust and download a malicious package. If compromised, it could trigger a supply chain infection vector with implications for millions of users.

“We analyzed many real-world incidents where attackers exploited these misconfigurations to deploy malware, cryptominers, and backdoors,” said Morag. “Despite the potential risks and tools like Aqua’s Software Supply Chain Security suite, misconfigurations continue to persist across organizations of all sizes and industries. There is clearly a gap in security knowledge and management of Kubernetes. These findings underscore the extensive damage that can result if vulnerabilities are not properly addressed.”

Nautilus contacted the accessible cluster owners they identified, and the responses were also troubling.  Morag explains, “We were amazed that the initial response was indifference. Many said their clusters ‘are just staging or testing environments.’ However, once we showed them the full potential of an attack from an attacker’s perspective and the potential devastating impact on their organizations, they were all shocked and immediately resolved the issue. There is a clear lack of understanding and awareness regarding misconfiguration risks and their impact.”

Ongoing Campaigns Against Kubernetes Clusters

Nautilus found that approximately 60% of the clusters were actively under attack by cryptominers and created the first known Kubernetes honeypot environment to collect further data about these attacks to shed light on these ongoing campaigns. Among the key findings, Nautilus discovered the recently reported novel and highly aggressive Silentbob campaign, revealing the resurgence of TeamTNT targeting Kubernetes clusters.  Researchers also uncovered a role-based access control (RBAC) Buster campaign to create a hidden backdoor as well as cryptomining campaigns, including a more extensive execution of the previously discovered Dero Campaign with additional container images that cumulatively had hundreds of thousands of pulls.

Nautilus recommends leveraging native Kubernetes features, such as RBAC and admission control policies, to limit privileges and enforce policies that bolster security. Security teams can also implement regular auditing of Kubernetes clusters to identify anomalies and take quick remedial actions. The Aqua Platform as well as open source tools, such as Aqua Trivy, Aqua Tracee and Kube-Hunter, can be helpful in scanning Kubernetes environments, detecting anomalies and weaknesses, and preventing exploits in real time.

By employing these and other mitigation strategies, organizations can significantly enhance their Kubernetes security, ensuring that their clusters are safe from common attacks. For the full findings and a list of mitigation recommendations, visit Aqua’s blog.

About Aqua Nautilus

Aqua Nautilus focuses on cybersecurity research of the cloud native stack. Its mission is to uncover new vulnerabilities, threats and attacks that target containers, Kubernetes, serverless, and public cloud infrastructure — enabling new methods and tools to address them. With a global network of honeypots, Aqua Nautilus catches more than 80,000 cloud native attacks every month, specifically those unique to containers and microservices that other platforms cannot see.

About Aqua Security

Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered

in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com/.