22,000 vulnerable containers found open on the cloud

Over 22,000 container orchestration and API management systems are unprotected on the internet, revealing the reality of the risks of operating in the cloud. According to the researchers, Kubernetes, Mesos, Docker Swarm and other container deployments suffer from poorly configured resources, missing credentials and the use of non-secure protocols. As a result, attackers can remotely access the infrastructure to install, remove or encrypt any application that companies are running in the cloud. The researchers found 22,672 open admin dashboards on the web, and more than 300 of them were not protected by any credentials. 95 percent of these are hosted inside Amazon Web Services. Amazon has alerted the affected companies.

Each of these openings is an entry point into potentially sensitive data, or an opportunity to hijack a company's cloud resources. Depending on their motives, attackers can perform a variety of attacks. When a user interface is open, anyone can get inside. Once inside, they can quietly use resources to mine cryptocurrency, deposit malware or ransomware, wipe out data, grab sensitive PII, or do any number of things that disrupt normal cloud operations and expose critical, private data. If container management consoles and APIs are open and accessible, it takes only a rudimentary level of skill to do damage.




A more sophisticated attacker can mine the open infrastructure for information to learn more about potential targets, and then deploy their attacks. More experienced attackers will be able to navigate to critical data in the container and beyond, into the overall cloud infrastructure. They know that anecdotal information about the way an environment is structured, combined with access, is a potent combination, so they will try to get information from employees through phishing emails, bogus phone calls, and other means that prey on unsuspecting informants. Even if the containers have authentication turned on, an attacker can try simple brute-force and dictionary attacks against passwords to gain access.

The affected companies run the gamut in terms of size and industry. Although the researchers did not access any of the consoles to dive into what the targets were, or dig to a level that would show whether they had been compromised, because the survey was largely automated, they could see in the data that all kinds of organizations are included. The organizations affected are not just small startups or research divisions.



Containers are increasingly popular among DevOps users in companies of all sizes because they aid collaboration, which improves the teams' ability to deliver code quickly to virtual environments. However, the researchers noted that securing workloads in public clouds, where APIs drive the infrastructure and create short-lived workloads, requires a different approach than the one used for traditional data centers. As a result, these workloads are becoming more interesting to cybercriminals. There are dynamics at play when the goals of DevOps are combined with easy-to-use tools like containers: users are not abiding by security controls, and without continuous and automated monitoring of the environment, misconfigurations and open containers linger as undetected issues. The DevOps team is not typically organized to look for these security issues, so they keep pushing code and using containers because it makes their work easier.
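One form the continuous, automated check described above could take, as an added example that is not from the article or from any of the researchers it cites: it reads a Docker daemon.json and a kube-apiserver flag list and reports the two conditions the article describes, an API exposed over plaintext TCP and access without credentials. The Docker keys and kube-apiserver flags are the real ones; the sample configurations are constructed for illustration.

```python
"""Config audit for the two failure modes in the article: a container API
reachable over a non-secure transport, and one that accepts requests without
credentials. Sample configs at the bottom are constructed, not from the page."""
import json
from urllib.parse import urlparse


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag a Docker daemon.json that exposes the API on TCP without TLS."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        # Docker only authenticates TCP clients via client certificates,
        # so tlsverify plus a CA file is the minimum for a credentialed API.
        if not cfg.get("tlsverify") or not cfg.get("tlscacert"):
            findings.append(f"{host}: TCP API without client-certificate TLS")
        if u.hostname in ("0.0.0.0", "::", None):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_kube_apiserver(args: list[str]) -> list[str]:
    """Flag kube-apiserver flags that allow unauthenticated access."""
    flags = dict(a[2:].split("=", 1) for a in args if a.startswith("--") and "=" in a)
    findings = []
    # --anonymous-auth defaults to true on kube-apiserver.
    if flags.get("anonymous-auth", "true") == "true":
        findings.append("anonymous-auth is enabled")
    # Older releases had a plaintext, unauthenticated --insecure-port listener;
    # only an explicit non-zero value is flagged here (check your release default).
    if flags.get("insecure-port", "0") != "0":
        findings.append(f"insecure-port={flags['insecure-port']} is an unauthenticated HTTP listener")
    return findings


# Constructed samples: a weak and a hardened version of each config.
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({"hosts": ["tcp://10.0.0.5:2376"], "tlsverify": True,
                              "tlscacert": "/etc/docker/ca.pem",
                              "tlscert": "/etc/docker/server.pem",
                              "tlskey": "/etc/docker/server-key.pem"})
WEAK_KUBE = ["--anonymous-auth=true", "--insecure-port=8080"]
HARDENED_KUBE = ["--anonymous-auth=false", "--insecure-port=0", "--secure-port=6443"]

if __name__ == "__main__":
    for name, result in [("weak daemon", audit_docker_daemon(WEAK_DAEMON)),
                         ("hardened daemon", audit_docker_daemon(HARDENED_DAEMON)),
                         ("weak kube", audit_kube_apiserver(WEAK_KUBE)),
                         ("hardened kube", audit_kube_apiserver(HARDENED_KUBE))]:
        print(name, "->", result or "no findings")
```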

The cloud operates with different types of parameters, and the movement of data is not linear, which poses new security challenges. Misconfiguration of cloud storage buckets like Amazon S3 has plagued the space for years; containers are just another wrinkle. So much data goes into and out of S3 buckets and containers, but because it often happens in an ad-hoc way through connections made by APIs, no one really knows the specifics of what data is available and what its status is. The same thing happens at the user level: the cloud encourages broad permissions so people can make changes and use their technology investment at business speed, but overly permissive models lead to these assets being almost globally available.