Cloud security firm Aqua Security has identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.
As part of research focused on identifying software supply chain weaknesses that could allow threat actors to exploit registries, Aqua discovered that even large companies inadvertently exposed secrets, used default passwords, and provided users with unnecessary high privileges.
“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” Aqua says.
The analysis focused on package management systems used in cloud software development, including registries (used to store and manage projects), repositories (collections of packages within registries), and artifact management systems (tools used to manage binary files).
As part of its research, Aqua found internet-exposed container image registries, including Quay instances, along with Sonatype Nexus repository managers and JFrog Artifactory servers. Some of the identified registries could be accessed anonymously, with read and/or write privileges.
Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key, and 156 hosts that exposed private, sensitive endpoint addresses.
Moreover, 57 of the identified registries had critical weaknesses such as a default admin password, and more than 2,100 artifact registries permitted uploads, which would let an attacker poison the artifacts they serve.
The misconfigured registries, Aqua says, belonged to small, medium, and large organizations worldwide, including ten Fortune 500 companies; highly sensitive information was found in the registries of five of them.
“Additionally, we found two leading cybersecurity companies had exposed secrets in their registries, and a significant number of smaller companies had similar issues that put them at risk,” Aqua says.
One of the impacted companies, an international tech giant, had two misconfigured container image registries, one of which allowed attackers to download artifacts, including an active API key for downloading internal binaries.
The registry contained 2,600 repositories with over 240 million artifacts and the API key could be used to poison libraries, images, and releases, Aqua notes. The impacted organization promptly addressed the issue after being informed of the exposure.
“We later learned that this was a case of Shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” Aqua says.
Another tech giant, the cybersecurity firm says, had a deliberately open public artifact registry that exposed a token (apparently meant to be public). The company implemented stricter controls after being notified of the exposure.
A container image registry belonging to a healthcare organization contained PGP keys, credentials for websites, databases and staging environments, keys for the Stripe payment service, and source code. The exposure could have allowed an attacker to poison the organization's codebase and access its environments.
“Lastly, since this was a healthcare organization, it could have been targeted by state-sponsored threat actors or financial threat actors who sell private identifiable information over the dark web, which can lead to identity theft of the healthcare organization's customers,” Aqua notes.
The security firm discovered that a tech startup allowed anonymous users to access its artifact registry and the artifact build section, where the user could view admin access credentials and AWS credentials and could access the company's source code management environment.
Organizations should run a responsible disclosure program so that such issues can be reported easily; secure their registries and repositories behind strong authentication and authorization; apply least-privilege access controls, treating anonymous read or write as a deliberate exception rather than the default; rotate keys and credentials regularly; and audit their registries periodically for sensitive data.
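One way to act on the last two recommendations, as an added example that is not Aqua's tooling and not part of the original article: a small Python audit script that probes a registry implementing the Docker Registry HTTP API v2 for anonymous read and write access, and scans image layers for the kinds of secrets Aqua reported (AWS access keys, Stripe keys, PGP private keys, hard-coded passwords). The secret patterns, the sample layer and the canned registry responses are constructed for the example; the `http_fetch` transport is the only part that touches a network and is not exercised offline.

```python
"""Constructed audit helper: probe a Docker Registry HTTP API v2 endpoint for anonymous access
and scan image layers for embedded secrets. Example code, not Aqua's research tooling."""
import io
import json
import re
import tarfile
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Secret patterns constructed for this example; extend them for your own environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}

# A transport is any callable (method, path) -> (status, body), so the probe is testable offline.
Fetch = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Real transport over urllib, for running the probe against a registry you own."""
    def fetch(method: str, path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


def probe_anonymous_access(fetch: Fetch, probe_repo: str = "audit-probe") -> Dict[str, object]:
    """Send unauthenticated requests and report what an anonymous client is allowed to do."""
    result: Dict[str, object] = {"anonymous_read": False, "anonymous_write": False, "repositories": []}
    status, _ = fetch("GET", "/v2/")  # API version check; 401 here means auth is enforced
    if status != 200:
        return result
    result["anonymous_read"] = True
    status, body = fetch("GET", "/v2/_catalog")  # repository listing, unless disabled
    if status == 200:
        result["repositories"] = json.loads(body).get("repositories", [])
    # Opening a blob upload session is the cheapest write test: 202 means anyone can push.
    # Against a real registry, cancel it afterwards with DELETE on the returned Location header.
    status, _ = fetch("POST", f"/v2/{probe_repo}/blobs/uploads/")
    result["anonymous_write"] = status == 202
    return result


def scan_text(text: str, source: str) -> List[Tuple[str, str]]:
    """Return (source, pattern_name) for every secret pattern that matches."""
    return [(source, name) for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def scan_layer(layer_bytes: bytes) -> List[Tuple[str, str]]:
    """Walk one image layer (a tar archive) and scan every regular file for secrets."""
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            handle = tar.extractfile(member) if member.isfile() else None
            if handle is not None:
                text = handle.read().decode("utf-8", errors="ignore")
                findings.extend(scan_text(text, member.name))
    return findings


def build_layer(files: Dict[str, bytes]) -> bytes:
    """Build an uncompressed tar layer in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample layer: an .env file and a key block a developer forgot to strip.
SAMPLE_LAYER = build_layer({
    "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                b"STRIPE_KEY=sk_test_EXAMPLEEXAMPLEEXAMPLE0000\n"
                b'DB_PASSWORD="correct-horse-battery"\n',
    "app/keys/dev.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n",
    "app/main.py": b"print('hello')\n",
})

# Constructed responses imitating a wide-open registry and a locked-down one.
OPEN_REGISTRY = {
    ("GET", "/v2/"): (200, b"{}"),
    ("GET", "/v2/_catalog"): (200, b'{"repositories": ["internal/build-tools", "internal/release"]}'),
    ("POST", "/v2/audit-probe/blobs/uploads/"): (202, b""),
}
LOCKED_REGISTRY = {("GET", "/v2/"): (401, b'{"errors": [{"code": "UNAUTHORIZED"}]}')}


def fake_fetch(responses: Dict[Tuple[str, str], Tuple[int, bytes]]) -> Fetch:
    """Offline transport: answer from the canned table, 404 for anything else."""
    return lambda method, path: responses.get((method, path), (404, b""))


if __name__ == "__main__":
    print("open:", probe_anonymous_access(fake_fetch(OPEN_REGISTRY)))
    print("locked:", probe_anonymous_access(fake_fetch(LOCKED_REGISTRY)))
    print("layer:", scan_layer(SAMPLE_LAYER))
```

Run against your own registry with `probe_anonymous_access(http_fetch("https://registry.example.internal"))`, and feed `scan_layer` the layer blobs pulled from any repository the probe lists. Nexus and Artifactory serve the same v2 API for their Docker-hosted repositories but also expose their own REST interfaces, so a complete audit should probe those too; the write probe deliberately stops at opening an upload session rather than pushing a blob.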
Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex
Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing
Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment