Over 900,000 misconfigured Kubernetes clusters have been found exposed to the internet. Researchers at Cyble identified Kubernetes clusters across the IPv4 range using scanning tools and search queries similar to those used by threat actors. It is important to note that not all 900,000 discovered clusters are necessarily exploitable. To determine how many of them are at higher risk, Cyble looked at the HTTP status codes returned by the Kubelet API to unauthenticated requests. The vast majority of the exposed instances return status code 403 (Forbidden), indicating that they reject unauthenticated API queries.
There is a subset of approximately 5,000 clusters that return HTTP status code 401, indicating that the request was unauthorized. There is also a small subset of 799 Kubernetes instances that return status code 200, which is the HTTP code for “OK” or “SUCCESS.” In these cases, the unauthenticated API queries were accepted and processed.
Last month, The Shadowserver Foundation released a report on exposed Kubernetes instances in which they found 381,645 unique IPs responding with an HTTP 200 status code. According to Cyble, the reason for this large discrepancy is that Cyble used open-source scanners and simple queries available to any threat actor, whereas Shadowserver scanned the entire IPv4 space and monitored for new additions daily.
Cyble’s figures may be less impressive, but they matter because they correspond to Kubernetes clusters that are very easy to locate and attack.
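The three status codes above map directly onto two kubelet settings: `authentication.anonymous.enabled` and `authorization.mode`. The Python below is an added example (not code from Cyble or Shadowserver) that audits a KubeletConfiguration for those settings and predicts which code an unauthenticated request would receive; the configurations are constructed, and the 403 case assumes no RBAC rule grants rights to `system:anonymous`.

```python
"""Audit a KubeletConfiguration (kubelet.config.k8s.io/v1beta1) for the two
settings that decide how the Kubelet API answers unauthenticated requests."""

# Kubelet defaults when the fields are omitted: anonymous auth is ON and the
# authorization mode is AlwaysAllow. An audit must therefore treat a missing
# field as the insecure value, not as "safe by omission".
DEFAULT_ANONYMOUS_ENABLED = True
DEFAULT_AUTHZ_MODE = "AlwaysAllow"


def anonymous_enabled(cfg):
    return cfg.get("authentication", {}).get("anonymous", {}).get(
        "enabled", DEFAULT_ANONYMOUS_ENABLED)


def authz_mode(cfg):
    return cfg.get("authorization", {}).get("mode", DEFAULT_AUTHZ_MODE)


def audit_kubelet_config(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if anonymous_enabled(cfg):
        findings.append("authentication.anonymous.enabled is true: "
                        "unauthenticated requests are accepted as system:anonymous")
    if authz_mode(cfg) == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: "
                        "every request that passes authentication is allowed")
    return findings


def expected_unauthenticated_status(cfg):
    """HTTP status an unauthenticated Kubelet API request would get.
    Assumes no RBAC binding grants anything to system:anonymous."""
    if not anonymous_enabled(cfg):
        return 401                      # rejected at authentication
    if authz_mode(cfg) == "AlwaysAllow":
        return 200                      # accepted and processed
    return 403                          # Webhook/RBAC denies the anonymous user


# Constructed sample configurations (not from any real cluster).
WEAK_CONFIG = {"kind": "KubeletConfiguration",
               "authentication": {"anonymous": {"enabled": True}},
               "authorization": {"mode": "AlwaysAllow"}}
OMITTED_CONFIG = {"kind": "KubeletConfiguration"}   # silently inherits defaults
HARDENED_CONFIG = {"kind": "KubeletConfiguration",
                   "authentication": {"anonymous": {"enabled": False},
                                      "webhook": {"enabled": True}},
                   "authorization": {"mode": "Webhook"}}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("omitted", OMITTED_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, expected_unauthenticated_status(cfg), audit_kubelet_config(cfg))
```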