Misconfigured registries are putting hundreds of top businesses at risk

Millions of artifacts and container images have been found exposed on the public internet through thousands of misconfigured Red Hat Quay, JFrog Artifactory, and Sonatype Nexus registries. Many of them held confidential, proprietary code, placing the companies concerned at enormous risk of data leaks and cyberattacks.

A new report from the Aqua Nautilus research team found 250 million artifacts and 65,600 container images were exposed, leaving five Fortune 500 companies, as well as “thousands of others”, at risk.

Among the firms at risk were IBM, Alibaba, Siemens, and Cisco, the researchers said.

Surprising and highly concerning

Registries and artifact management systems are “crucial elements” of the software supply chain, which makes them prime targets for cybercriminals. Aqua Security says many organizations are unaware of, or unable to control, the sensitive information and secrets that leak into these registries; should hackers gain access, it could spell huge trouble for the affected firms. According to the researchers, a number of organizations had not properly secured these highly critical environments.

“The findings were both surprising and highly concerning,” commented Assaf Morag, lead threat researcher for Aqua Nautilus. 

The researchers found sensitive keys, such as secrets, credentials, or tokens, on 1,400 distinct hosts, and private endpoint addresses for services such as Redis, MongoDB, PostgreSQL, or MySQL on 156 hosts. They also found 57 registries with critical misconfigurations, 15 of which allowed admin access with the default password, and more than 2,100 artifact registries that allowed uploads.
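The two leak classes the report counted, credential material and private datastore endpoint addresses, can be caught before an artifact is ever pushed to a registry. The scanner below is an added example, not code from Aqua Nautilus or this article: its patterns are an illustrative set rather than a complete secret-detection ruleset, and the sample config it scans is constructed.

```python
import ipaddress
import re
# Connection strings for the datastores the report names; credentials are optional.
CONN_STRING = re.compile(
    r"\b(?P<scheme>postgres(?:ql)?|mysql|mongodb(?:\+srv)?|rediss?)://"
    r"(?:(?P<user>[^:/\s@]+)(?::(?P<pw>[^@\s]*))?@)?(?P<host>[^/\s:?@]+)"
)
# Credential material: AWS access key ids and key=value secrets (illustrative set).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?(\S{8,})"),
}
PRIVATE_SUFFIXES = (".internal", ".local", ".svc", ".svc.cluster.local", ".lan")

def is_private_host(host):
    """True for non-global IPs (RFC1918, loopback, link-local) and internal-looking names."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        host = host.lower().rstrip(".")
        return host == "localhost" or "." not in host or host.endswith(PRIVATE_SUFFIXES)

def redact(secret):
    """Keep the first 4 characters only, so the report never re-leaks the value."""
    return secret[:4] + "*" * max(0, len(secret) - 4)

def scan_text(text):
    """Return one finding dict per leak, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CONN_STRING.finditer(line):
            findings.append({"line": lineno, "kind": "connection_string",
                             "scheme": m["scheme"], "host": m["host"],
                             "private_endpoint": is_private_host(m["host"]),
                             "has_credentials": m["pw"] is not None})
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)  # last group holds the secret value
                findings.append({"line": lineno, "kind": kind, "value": redact(value)})
    return findings

# Constructed sample of a config file baked into a pushed image (not real data).
SAMPLE_ARTIFACT = """\
DATABASE_URL=postgres://app:Sup3rS3cret@10.20.30.40:5432/prod
CACHE_URL=redis://redis.internal:6379/0
MONGO_URI=mongodb+srv://svc:pw123456@cluster0.example.com/db
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
```

Running `scan_text(SAMPLE_ARTIFACT)` yields five findings: three connection strings (two pointing at private endpoints, two carrying credentials) and two credential values, each reported redacted so the scan output itself cannot leak them.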

To protect their environments, and the sensitive data residing in them, Nautilus recommends that businesses check whether any registries or artifact management systems are exposed to the internet, and verify that those exposed by design are not critically vulnerable. Businesses should also confirm that the anonymous user is disabled.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.