900,000+ Kubernetes Instances Found Exposed to the Internet

Over 900,000 misconfigured Kubernetes clusters have been found exposed to the internet. Researchers at Cyble identified Kubernetes clusters across the IPv4 range using scanning tools and search queries similar to those used by threat actors. Not all 900,000 discovered clusters are necessarily exploitable. To determine how many Kubernetes clusters are at higher risk, Cyble observed the HTTP status codes returned in response to unauthenticated requests to the Kubelet API. The vast majority of the exposed instances return error code 403, indicating that they reject unauthenticated API queries.

There is a subset of approximately 5000 clusters that return HTTP error code 401, indicating that the request is unauthorized. There is also a small subset of 799 Kubernetes instances that return a status code 200, which is the HTTP code for “OK” or “SUCCESS.” In these cases, the unauthenticated API queries were accepted and processed.

Last month, The Shadowserver Foundation released a report on exposed Kubernetes instances in which it identified 381,645 unique IPs responding with a 200 HTTP status code. According to Cyble, the reason for this large discrepancy is that Cyble used open-source scanners and simple queries that would be available to any threat actor, whereas Shadowserver scanned the entire IPv4 space and monitored for new additions daily.

Cyble’s figures may be less impressive, but they are very important because they correspond to Kubernetes clusters that are very easy to locate and attack.

Analyst Notes

Understanding the attack surface is key for all organizations. Organizations should perform regular vulnerability scans against their network from an outside perspective, and should port scan any non-RFC1918 IP addresses they use, in order to determine what is accessible from the public internet. Any public IP address that allows connections from outside the organization should be evaluated for necessity, patch application, sanitized inputs, etc. A VPN can often be a great solution for allowing employees to securely access an organization’s online resources from anywhere in the world.

The NSA and CISA have released a guide on hardening Kubernetes as well, which can be found here: https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
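
As an added example (not code from Cyble, Shadowserver or the NSA/CISA guide), the Python below maps the 200, 401 and 403 responses described above onto the kubelet's `authentication.anonymous.enabled` and `authorization.mode` settings, so a node's own configuration file can be checked before it is ever reachable. The sample configurations and the function names are constructed for illustration.

```python
import json

# Constructed sample kubelet configuration files (the kubelet reads JSON or YAML).
EXPOSED = json.loads("""{"kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": true}},
  "authorization": {"mode": "AlwaysAllow"}}""")
ANON_WEBHOOK = json.loads("""{"kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": true}, "webhook": {"enabled": true}},
  "authorization": {"mode": "Webhook"}}""")
HARDENED = json.loads("""{"kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": false}, "webhook": {"enabled": true}},
  "authorization": {"mode": "Webhook"}}""")
INCOMPLETE = json.loads('{"kind": "KubeletConfiguration"}')


def unauthenticated_outcome(cfg):
    """Return (expected_status, finding) for a request carrying no credentials."""
    authn = cfg.get("authentication") or {}
    anon = (authn.get("anonymous") or {}).get("enabled")
    mode = (cfg.get("authorization") or {}).get("mode")
    if anon is None or mode is None:
        # Unset fields fall back to defaults that this example does not model.
        return None, "setting not explicit; confirm the effective value on the node"
    if not anon:
        # Rejected at authentication, before any authorization decision.
        return 401, "anonymous requests are rejected"
    if mode == "AlwaysAllow":
        # Anonymous identity accepted and every request authorized.
        return 200, "unauthenticated requests are processed; disable anonymous " \
                    "auth and set authorization mode to Webhook"
    # Request runs as system:anonymous and is refused by authorization,
    # unless RBAC has been changed to grant that user access.
    return 403, "anonymous identity accepted but denied by authorization"


def needs_attention(named_configs):
    """Names of configs that would answer 200 or whose outcome is not explicit."""
    return sorted(name for name, cfg in named_configs.items()
                  if unauthenticated_outcome(cfg)[0] in (200, None))


if __name__ == "__main__":
    fleet = {"node-a": EXPOSED, "node-b": ANON_WEBHOOK,
             "node-c": HARDENED, "node-d": INCOMPLETE}
    for name, cfg in fleet.items():
        print(name, *unauthenticated_outcome(cfg))
    print("review:", needs_attention(fleet))
```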

Sources:

https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-instances-found-exposed-online/