Kubernetes is an open-source container orchestration system that works with Docker, containerd, and CRI-O. Kubernetes automates software deployment, scaling, and management. The project was originally designed by Google, but the Cloud Native Computing Foundation now maintains it. There are millions of Kubernetes clusters on the internet. Cyble Research Labs found over 900,000 misconfigured Kubernetes clusters exposed online, some of which were open to potentially harmful scanning and data-exposure attacks.
Exposed Kubernetes instances can cause breaches
Kubernetes provides scalability, adaptability, portability, and reductions in cost, application development time, and system deployment time in multi-cloud environments. If Kubernetes isn’t set up properly, cybercriminals can breach internal resources as well as private assets. Depending on the configuration, attackers could sometimes escalate their privileges from containers to break isolation and pivot to host processes, granting them initial access to internal corporate networks for further attacks.
Cyber intelligence company Cyble conducted research to understand the vulnerabilities and attack vectors behind this exposure. The research results show a total of 900,000 Kubernetes servers, with 65% of them (585,000) located in the United States, 14% in China, and 9% in Germany, while the Netherlands and Ireland accounted for 6% each. The most frequently exposed TCP ports among the exposed servers were “443” with almost a million instances, “10250” with 231,200, and “6443” with 84,400 results.
To assess how many of the exposed instances might be at notable risk, the researchers examined the HTTP status codes returned to unauthenticated requests to the Kubelet API. Most of the exposed instances respond with status code 403, meaning the unauthenticated request is forbidden and cannot proceed, so no attacks can be mounted against them through it. Only a small portion, 799 Kubernetes instances, returned status code 200, leaving them entirely open to cyber attacks.
Kubernetes, also referred to as K8s, is an open-source system for automating the deployment, scaling, and management of containerized applications. K8s combines physical and virtual machines to create a uniform API interface.
As shown in the figure above, a few of the exposed instances return status code 401. This response indicates that a Kubernetes cluster is running in the target environment, which may lead cyber attackers to attempt various K8s exploits and vulnerabilities to breach it. Cyble made the following statement:
« The stats provided in the Kubernetes blog that is published from our end are on the basis of open-source scanners and the queries available for the product. As mentioned in the blog, we have searched on the basis of queries “Kubernetes”, “Kubernetes-master”, “KubernetesDashboard”, “K8”, and favicon hashes along with status codes 200, 403 & 401. »
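The 200/403/401 distinction used in the research above maps directly onto two kubelet settings, anonymous authentication and the authorization mode. The following example is added here (it is not code from the article or from Cyble) and shows, for a node you administer, which KubeletConfiguration produces which response to an unauthenticated request and how to classify the result; the sample configurations are constructed, and the function names, the config-file defaults assumed for missing keys, and the assumption that no RBAC binding grants `system:anonymous` access are all the example's own.

```python
import ssl
import urllib.error
import urllib.request

# Status of an unauthenticated kubelet request -> exposure class,
# following the three categories the research distinguishes.
EXPOSURE = {
    200: "OPEN: anonymous request served, kubelet API fully exposed",
    401: "UNAUTHORIZED: anonymous auth disabled, kubelet still fingerprintable",
    403: "FORBIDDEN: anonymous request reached the kubelet, authorization denied it",
}


def classify_status(status: int) -> str:
    """Map an observed status code to a risk class for a defender's report."""
    return EXPOSURE.get(status, f"OTHER ({status}): inspect manually")


def predict_status(kubelet_config: dict) -> int:
    """Predict the status an unauthenticated GET /pods gets under a KubeletConfiguration.

    Assumptions: no RBAC binding grants system:anonymous access, and missing keys
    take the config-file defaults (anonymous disabled, Webhook authorization).
    """
    anonymous = kubelet_config.get("authentication", {}).get("anonymous", {}).get("enabled", False)
    mode = kubelet_config.get("authorization", {}).get("mode", "Webhook")
    if not anonymous:
        return 401  # rejected at authentication, before authorization runs
    if mode == "AlwaysAllow":
        return 200  # accepted as system:anonymous and allowed through
    return 403      # Webhook asks the API server, which denies system:anonymous


def check_own_kubelet(host: str, port: int = 10250, timeout: float = 5.0) -> int:
    """Send one unauthenticated GET /pods to a kubelet you administer; return the status."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # kubelet serving certs are usually cluster-signed
    req = urllib.request.Request(f"https://{host}:{port}/pods", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample configurations: the weak setting beside the hardened one.
WEAK_CONFIG = {"authentication": {"anonymous": {"enabled": True}},
               "authorization": {"mode": "AlwaysAllow"}}
HARDENED_CONFIG = {"authentication": {"anonymous": {"enabled": False},
                                      "webhook": {"enabled": True}},
                   "authorization": {"mode": "Webhook"}}
```

Compare `predict_status(cfg)` for a node's real config with `check_own_kubelet(host)` on that node; a mismatch means the running kubelet is not using the configuration you think it is.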