Kubernetes breaches could put major businesses' data at risk


Some pretty major companies are slacking when it comes to Kubernetes configuration secrets, which could spell security disaster, a new report from cybersecurity researchers Aqua has claimed.

In a new paper, researchers Yakir Kadkoda and Assaf Morag explained that firms are uploading Kubernetes configuration secrets to public repositories, where hackers could pick them up and use them in attacks against their endpoints.

They came to this conclusion after using the GitHub API to find all entries containing .dockerconfigjson and .dockercfg, which usually store credentials for container image registry access. The search returned 438 records, of which nearly half (203) held valid credentials that could be used to access the registries. The list contained 345 computer-generated passwords and 93 manual ones.



Weak credentials

"In the majority of cases, these credentials allowed for both pulling and pushing privileges," the researchers said. "Moreover, we often discovered private container images within most of these registries."

Another problem is the strength of the manually created passwords. Almost half were considered weak, including the likes of test123456, ChangeMe, and dockerhub, which hackers can easily guess. "This underscores the critical need for organizational password policies that enforce strict password creation rules to prevent the use of such vulnerable passwords," the researchers stressed.
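A defender-side check for the two problems described above, the committed `.dockerconfigjson` / `.dockercfg` secrets and the guessable passwords inside them. This is an added example, not code from the Aqua report or from TechRadar: it parses a Kubernetes docker-registry Secret (or a raw docker config), decodes the registry credentials, and flags every committed credential, marking the ones whose password is a known default or too short. The sample manifest, the registry name and the weak-password list are constructed for illustration.

```python
import base64
import json

# Guessable values the report cites plus a length floor; extend for real use (constructed list).
WEAK_PASSWORDS = {"test123456", "changeme", "dockerhub", "password", "admin"}
MIN_LENGTH = 12

def is_weak(password: str) -> bool:
    """True for a known default or anything shorter than MIN_LENGTH characters."""
    return password.lower() in WEAK_PASSWORDS or len(password) < MIN_LENGTH

def registry_credentials(config: dict):
    """Yield (registry, username, password) from a docker config dict."""
    # Modern config.json nests entries under "auths"; legacy .dockercfg is a flat registry map.
    for registry, entry in config.get("auths", config).items():
        if not isinstance(entry, dict):  # e.g. "credsStore": "desktop"
            continue
        if "auth" in entry:  # "auth" holds base64("user:password")
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        if password:
            yield registry, user, password

def scan_manifest(text: str) -> list:
    """Findings for a Kubernetes Secret (JSON, as kubectl -o json prints it) or a raw docker config."""
    doc = json.loads(text)
    data = doc.get("data", {}) if doc.get("kind") == "Secret" else {}
    configs = [json.loads(base64.b64decode(data[k])) for k in (".dockerconfigjson", ".dockercfg") if k in data]
    if not configs:  # not a Secret: treat the whole document as a docker config
        configs = [doc]
    return [
        {"registry": registry, "user": user, "weak": is_weak(password)}
        for cfg in configs
        for registry, user, password in registry_credentials(cfg)
    ]

# Constructed sample: a docker-registry Secret carrying one of the weak passwords the report cites.
SAMPLE_AUTH = base64.b64encode(b"deploy:ChangeMe").decode()
SAMPLE_CONFIG = json.dumps({"auths": {"registry.example.com": {"auth": SAMPLE_AUTH}}})
SAMPLE_SECRET = json.dumps({"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
                            "data": {".dockerconfigjson": base64.b64encode(SAMPLE_CONFIG.encode()).decode()}})

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_SECRET):
        print(f"committed registry credential for {f['registry']} (user {f['user']}), weak={f['weak']}")
```

Run it over manifests in a pre-commit hook or CI job so a registry credential never reaches a public repository in the first place; any finding, weak or not, is a secret that belongs in a secret store rather than in git.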

Among the companies that risked data breaches this way are two major blockchain firms and “various Fortune 500” organizations. 

The researchers also found plenty of Amazon Web Services (AWS) and Google Container Registry (GCR) passwords, all of which were temporary and had expired. The GitHub Container Registry, meanwhile, had multi-factor authentication (MFA) set up, rendering the leaked credentials useless to attackers.

"In some cases, the keys were encrypted and thus there was nothing to do with the key," the researchers said. "In some cases, while the key was valid it had minimal privileges, often just to pull or download a specific artifact or image."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.