
Millions of Exposed Artifacts Found in Misconfigured Cloud Software Registries

Aqua Security found over 250 million artifacts and more than 65,000 container images in misconfigured registries.

Cloud security firm Aqua Security has identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.

As part of research focused on identifying software supply chain weaknesses that could allow threat actors to exploit registries, Aqua discovered that even large companies inadvertently exposed secrets, used default passwords, and provided users with unnecessary high privileges.

“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” Aqua says.

The analysis focused on package management systems used in cloud software development, including registries (used to store and manage projects), repositories (collections of packages within registries), and artifact management systems (tools used to manage binary files).

As part of its research, Aqua discovered multiple container image registries and Quay registries, along with internet-accessible Sonatype-Nexus registries and JFrog artifactories. Some of the identified registries could be accessed anonymously, with read and/or write privileges.

Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key, and 156 hosts that contained private, sensitive endpoint addresses.

Moreover, 57 of the identified registries had critical vulnerabilities, such as a default admin password, and more than 2,100 artifact registries were configured with upload permissions.


The misconfigured registries, Aqua says, belonged to small, medium, and large organizations worldwide, including ten Fortune 500 companies. Highly sensitive information, however, was found only in the registries belonging to five of those Fortune 500 companies.

“Additionally, we found two leading cybersecurity companies had exposed secrets in their registries, and a significant number of smaller companies had similar issues that put them at risk,” Aqua says.

One of the impacted companies, an international tech giant, had two misconfigured container image registries, one of which allowed attackers to download artifacts, including an active API key for downloading internal binaries.

The registry contained 2,600 repositories with over 240 million artifacts and the API key could be used to poison libraries, images, and releases, Aqua notes. The impacted organization promptly addressed the issue after being informed of the exposure.

“We later learned that this was a case of Shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” Aqua says.

Another tech giant, the cybersecurity firm says, had a deliberately open public artifact registry that exposed a token (apparently meant to be public). The company implemented stricter controls after being notified of the exposure.

A container image registry belonging to a healthcare organization contained PGP keys, access to websites and databases, staging environments, keys for the Stripe payment application, and code. The exposure could have allowed an attacker to poison the organization’s codebase and access its environments.

“Lastly, since this was a healthcare organization, it could have been targeted by state-sponsored threat actors or financial threat actors who sell private identifiable information over the dark web, which can lead to identity theft of the customers of the healthcare,” Aqua notes.

The security firm discovered that a tech startup allowed anonymous users to access its artifact registry and the artifact build section, where the user could view admin access credentials and AWS credentials and could access the company’s source code management environment.

Organizations should implement a responsible disclosure program so that such issues can be easily reported, secure their repositories, implement strong authentication and authorization, apply least-privilege access controls, rotate keys and credentials regularly, and regularly audit their registries for sensitive data.
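As an added example (not part of Aqua's research or this article), the following script lets a registry owner self-audit their own Docker Registry HTTP API v2 endpoint for the anonymous-read condition described above: it sends an unauthenticated GET to `/v2/` and, if that succeeds, lists what the `/v2/_catalog` endpoint exposes without credentials. The base URL is a placeholder; the response-interpretation helpers are pure functions so they can be checked offline.

```python
"""Self-audit a Docker Registry HTTP API v2 endpoint for anonymous access (added example)."""
import json
import sys
import urllib.error
import urllib.request


def fetch(url):
    """Unauthenticated GET. Returns (status, lowercase-keyed headers, body); HTTP errors are not raised."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def classify_v2_probe(status, headers):
    """Interpret the result of GET /v2/ using Docker Registry API v2 semantics.

    200 means the registry answered without credentials (anonymous read is enabled);
    401 plus a WWW-Authenticate challenge is the expected, locked-down behaviour.
    """
    if status == 200:
        return "anonymous-read"
    if status == 401:
        challenge = headers.get("www-authenticate", "")
        return "auth-required" if challenge else "auth-required-no-challenge"
    return "not-a-v2-registry"


def repositories_from_catalog(body):
    """Parse a /v2/_catalog JSON body; return the repository names, or [] if unparseable."""
    try:
        return list(json.loads(body).get("repositories", []))
    except (ValueError, AttributeError):
        return []


def audit_registry(base_url):
    """Return a findings dict for one registry: access verdict and any anonymously listable repos."""
    base = base_url.rstrip("/")
    status, headers, _ = fetch(base + "/v2/")
    findings = {"v2_access": classify_v2_probe(status, headers), "anonymous_catalog": []}
    if findings["v2_access"] == "anonymous-read":
        status, _, body = fetch(base + "/v2/_catalog?n=100")
        if status == 200:
            findings["anonymous_catalog"] = repositories_from_catalog(body)
    return findings


if __name__ == "__main__":
    # Placeholder URL: point this at a registry you own, e.g. https://registry.example.internal
    target = sys.argv[1] if len(sys.argv) > 1 else "https://registry.example.invalid"
    print(json.dumps(audit_registry(target), indent=2))
```

A verdict of `anonymous-read` with a non-empty `anonymous_catalog` is the condition to fix by requiring authentication on the registry (and rotating any secrets baked into the listed images).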

Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex

Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
