Security researchers have warned that a large number of Kubernetes clusters are being made vulnerable to attacks due to misconfigured Argo Workflows instances.
Argo Workflows is an open source container-native workflow engine, mainly used to orchestrate parallel jobs on Kubernetes, speeding up computationally intensive work such as machine learning and big data processing; it is also used to simplify general container deployment. Kubernetes itself is a popular container orchestration engine used to manage cloud deployments.
According to Intezer’s analysis, malware operators can drop cryptominers into cloud containers via Argo, because some instances expose a dashboard that does not require external users to authenticate. These misconfigured permissions therefore allow an attacker to run malicious code in the victim’s environment.
In many cases, the default permissions make it possible for any user to deploy workflows, according to Intezer’s analysis published on Tuesday. Where permissions are misconfigured, attackers can reach an open Argo dashboard and launch their attacks from there.
Misconfigurations could also expose sensitive information such as code, credentials and the names of private container images (which can be used to assist other types of attacks), the researchers said.
Scanning the internet, Intezer uncovered numerous unprotected instances run by companies in the technology, finance and logistics industries.
Intezer said: “We have identified the infected node so far, and since hundreds of misdeployed containers are involved, it is possible that a larger attack will occur in the future. In one of the cases, the malicious code was exposed on Docker Hub. It was discovered after nine months of running on the cluster.”
Such an attack is not difficult to carry out. Researchers have observed a number of popular malware images, including Kannix and XMRig, hosted in repositories like Docker Hub, and cybercriminals simply need to pull one of these containers into Kubernetes via Argo or other means. For example, Microsoft recently investigated numerous cases of cryptominers attacking Kubernetes through the Kubeflow framework, which runs machine learning workflows.
“In Docker Hub, there are still many Monero options available to attackers. We found at least 45 containers with millions of downloads through a simple search,” the researchers said.
How to check for misconfiguration of Argo
The easiest way to see whether permissions are configured correctly is to try to reach the Argo Workflows dashboard from outside the corporate environment using an unauthenticated incognito browser session, the researchers noted.
A more technical way to check is to access an instance’s API and examine the status code, the researchers added.
According to the analysis, send an unauthenticated HTTP GET request to [your.instance:port]/api/v1/info and look at the status code. An HTTP ‘401 Unauthorized’ response indicates that the instance is configured correctly, while a successful ‘200 OK’ response indicates that unauthenticated users can access the instance.
Administrators can also check logs and workflow timelines for suspicious activity, Intezer noted; any workflow that has been running for an unusually long time could indicate attack activity.
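The two checks described above, the unauthenticated probe of /api/v1/info and the search for workflows that have run far longer than they should, scripted as an added example (this is not Intezer’s or the Argo project’s code). The host name and port `argo.example.internal:2746`, the 24-hour threshold and the sample workflow records are constructed for illustration; the record shape is that of `kubectl get workflows -A -o json`.

```python
"""Two checks for a misconfigured Argo Workflows deployment.

Added example; not code from Intezer or the Argo project. It implements the
article's two checks: (1) an unauthenticated GET to /api/v1/info, classified by
HTTP status code, and (2) a scan of Workflow objects for runs that have been
executing far longer than expected. Host name, port, threshold and the sample
workflow records below are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

API_INFO_PATH = "/api/v1/info"      # endpoint named in the article

PROTECTED = "protected"             # 401: server demands credentials
EXPOSED = "exposed"                 # 200: anyone who can reach it can use the API
INCONCLUSIVE = "inconclusive"       # any other status: inspect by hand
UNREACHABLE = "unreachable"         # no HTTP answer at all


def fetch_status(url, timeout=10):
    """Unauthenticated GET; return (status, body), or (None, reason) if the
    server cannot be reached. urllib raises on 4xx/5xx, so the error is caught
    and its status code handed back instead of the exception."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def classify(status):
    """Map the status of an unauthenticated /api/v1/info call to a verdict,
    as the article describes: 401 is correct, 200 means the API is open."""
    if status is None:
        return UNREACHABLE
    if status == 401:
        return PROTECTED
    if status == 200:
        return EXPOSED
    return INCONCLUSIVE


def check_instance(base_url, fetch=fetch_status):
    """Probe one Argo Server. `fetch` is injectable so the logic can be
    exercised without a live server."""
    url = base_url.rstrip("/") + API_INFO_PATH
    status, body = fetch(url)
    verdict = classify(status)
    info_keys = []
    if verdict == EXPOSED:
        try:
            # Record which top-level fields leaked, if the body is a JSON object
            info_keys = sorted(json.loads(body).keys())
        except (ValueError, AttributeError):
            pass
    return {"url": url, "status": status, "verdict": verdict, "info_keys": info_keys}


def long_running(workflows, now=None, max_age=timedelta(hours=24)):
    """Given the `items` of `kubectl get workflows -A -o json`, return
    (namespace, name, age) for workflows still in phase Running for longer
    than max_age. The 24h threshold is an assumption; set it to the longest
    legitimate job in your cluster."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for wf in workflows:
        status = wf.get("status", {})
        started = status.get("startedAt")
        if status.get("phase") != "Running" or not started:
            continue
        # Kubernetes timestamps are RFC 3339 in UTC, e.g. 2021-07-20T08:15:00Z
        started_at = datetime.strptime(started, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - started_at
        if age > max_age:
            meta = wf.get("metadata", {})
            flagged.append((meta.get("namespace"), meta.get("name"), age))
    return flagged


# Constructed sample records: one finished job, one young job, one job that
# has been "Running" for about nine months, the situation the article reports.
SAMPLE_WORKFLOWS = [
    {"metadata": {"namespace": "argo", "name": "nightly-etl-abc12"},
     "status": {"phase": "Succeeded", "startedAt": "2021-07-20T01:00:00Z"}},
    {"metadata": {"namespace": "argo", "name": "train-model-q7hd2"},
     "status": {"phase": "Running", "startedAt": "2021-07-20T06:00:00Z"}},
    {"metadata": {"namespace": "argo", "name": "update-service-h4k9z"},
     "status": {"phase": "Running", "startedAt": "2020-10-18T09:30:00Z"}},
]
SAMPLE_NOW = datetime(2021, 7, 20, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Usage: python argo_check.py https://argo.example.internal:2746
    target = sys.argv[1] if len(sys.argv) > 1 else "https://argo.example.internal:2746"
    print(json.dumps(check_instance(target), indent=2))
    for ns, name, age in long_running(SAMPLE_WORKFLOWS, SAMPLE_NOW):
        print(f"long-running workflow: {ns}/{name} has been Running for {age}")
```

Run the probe from a network position outside the cluster and outside the corporate VPN, since an internal hop may be allowed through a proxy that adds credentials. A 401 only proves the API rejects anonymous callers; it says nothing about whether the dashboard’s own RBAC grants every authenticated user the right to submit workflows, which the article notes is often the default.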
“Even if your cluster is deployed on a cloud Kubernetes service, such as Amazon Web Services (AWS) EKS or Azure Kubernetes Service (AKS), the shared responsibility model dictates that cloud customers should be responsible for the applications they deploy and all necessary security configurations,” the researchers noted.
Incorrect cloud configuration provides a vector for cyberattacks
Misconfigurations still plague the cloud computing world and organizations of all kinds. An analysis last fall found that 6 percent of Google Cloud storage buckets were misconfigured and open to the public internet, where anyone could access their contents.
Sometimes these missteps make headlines. In March, Hobby Lobby was revealed to have kept 138GB of sensitive information in a cloud bucket that was open to the public. The data included customer names, some payment card details, phone numbers, and physical and email addresses.
According to a 2020 survey by the Cloud Native Computing Foundation (CNCF), 91% of respondents are using Kubernetes, and respondents said the biggest difficulty in using and deploying containers is deployment complexity and security.
Intezer researchers noted: “Kubernetes…is one of the most popular repositories on GitHub, with over 100,000 commits and over 3,000 contributors, and the number of enterprises using Kubernetes and the number of clusters they deploy is steadily growing each year. Because of these security challenges enterprises face when using containers and Kubernetes clusters, attackers are likely to exploit vulnerabilities in container security to conduct widespread attacks.”