Cloud security firm Aqua Security has identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.
As part of research focused on identifying software supply chain weaknesses that could allow threat actors to exploit registries, Aqua discovered that even large companies inadvertently exposed secrets, used default passwords, and provided users with unnecessary high privileges.
“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” Aqua says.
The analysis focused on package management systems used in cloud software development, including registries (used to store and manage projects), repositories (collections of packages within registries), and artifact management systems (tools used to manage binary files).
As part of its research, Aqua discovered multiple container image registries, including Quay registries, along with internet-accessible Sonatype Nexus repositories and JFrog Artifactory instances. Some of the identified registries could be accessed anonymously, with read and/or write privileges.
Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key, and 156 hosts that exposed the addresses of private, internal endpoints.
Moreover, 57 of the identified registries had critical weaknesses, such as an unchanged default admin password, and more than 2,100 artifact registries allowed uploads (write access), which an attacker could use to poison the artifacts they serve.
The misconfigured registries, Aqua says, belonged to small, medium, and large organizations worldwide, including ten Fortune 500 companies. Five of those Fortune 500 companies had highly sensitive information exposed in their registries.
“Additionally, we found two leading cybersecurity companies had exposed secrets in their registries, and a significant number of smaller companies had similar issues that put them at risk,” Aqua says.
One of the impacted companies, an international tech giant, had two misconfigured container image registries, one of which allowed attackers to download artifacts, including an active API key for downloading internal binaries.
The registry contained 2,600 repositories with over 240 million artifacts and the API key could be used to poison libraries, images, and releases, Aqua notes. The impacted organization promptly addressed the issue after being informed of the exposure.
“We later learned that this was a case of Shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” Aqua says.
Another tech giant, the cybersecurity firm says, had a deliberately open public artifact registry that exposed a token (apparently meant to be public). The company implemented stricter controls after being notified of the exposure.
A container image registry belonging to a healthcare organization contained PGP keys, credentials for websites and databases, staging environments, keys for the Stripe payment service, and source code. The exposure could have allowed an attacker to poison the organization’s codebase and access its environments.
“Lastly, since this was a healthcare organization, it could have been targeted by state-sponsored threat actors or financial threat actors who sell private identifiable information on the dark web, which can lead to identity theft of the healthcare organization’s customers,” Aqua notes.
The security firm also discovered that a tech startup allowed anonymous users to access its artifact registry and the artifact build section, where a visitor could view admin credentials and AWS credentials and could reach the company’s source code management environment.
Organizations should implement a responsible disclosure program so that such issues can be reported easily, secure their repositories, enforce strong authentication and authorization, apply least-privilege access controls, rotate keys and credentials regularly, and audit their registries for sensitive data on a regular basis.
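The last two recommendations, auditing registries for anonymous access and for leaked sensitive data, can be automated. The script below is an added example and is not Aqua's tooling or the research's own method: it probes a Docker Registry HTTP API v2 endpoint without credentials to classify anonymous read (repository catalog) and anonymous write (blob upload initiation), cancelling any upload session it opens, and it scans an image layer tarball for the kinds of material the research found (AWS key IDs, PGP private keys, Stripe keys, hard-coded passwords). The detection patterns, the registry hostname, the repository name and the sample layer are constructed assumptions for illustration.

```python
# Added example (not Aqua's tooling): audit a registry for anonymous
# read/write access and scan exported image layers for leaked secrets.
# Hostnames, repository names, patterns and sample data are constructed.
import io
import re
import tarfile
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed detection patterns (this example's own, tuned for low noise rather
# than completeness): AWS access key IDs, PGP private keys, Stripe secret
# keys and hard-coded password assignments in config-style files.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "password_assignment": re.compile(
        r"^\s*\w*(?:PASSWORD|PASSWD)\w*\s*[=:]\s*\S+", re.IGNORECASE | re.MULTILINE
    ),
}
MAX_FILE_BYTES = 1 << 20  # skip large binaries; the secrets of interest are text

# fetch(method, url) -> (status, headers); injectable so the logic can be tested offline
Fetch = Callable[[str, str], Tuple[int, Dict[str, str]]]


def urllib_fetch(method: str, url: str) -> Tuple[int, Dict[str, str]]:
    """Unauthenticated HTTP request; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe_registry(base_url: str, repo: str, fetch: Fetch = urllib_fetch) -> Dict[str, bool]:
    """Classify anonymous access to a Docker Registry HTTP API v2 endpoint.

    GET /v2/_catalog answering 200 means unauthenticated read of the repository list;
    POST /v2/<repo>/blobs/uploads/ answering 202 means unauthenticated write.
    An upload session that does get opened is cancelled so the probe leaves nothing behind.
    """
    cat_status, cat_headers = fetch("GET", f"{base_url}/v2/_catalog")
    cat_headers = {k.lower(): v for k, v in cat_headers.items()}
    up_status, up_headers = fetch("POST", f"{base_url}/v2/{repo}/blobs/uploads/")
    location = {k.lower(): v for k, v in up_headers.items()}.get("location")
    if up_status == 202 and location:
        if location.startswith("/"):  # the spec allows a relative Location
            location = base_url + location
        fetch("DELETE", location)  # cancel the upload we just opened
    return {
        "anonymous_read": cat_status == 200,
        "auth_challenge": cat_status == 401 and "www-authenticate" in cat_headers,
        "anonymous_write": up_status == 202,
    }


def scan_layer(layer_tar: bytes) -> List[Tuple[str, str]]:
    """Return (path, pattern_name) for each secret pattern found in a layer tarball."""
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            text = handle.read().decode("utf-8", errors="ignore")
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((member.name, name))
    return findings


def build_sample_layer() -> bytes:
    """Constructed layer tarball: one clean file, one config with AWS's documented
    example key ID and a password, and a placeholder PGP private key block."""
    files = {
        "README.md": "Build with make.\n",
        "app/config.env": "DB_HOST=db.internal\n"
                          "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                          "ADMIN_PASSWORD=hunter2\n",
        "keys/private.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                            "lQcYBGQAAAAAAAAA\n"
                            "-----END PGP PRIVATE KEY BLOCK-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind in scan_layer(build_sample_layer()):
        print(f"{path}: {kind}")
    # probe_registry("https://registry.example.internal", "team/app") runs the
    # live checks; only point it at registries you are authorised to test.
```

Run the scanner over layers exported with `docker save` (or pulled directly from the registry API) rather than over a running container, so that files deleted in later layers but still present in earlier ones are not missed. The probe deliberately uses the catalog endpoint rather than `GET /v2/`, because some registries answer the version check with 200 while still requiring authentication for everything else.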
Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex
Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing
Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment