BOSTON—April 24, 2023—Aqua Security, the pioneer in cloud native security, today announced that its security research team, Aqua Nautilus, discovered 250 million artifacts and 65,600 container images that were exposed via thousands of misconfigured container images, Red Hat Quay registries, JFrog Artifactory and Sonatype Nexus artifact registries. Many contained highly confidential and sensitive proprietary code and secrets, leaving five Fortune 500 and thousands of other companies at risk.
Registries and artifact management systems are crucial elements within the software supply chain, making them a prime target for threat actors. While many organizations open their container and artifact registries to the outside world deliberately and by design, they are sometimes unaware of, or unable to control sensitive information and secrets that leak into these registries. When attackers are able to gain access, they can potentially exploit the entire software development life cycle (SDLC) toolchain and its stored artifacts. Aqua’s research found that in some cases organizations have failed to properly secure these highly critical environments and in other cases sensitive information leaked into open source spaces, leaving these environments exposed to the internet and vulnerable to exploitation, which can lead to serious and damaging attacks.
“We began our research with the goal to better understand misconfigurations in registries, the companies behind these misconfigurations and how a skilled attacker would take advantage of exposed and misconfigured registries,” said Assaf Morag, lead threat researcher for Aqua Nautilus. “The findings were both surprising and highly concerning. Given the magnitude of the risks we uncovered, we set out to find and alert the impacted companies.”
The findings included:
- Nautilus found sensitive keys including secrets, credentials, or tokens, on 1,400 distinct hosts, and private sensitive addresses of end points, such as Redis, MongoDB, PostgreSQL, or MySQL, on 156 hosts.
- Researchers also found 57 registries with critical misconfiguration, and 15 of these allowed admin access with the default password.
- Nautilus detected more than 2,100 artifact registries with upload permissions, which may allow an attacker to poison the registry with malicious code. In some cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, that could be used to launch a severe software supply chain attack or poisoning of the SDLC.
- Companies impacted ranged from small to large organizations — including two large cyber security vendors —all over the world.
IBM, one of the affected Fortune 500 companies, had an internal container registry exposed to the internet and was quick to close internet access to these environments and mitigate all the risks after Nautilus disclosed their findings. Other potentially impacted organizations included Alibaba, Siemens, and Cisco.
Nautilus discovered that many organizations did not have a responsible disclosure program in place. These programs are crucial tools that allow security researchers to report potential vulnerabilities in a structured manner so that the organization can quickly resolve the issue before being compromised by malicious actors. Nautilus found that organizations with existing responsible disclosure programs were able to fix a misconfiguration in less than a week. The process was more difficult and time-consuming for those without such a program in place.
“These findings by Aqua Nautilus highlight the need for increased awareness regarding software supply chain security best practices among developers and application security teams,” notes Katie Norton, Senior Research Analyst, DevOps & DevSecOps at IDC. “The explosion in code and use of open source, coupled with DevOps practices in rapid application development and delivery has left organizations behind and needing to catch up in terms of governance, security controls, and education.”
On the back of these findings, Nautilus researchers recommend security teams take the following actions immediately:
- Check if any registries or artifact management systems are exposed to the internet.
- If the registry is connected to the internet by design, check that the version isn’t critically vulnerable and that you are not using the default password. Then verify that the passwords are strong enough and regularly rotate passwords.
- In addition, verify that the anonymous user is disabled. If the anonymous user is purposely enabled, verify minimal privileges, and regularly scan your public artifacts in your repository to verify they do not contain any secrets or sensitive information.
- Rotate any secrets that may have been exposed.
“Our findings illustrate how easy it is for an attacker to compromise an organization’s SDLC as well as underscore the serious threat of overlooking simple configuration errors,” said Morag. “Moving forward, security teams should ensure they have responsible disclosure programs in place and invest more in detecting and mitigating threats to the software supply chain.”
For more information, Aqua Nautilus published a blog and a checklist detailing the research findings and offering a list of best practices companies should take to protect against misconfigurations and potential security threats.
About Aqua Nautilus
Nautilus focuses on cybersecurity research of the cloud native stack. Its mission is to uncover new vulnerabilities, threats and attacks that target containers, Kubernetes, serverless, and public cloud infrastructure — enabling new methods and tools to address them. With a global network of honeypots, Aqua Nautilus catches more than 80,000 cloud native attacks every month, specifically those unique to containers and microservices that other platforms cannot see.
About Aqua Security
Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from dev to cloud and back. Founded in 2015, Aqua is headquartered
in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com/.