Cloud Security

Millions of Exposed Artifacts Found in Misconfigured Cloud Software Registries

Aqua Security found over 250 million artifacts and more than 65,000 container images in misconfigured registries.

Cloud security firm Aqua Security has identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.

As part of research aimed at identifying software supply chain weaknesses that would let threat actors abuse registries, Aqua found that even large companies had inadvertently exposed secrets, left default passwords in place, and granted users unnecessarily high privileges.

“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” Aqua says.

The analysis focused on package management systems used in cloud software development, including registries (used to store and manage projects), repositories (collections of packages within registries), and artifact management systems (tools used to manage binary files).

Aqua found multiple internet-accessible container image registries, including Quay registries, along with exposed Sonatype Nexus and JFrog Artifactory instances. Some of these registries allowed anonymous access, with read and, in some cases, write privileges.

Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key, and 156 hosts that exposed private, sensitive endpoint addresses.

Moreover, 57 of the identified registries had critical misconfigurations such as a default admin password, and more than 2,100 artifact registries permitted uploads, the write access an attacker needs to plant a poisoned artifact.
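The findings above (anonymous read, anonymous write, and registries that are only locked by a missing auth challenge) can be distinguished with three unauthenticated requests against the Docker/OCI Registry v2 API, which Quay, Nexus docker-hosted repositories and Artifactory docker repositories also speak. The following is an added example written for this article, not Aqua's scanner or any vendor code; the hostnames are hypothetical, the HTTP transport is injectable so the constructed responses at the bottom run offline, and the optional write probe opens and immediately cancels a blob upload session, which is still a write request and belongs only on registries you own or are authorized to test.

```python
"""Classify how much an OCI/Docker Registry v2 endpoint gives an anonymous client.

Added example, not Aqua's scanner. The HTTP transport is injectable so the
constructed responses below run offline; the hostnames are hypothetical.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# (method, url) -> (status, lower-cased headers, body); no credentials are ever sent
Transport = Callable[[str, str], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(method: str, url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport: returns the status on 4xx/5xx instead of raising."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def assess_registry(base: str, transport: Transport = urllib_transport,
                    check_write: bool = False) -> dict:
    """Probe /v2/, the catalog and (optionally) an upload session, all unauthenticated.

    check_write initiates and immediately cancels a blob upload: low impact on a
    registry you are authorized to test, but still a write request.
    """
    base = base.rstrip("/")
    report = {"anonymous_read": False, "repositories": [], "anonymous_write": None,
              "auth_challenge": None, "upload_cancelled": None}

    status, headers, _ = transport("GET", f"{base}/v2/")
    if status == 401:                      # properly locked: token or basic challenge
        report["auth_challenge"] = headers.get("www-authenticate")
        return report
    if status != 200:
        report["error"] = status
        return report
    report["anonymous_read"] = True        # a 200 here is unauthenticated API access

    status, _, body = transport("GET", f"{base}/v2/_catalog?n=100")
    if status == 200:
        report["repositories"] = json.loads(body).get("repositories", [])

    if check_write and report["repositories"]:
        repo = report["repositories"][0]
        status, headers, _ = transport("POST", f"{base}/v2/{repo}/blobs/uploads/")
        report["anonymous_write"] = status == 202   # 202 + Location = session opened
        location = headers.get("location")
        if status == 202 and location:
            if not location.startswith("http"):
                location = base + location
            cancel_status, _, _ = transport("DELETE", location)
            report["upload_cancelled"] = cancel_status == 204
    return report


def fake_exposed(method: str, url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed responses imitating a registry open for anonymous read and write."""
    if url.endswith("/v2/"):
        return 200, {"docker-distribution-api-version": "registry/2.0"}, b"{}"
    if "/v2/_catalog" in url:
        return 200, {"content-type": "application/json"}, json.dumps(
            {"repositories": ["internal/build-agent", "internal/api"]}).encode()
    if method == "POST" and url.endswith("/blobs/uploads/"):
        return 202, {"location": "/v2/internal/build-agent/blobs/uploads/0f3a9b"}, b""
    if method == "DELETE" and "/blobs/uploads/" in url:
        return 204, {}, b""
    return 404, {}, b""


def fake_locked(method: str, url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed responses from a registry that demands a bearer token."""
    challenge = 'Bearer realm="https://auth.registry.example.invalid/token",service="registry"'
    return 401, {"www-authenticate": challenge}, b""


if __name__ == "__main__":
    print(assess_registry("https://registry.example.invalid", fake_exposed, check_write=True))
    print(assess_registry("https://registry.example.invalid", fake_locked))
```

Against a real host, call `assess_registry("https://registry.example.invalid")` with the default transport; a 401 with a `WWW-Authenticate` challenge on `/v2/` is the expected state, a 200 is the misconfiguration the article describes, and a 202 on the upload probe is the anonymous write access that makes poisoning possible.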

The misconfigured registries, Aqua says, belonged to small, medium, and large organizations worldwide, including ten Fortune 500 companies, five of which had highly sensitive information exposed.


“Additionally, we found two leading cybersecurity companies had exposed secrets in their registries, and a significant number of smaller companies had similar issues that put them at risk,” Aqua says.

One of the impacted companies, an international tech giant, had two misconfigured container image registries, one of which allowed attackers to download artifacts, including an active API key for downloading internal binaries.

The registry contained 2,600 repositories with over 240 million artifacts and the API key could be used to poison libraries, images, and releases, Aqua notes. The impacted organization promptly addressed the issue after being informed of the exposure.

“We later learned that this was a case of Shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” Aqua says.

Another tech giant, the cybersecurity firm says, had a deliberately open public artifact registry that exposed a token (apparently meant to be public). The company implemented stricter controls after being notified of the exposure.

A container image registry belonging to a healthcare organization contained PGP keys, credentials for websites, databases, and staging environments, API keys for the Stripe payment service, and source code. The exposure could have allowed an attacker to poison the organization’s codebase and access its environments.

“Lastly, since this was a healthcare organization, it could have been targeted by state-sponsored threat actors or financial threat actors who sell private identifiable information over the dark web, which can lead to identity theft of the healthcare organization’s customers,” Aqua notes.

The security firm also discovered that a tech startup allowed anonymous users to access its artifact registry and the artifact build section, where anyone could view admin credentials and AWS credentials and reach the company’s source code management environment.

Organizations should run a responsible disclosure program so that such issues can be reported easily, secure their repositories, enforce strong authentication and authorization, apply least-privilege access controls, rotate keys and credentials regularly, and audit their registries for sensitive data on a regular basis.
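The last recommendation, auditing registries for sensitive data, is the one most teams skip, and the cases above (an API key in an image, Stripe and PGP keys, AWS credentials in build artifacts) show what an anonymous reader walks away with. The following is an added example, not Aqua's tooling or any vendor code: it scans the two places an image leaks secrets, the environment baked into the image config and files inside a layer tar. The image config, the layer tar and every secret value in it are constructed sample data (the AWS key is AWS's own documentation example), and the patterns are deliberately narrow; a production scanner would add entropy checks and many more provider formats.

```python
"""Offline audit of what an exposed image hands an anonymous reader: secrets in
the image config's environment and in layer files.

Added example, not Aqua's tooling. Image config, layer tar and secret values
are constructed sample data (the AWS key is AWS's documentation example).
"""
import io
import json
import re
import tarfile
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]   # (origin, line number, kind, redacted value)

PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    # NAME=value / NAME: value where the name contains a credential-ish word
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|token)[A-Za-z0-9_]*\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}


def redact(value: str) -> str:
    """Never echo the secret itself into a report; keep just enough to locate it."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, origin: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((origin, lineno, kind, redact(value)))
    return findings


def scan_image_config(config: dict) -> List[Finding]:
    """ENV baked into an image is readable by anyone who can pull the config blob."""
    env = config.get("config", {}).get("Env") or []
    return scan_text("\n".join(env), "config.Env")


def scan_layer_tar(tar_bytes: bytes, max_size: int = 1 << 20) -> List[Finding]:
    """Walk a layer tar in memory; text files only, binaries need a different scanner."""
    findings: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_size:
                continue
            data = tar.extractfile(member).read()
            if b"\x00" in data:
                continue
            findings.extend(scan_text(data.decode("utf-8", "replace"), member.name))
    return findings


# Constructed sample image config (hypothetical image, AWS documentation example key)
SAMPLE_CONFIG = {
    "architecture": "amd64",
    "config": {
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
                "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
                "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"],
        "Cmd": ["/app/server"],
    },
}


def build_sample_layer() -> bytes:
    """Constructed layer tar: two text files with planted secrets and one binary."""
    files = {
        "app/.env": b'STRIPE_API_KEY=sk_live_ExampleKey0000000000000000\nDB_PASSWORD="s3cr3t-pass-2023"\n',
        "root/.gnupg/private.asc": (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n"
                                    b"lQOYBGFakeBase64Body=\n-----END PGP PRIVATE KEY BLOCK-----\n"),
        "usr/bin/server": b"\x7fELF\x02\x01\x01\x00\x00\x00password=notreallyhere12345",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_image_config(SAMPLE_CONFIG) + scan_layer_tar(build_sample_layer()):
        print(json.dumps(finding))
```

On a real image, the config blob and layer tars are the same objects an anonymous client pulls via `/v2/<name>/manifests/<tag>` and `/v2/<name>/blobs/<digest>`; run this over every layer (and every tag, since old tags keep old secrets) and treat any finding as a key to rotate, not just a file to delete, because the registry may already have been read.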

Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex

Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment

Written by Ionut Arghire, an international correspondent for SecurityWeek.
