blog.aquasec.com
Open in
urlscan Pro
2606:2c40::c73c:67e4
Public Scan
URL:
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries
Submission: On July 14 via manual from CA — Scanned from CA
Submission: On July 14 via manual from CA — Scanned from CA
Form analysis 3 forms found in the DOM
GET https://blog.aquasec.com/hs-search-results
<form action="https://blog.aquasec.com/hs-search-results" method="GET">
<input type="text" class="navbar_search_input" name="term" autocomplete="off" placeholder="Enter a keyword to search the blog">
<input type="hidden" name="type" value="BLOG_POST">
<input type="hidden" name="length" value="SHORT">
<input type="submit" class="navbar_submit_button" value="Search">
</form>POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1665891/bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c
<form id="hsForm_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1665891/bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
class="hs-form-private hsForm_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c hs-form-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c hs-form-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_c8a14213-6a8f-46a9-bf1a-37286b213b25 hs-form stacked"
target="target_iframe_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" data-instance-id="c8a14213-6a8f-46a9-bf1a-37286b213b25" data-form-id="bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c" data-portal-id="1665891">
<div class="hs_firstname hs-firstname hs-fieldtype-text field hs-form-field"><label id="label-firstname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your First Name"
for="firstname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>First Name</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="firstname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" name="firstname" placeholder="" type="text" class="hs-input" inputmode="text" autocomplete="given-name" value=""></div>
</div>
<div class="hs_lastname hs-lastname hs-fieldtype-text field hs-form-field"><label id="label-lastname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your Last Name"
for="lastname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>Last Name</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="lastname-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" name="lastname" placeholder="" type="text" class="hs-input" inputmode="text" autocomplete="family-name" value=""></div>
</div>
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your Email"
for="email-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>Email</span><span class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_comment hs-comment hs-fieldtype-textarea field hs-form-field"><label id="label-comment-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your Comment"
for="comment-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>Comment</span><span class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><textarea id="comment-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="hs-input hs-fieldtype-textarea" name="comment" required="" placeholder=""></textarea></div>
</div>
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your UTM_Source"
for="utm_source-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>UTM_Source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your UTM_Campaign"
for="utm_campaign-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>UTM_Campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your UTM_Medium"
for="utm_medium-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>UTM_Medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your UTM_Content"
for="utm_content-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>UTM_Content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_term hs-utm_term hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your UTM_Term"
for="utm_term-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>UTM_Term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_gclid hs-gclid hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-gclid-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" class="" placeholder="Enter your GCLID"
for="gclid-bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587"><span>GCLID</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="gclid" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary" value="Submit Comment"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1689351819934","formDefinitionUpdatedAt":"1681717672680","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Safari/537.36","pageTitle":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","pageUrl":"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries","pageId":"111741012843","isHubSpotCmsGeneratedPage":true,"canonicalUrl":"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries","contentType":"blog-post","hutk":"55cfea3e27166b2412f57461fe42087f","__hsfp":2241961375,"__hssc":"207889101.1.1689351820985","__hstc":"207889101.55cfea3e27166b2412f57461fe42087f.1689351820985.1689351820985.1689351820985.1","formTarget":"#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c","formInstanceId":"9587","pageName":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","locale":"en","timestamp":1689351821006,"originalEmbedContext":{"portalId":"1665891","formId":"bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c","region":"na1","target":"#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"9587","formsBaseUrl":"/_hcms/forms","css":"","submitButtonClass":"hs-button primary","isMobileResponsive":true,"pageName":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","pageId":"111741012843","contentType":"blog-post","isCMSModuleEmbed":true,"type":"BLOG_COMMENT"},"correlationId":"c8a14213-6a8f-46a9-bf1a-37286b213b25","renderedFieldsIds":["firstname","lastname","email","comment","utm_source","utm_campaign","utm_medium","utm_content","utm_term","gclid"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.3372","sourceName":"forms-embed","sourceVersion":"1.3372","sourceVersionMajor":"1","sourceVersionMinor":"3372","_debug_allPageIds":{"embedContextPageId":"111741012843","analyticsPageId":"111741012843","pageContextPageId":"111741012843"},"_debug_embedLogLines":[{"clientTimestamp":1689351820090,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"getExtraMetaDataBeforeSubmit\"]"},{"clientTimestamp":1689351820090,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries\",\"pageUrl\":\"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Safari/537.36\",\"pageId\":\"111741012843\",\"isHubSpotCmsGeneratedPage\":true}"},{"clientTimestamp":1689351820093,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"CA\""},{"clientTimestamp":1689351821002,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"55cfea3e27166b2412f57461fe42087f\",\"canonicalUrl\":\"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries\",\"contentType\":\"blog-post\",\"pageId\":\"111741012843\"}"}]}"><iframe
name="target_iframe_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c_9587" style="display: none;"></iframe>
</form>POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1665891/fc3a461b-474b-4bd2-b409-c41d4ec09d8a
<form id="hsForm_fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/1665891/fc3a461b-474b-4bd2-b409-c41d4ec09d8a"
class="hs-form-private hsForm_fc3a461b-474b-4bd2-b409-c41d4ec09d8a hs-form-fc3a461b-474b-4bd2-b409-c41d4ec09d8a hs-form-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_f273e942-2835-4a32-ba3e-75d807aa0cfb hs-form stacked"
target="target_iframe_fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" data-instance-id="f273e942-2835-4a32-ba3e-75d807aa0cfb" data-form-id="fc3a461b-474b-4bd2-b409-c41d4ec09d8a" data-portal-id="1665891">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your Email Address" for="email-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>Email
Address</span><span class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_blog_default_hubspot_blog_subscription hs-blog_default_hubspot_blog_subscription hs-fieldtype-radio field hs-form-field" style="display: none;"><label
id="label-blog_default_hubspot_blog_subscription-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your Notification Frequency"
for="blog_default_hubspot_blog_subscription-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>Notification Frequency</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="blog_default_hubspot_blog_subscription" class="hs-input" type="hidden" value="instant"></div>
</div>
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your UTM_Source"
for="utm_source-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>UTM_Source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your UTM_Campaign"
for="utm_campaign-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>UTM_Campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your UTM_Medium"
for="utm_medium-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>UTM_Medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your UTM_Content"
for="utm_content-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>UTM_Content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_term hs-utm_term hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" class="" placeholder="Enter your UTM_Term"
for="utm_term-fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491"><span>UTM_Term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Subscribe"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1689351819941","formDefinitionUpdatedAt":"1669751364161","renderRawHtml":"true","isLegacyThemeAllowed":"true","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Safari/537.36","pageTitle":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","pageUrl":"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries","pageId":"111741012843","isHubSpotCmsGeneratedPage":true,"canonicalUrl":"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries","contentType":"blog-post","hutk":"55cfea3e27166b2412f57461fe42087f","__hsfp":2241961375,"__hssc":"207889101.1.1689351820985","__hstc":"207889101.55cfea3e27166b2412f57461fe42087f.1689351820985.1689351820985.1689351820985.1","formTarget":"#hs_form_target_module_14538258496742317_8491","formInstanceId":"8491","pageName":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","locale":"en","timestamp":1689351821001,"originalEmbedContext":{"portalId":"1665891","formId":"fc3a461b-474b-4bd2-b409-c41d4ec09d8a","region":"na1","target":"#hs_form_target_module_14538258496742317_8491","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"8491","formsBaseUrl":"/_hcms/forms","css":"","inlineMessage":"Thanks for Subscribing!","isMobileResponsive":true,"pageName":"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries","pageId":"111741012843","contentType":"blog-post","formData":{"cssClass":"hs-form stacked"},"isCMSModuleEmbed":true},"correlationId":"f273e942-2835-4a32-ba3e-75d807aa0cfb","renderedFieldsIds":["email","blog_default_hubspot_blog_subscription","utm_source","utm_campaign","utm_medium","utm_content","utm_term"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.3372","sourceName":"forms-embed","sourceVersion":"1.3372","sourceVersionMajor":"1","sourceVersionMinor":"3372","_debug_allPageIds":{"embedContextPageId":"111741012843","analyticsPageId":"111741012843","pageContextPageId":"111741012843"},"_debug_embedLogLines":[{"clientTimestamp":1689351820038,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries\",\"pageUrl\":\"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Safari/537.36\",\"pageId\":\"111741012843\",\"isHubSpotCmsGeneratedPage\":true}"},{"clientTimestamp":1689351820043,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"CA\""},{"clientTimestamp":1689351820997,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"55cfea3e27166b2412f57461fe42087f\",\"canonicalUrl\":\"https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries\",\"contentType\":\"blog-post\",\"pageId\":\"111741012843\"}"}]}"><iframe
name="target_iframe_fc3a461b-474b-4bd2-b409-c41d4ec09d8a_8491" style="display: none;"></iframe>
</form>Text Content
Aqua uses website cookies to give visitors a better service. To find out more
about the cookies we use, see our Privacy Policy
Accept Decline
Aqua Security
* Products
* Solutions
* Resources
* Company
Search Sign In Try Aqua
Aqua Blog
Mor Weinberger Assaf Morag
April 24, 2023
FORTUNE 500 AT RISK: 250M ARTIFACTS EXPOSED VIA MISCONFIGURED REGISTRIES
What if you were told that you had a misconfigured registry with hundreds of
millions of software artifacts containing highly confidential and sensitive
proprietary code and secrets exposed in your environment right now? This would
be what you’d call a really bad day for security. Recently, the Aqua Nautilus
research team found just that in some of the world’s largest organizations,
including five Fortune 500 companies.
In some of these cases, anonymous user access allowed a potential attacker to
gain sensitive information, such as secrets, keys, and passwords, which could
lead to a severe software supply chain attack and poisoning of the software
development life cycle (SDLC). In total, we detected thousands of exposed
registries and artifact repositories containing over 250 million artifacts and
over 65 thousand container images.
Our experience working with the security teams of companies such as IBM, Cisco,
Siemens and Alibaba were excellent. We followed established procedures to report
our findings through designated channels, and we found that the security teams
were eager to learn from our discoveries, take immediate corrective action, and
seek out long-term solutions. However, we were surprised that some major
corporations ignored our warnings, which put both their businesses and customers
at significant risk.
SOFTWARE DEVELOPMENT LIFE CYCLE IN THE CLOUD
The SDLC is a set of best practices, processes, and tools that enables
organizations to create and deploy software in the cloud efficiently. It aims to
reduce the risk of errors and bugs by automating the process of building,
testing, and deploying software. The SDLC typically includes writing code and
committing it to a version control system, automating the building and testing
of the code using Continuous Integration (CI) tools, and deploying the code to a
staging environment for testing and validation. Once these steps are
successfully completed, the code is then deployed to production or stored in
container image or artifact registries for future use.
REGISTRIES, REPOSITORIES, AND ARTIFACT MANAGEMENT SYSTEMS
Registry, repositories, and artifact management systems are different types of
development and operation software used in package management:
* Registry is a central location for storing and managing packages
* Repository is a collection of packages within a registry
* Artifact management system is a tool for managing binary files such as JAR
files
The main difference is that a registry is a general term for a place to store
and manage packages, a repository is a specific collection within a registry,
and an artifact management system is a type of registry for managing binary
files.
THE SCOPE OF OUR RESEARCH
The cloud has a vast attack surface, with numerous potential entry points that
attackers can use to gain access to a cloud environment. Our research focused on
software supply chain attacks, specifically how threat actors exploit
registries. We believe that registries are a crucial part of the software supply
chain in the cloud and that organizations don’t pay enough attention to them. If
attackers gain access to registries, they can propagate and potentially exploit
the entire SDLC.
At this point it is imperative to state out that in many cases artifact
management systems and container registries are connected to the internet
deliberately and by design allowing anonymous users to connect to various areas
in the registry or even to the entire registry. This design allows global teams,
customers and other stakeholders access to open-source software that is shared
across the company or with outside users. In some cases, however, restricted
environments are accidentally shared with anonymous users, in other cases teams
accidentally publish sensitive information to public areas.
In this blog post, we are shedding light on the potential dangers of
misconfigurations in registries and how it can be extremely risky in certain
scenarios. We’ll cover misconfigurations such as mistakenly connecting registry
to the internet, exposing secrets to public registries, using default passwords,
granting high privileges to users, and more.
We’ll also examine anonymous access. In some tools, it’s considered a
misconfiguration issue, for example in a private container image registry, while
in others anonymous access is a built-in feature intended to make the cloud SLDC
easier for organizations.
We discovered that some organizations fail to properly secure these highly
critical environments, leaving them exposed to the internet and vulnerable to
exploitation, which can lead to serious and damaging attacks.
SUMMARY OF THE FINDINGS
Our research was conducted from an attacker’s perspective, where we examined how
an attacker could gain initial access and how far they could move laterally
across the cloud development pipeline.
In our research, we discovered multiple container image registries and Quay
registries. In addition, we also found Sonatype-Nexus registries and JFrog
artifactories that were publicly accessible on the internet. An accessible over
the internet registry is one that is connected to the internet and can be
accessed at least as far as the login page. An anonymous user access registry is
one that can be accessed with anonymous read and/or write privileges.
Here are the key findings:
While we are fully aware that in many cases finding an artifact registry
connected to the internet and even one that allows anonymous user access, since
in many times these registries are accessible by design, we weren't expecting to
find inside these registries’ secrets. As you can see in the figure below, on
1,400 distinct hosts we found at least one sensitive key (such as keys, secrets,
credentials, tokens, etc.) and on 156 hosts we found private sensitive addresses
of end points (such as Redis, MongoDB, PostgreSQL, MySQL, etc.).
We found 57 registries with critical vulnerabilities such as default admin
passwords, out of which 15 registries allowed admin access with the default
password. We detected more than 2,100 artifact registries with upload
permissions, which may allow an attacker to poison the registry with malicious
code.
We found small, medium, and large organizations from all over the world,
including 10 companies from the Fortune 500 list. Only the registries of five
Fortune 500 companies contained highly sensitive information and in some cases
wasn’t supposed to be exposed or allow anonymous access. Additionally, we found
two leading cybersecurity companies had exposed secrets in their registries, and
a significant number of smaller companies had similar issues that put them at
risk.
The combined annual revenue of all companies in our research is 1.3 trillion USD
and, on average, each company has a revenue of 10 billion USD, with a median
revenue of 30 million USD.
THE RISKS OF EXPOSED AND EXPLOITABLE REGISTRIES
Here are a few examples of the potential consequences of having an exposed and
exploitable registry connected to the internet:
International tech giant: The risks of Shadow IT
During our research, we discovered two misconfigured container image registries
that belonged to the development and engineering teams working on a Fortune 100
tech giant’s cloud. One of the container image manifests contained a command to
download artifacts from the artifact registry, which included an active API key
to retrieve internal binaries as part of building an image.
We found that the artifact registry contained 2,600 repositories with over 240
million artifacts, since its sensitivity we sampled few artifacts and found it
including repositories with built artifacts affiliated with the production
environment and repositories for managing internal software libraries. Moreover,
The API key had 'can deploy' privileges, which could potentially allow a bad
actor to poison artifacts such as libraries, images, and releases.
We decided to halt our research at this point due to the sensitivity of their
environment and disclose our findings to the company’s CIRT team.
The tech giant’s security team was very professional and eager to learn about
our findings. They promptly investigated the items in our report and took
immediate measures to mitigate the risks. We later learned that this was a case
of Shadow IT, where a developer with a side project opened an environment
against policy and regulations without proper controls.
The company’s security team shared many lessons to learn from this case. Shadow
IT is a serious problem that poses a threat to any organization, big or small.
However, several steps could have prevented access to these environments. First,
the registry should not be exposed to anonymous users. Second, the manifest
should not contain hard-coded secrets. Third, the API key should follow the
principle of least privilege and apply key rotation policy, and fourth, network
controls should protect the API of the artifact registry.
Here is an illustration of how it could have been done:
An attacker could have gained a further foothold in the company's cloud
environments by poisoning the artifact repositories, which allows him to control
the entire software supply chain, from infecting the developers and up to the
cloud platform environment
International tech giant #2: The risks of purposely open artifact registries
During our research, we discovered that another tech giant, “company #2” had a
deliberately open public artifact registry. In today's fast-paced software
development landscape, it is crucial to ensure that businesses can operate as
smoothly as possible. However, these types of environments can be challenging to
secure. With hundreds of teams and thousands of professionals working with
public environments, it is inevitable that mistakes will happen.
In the case of “Company #2”, we found a project that was nearing its end-of-life
that revealed a token. Our disclosure prompted an internal discussion within the
organization. Although the company claimed the token was meant to be public, we
shared concerns about the potential attack vectors. For instance, if internal
names of artifacts such as Python or NPM packages were exposed to the internet,
it could create an attack vector for the popular dependency confusion that could
have a significant impact on the organization.
The security stakeholders made the decision that all individuals, whether
internal or external, must be adequately monitored when it comes to
organizational assets. With so many professionals having access, it is only a
matter of time before someone makes a mistake. As a result, Company #2
implemented stricter controls over the registries, requiring users to register
and issue tokens with expiration dates. This is another example of a security
team eager to learn and educate the community.
Healthcare organization: Complete access for an attacker to prey
During our research, we discovered a container image registry that contained
plenty of keys and secrets to the organization's environments, including PGP
keys, complete access to websites, database access, staging environments, Stripe
(payment application) keys, and their code. This information could have been
used by an attacker to poison their codebase and gain unauthorized access to the
organization's environments. Lastly since this was a healthcare organization it
could have been targeted by state-sponsored threat actors or financial threat
actors who sell private indefinable information over the dark-web which can lead
to identity theft of the customers of the healthcare. Unfortunately, it was very
hard to find a proper professional to disclose this issue. But after 3 weeks of
persevering attempts, we disclosed this matter, and they took immediate action.
Tech startup: Exposing environment variables to anonymous users
We also uncovered a startup that had an anonymous user with access to their
artifact registry. It also allowed access to the artifact build section, where
the anonymous user was able to view the environment variables. From there, the
anonymous user was able to see the admin access credentials to the artifact
registry, AWS credentials to production environments, and access to the
company’s source code management and CI environments.
We alerted the company of this issue, and the CTO acknowledged it as an instance
of Shadow IT with active AWS credentials to highly sensitive environments.
IMMEDIATE STEPS TO TAKE
If you have a registry instance in your environment, we recommend taking the
following actions immediately:
* Check if it is exposed to the internet.
* If the registry is connected to the internet by design, check that the
version isn’t critically vulnerable and that the default password is
disabled. Verify that the passwords are strong enough.
* In addition, verify that the anonymous user is disabled. If the anonymous
user is purposely enabled, verify that public artifacts in your repository do
not contain any secrets.
* Rotate any secrets that may have been exposed.
We prepared a handy cheat sheet to help you tackle this with confidence and
mitigate the risks:
Aqua’s software supply chain security module automatically checks and alerts on
these critical registry misconfigurations. The solution plugs in directly into
the CI/CD stack (including registries) and scans for vulnerabilities in the code
/ image layer, the pipeline process, and tool configuration. If we take this
specific example, as soon as you connect your registry to Aqua, you’ll be able
to see if you’re using default passwords, have exposed instances / instances
which allow for anonymous user access, secret rotation misconfigured, and more.
You can see an example from a test environment below.
This is aimed to both continuously audit the environment against compliance best
practices and give you the capability to automatically detect and remediate the
misconfigurations that are putting you at actual risk, like in the case
described in this blog. Users have also expressed that this is extremely handy
in cases where they have a wide CI/CD tech stack; instead of having to manually
check each of their instances regularly (we found that most companies leverage a
variety of different tools and instances for their regular development
operations), the tool applies the security standard and validates it across the
entire development organization; no matter how wide or complex.
CONCLUSION AND MITIGATION
At Aqua Nautilus, we often engage with organizations to gain insights into their
current cloud security practices. In these discussions, it’s clear that many
security professionals, including CISOs, security engineers, DevOps engineers,
and application security experts, do not fully grasp the significant and
damaging impact that a single misconfiguration can have. Despite claims of
hardening their environments, many remain unaware of the risks associated with
cloud misconfigurations.
We began our research with the goal of better understanding who is behind
exposed and misconfigured registries and the potential impact of a skilled
attacker. The findings were both surprising and concerning.
Our research also highlights how important it is for an organization to have a
security responsible disclosure program in place. This program is designed to
allow security researchers to report in a structured manner any potential
vulnerabilities they discovered in company’s products. This way, it enables an
organization to quickly address and resolve security issues before they can be
exploited by malicious actors.
In our research, we used this program to disclose severe misconfigurations.
Nautilus found that organizations with existing responsible disclosure programs
were able to fix a misconfiguration in less than a week. However, for
organizations without such a program in place, the process was more difficult
and time-consuming.
To sum it up, a security responsible disclosure program is a crucial tool that
helps organizations protect their systems, data, and reputation from cyber
threats. It’s vital that organizations establish or add a dedicated email
address and a focal point on their website to facilitate the reporting of
potential security issues.
Our main takeaway from this research is that everyone should invest more in
detecting and mitigating cloud-native environment risks. To effectively reduce
the risks associated with exposed container registries and artifact registries,
it’s essential to take the following steps:
1. Secure the repositories with network controls such as a VPN or firewall.
This can help to protect the repositories from external threats and reduce
the risk of unauthorized access.
2. Implement strong authentication and authorization measures. This includes
using strong passwords, two-factor authentication, SSO and replacing default
passwords.
3. Regularly rotate keys, credentials, and secrets. This includes periodically
changing passwords, access keys, and other forms of authentication and
authorization to prevent unauthorized access.
4. Implement least privilege access controls and scoping, assigning the
appropriate level of access to different roles especially for anonymous
access and restricting access to specific repositories and artifacts as
needed.
5. Regularly scan for sensitive data. This includes scanning artifact and
container registries for known vulnerabilities and secrets and conducting
regular security assessments in the repositories. It’s important to promptly
address and mitigate any vulnerabilities and rotate any exposed secrets in
order to prevent exploitation by attackers.
By implementing these best practices, organizations can effectively mitigate the
risks of exposing their registries and artifact repositories and protect against
potential security threats. Download a full list of recommendations to mitigate
risk from exposed registries & artifact repositories here.
Disclosure Timeline
* End of November 2022 – First disclosure of a severe risk
* December 2022- Reaching out to the majority of the companies found at risk
* January 2023 – Finding the Healthcare organization and sealing the breach
* January - April 2023 – 3 months period requested by companies to apply full
root cause analysis including mitigation.
Subscribe for Security Alerts
Learn about discovered new vulnerabilities, threats, and attacks that target
containers, Kubernetes, serverless, and public cloud infrastructure
Thanks! Stay tuned for updates
Our research has highlighted the importance of organizations having a security
responsible disclosure program in place. This program allows security
researchers to report any potential vulnerabilities they have discovered in a
structured manner, enabling the organization to quickly address and resolve the
issue before it can be exploited by malicious actors. Our research found that,
on average, it took only 1.5 days for organizations with responsible disclosure
programs to close a misconfiguration once it was reported. However, for
organizations without such a program in place, it was a more difficult and
time-consuming process. Overall, a security responsible disclosure program is a
vital tool that helps organizations to better protect their systems, data, and
reputation from cyber threats. It is crucial that organizations establish or add
a dedicated email address and a focal point in their website to facilitate the
reporting of potential security issues
MOR WEINBERGER
Mor is a Staff Software Engineer at Aqua Security. With vast experience in
analyzing cloud native security and supply chain threats. He recently worked
alongside CIS to co-create the industry’s first formal guidelines for software
supply chain security and led the development of an open source tool that audits
and ensures compliance with the guidelines. Mor regularly uncovers new and
emerging threats such as cryptomining campaigns and shares his research with the
community. Mor was part of the Argon Security team acquired by Aqua in 2021.
Prior to joining Argon Security, he worked at one of the leading cloud
providers. Today, he focuses on developing innovative software supply chain
security projects and fusing them into the CNAPP platform.
ASSAF MORAG
Assaf is a Lead Data Analyst at Aqua Nautilus research team, he focuses on
supporting the data needs of the team, obtaining threat intelligence and helping
Aqua and the industry stay at the forefront of new threats and methodologies for
protection. His work has been published in leading info security publications
and journals across the globe, and most recently he contributed to the new MITRE
ATT&CK Container Framework.
Security Threats, DevSecOps, CI/CD, Software Supply Chain Security
READ MORE
First Name
Last Name
Email*
Comment*
UTM_Source
UTM_Campaign
UTM_Medium
UTM_Content
UTM_Term
GCLID
SUBSCRIBE TO EMAIL UPDATES
Email Address*
Notification Frequency
UTM_Source
UTM_Campaign
UTM_Medium
UTM_Content
UTM_Term
POPULAR POSTS
* A Brief History of Containers: From the 1970s Till Now
* Top 20 Docker Security Best Practices: Ultimate Guide
* Protecting Kubernetes Secrets: A Practical Guide
* Which Kubernetes Management Platform is Right for You?
* Threat Alert: Kinsing Malware Attacks Targeting Container Environments
FILTER BY TOPIC
* Container Security (110)
* Kubernetes Security (93)
* Cloud Native Security (81)
* Security Threats (80)
* Image Vulnerability Scanning (49)
* Aqua Open Source (47)
* AWS Security (35)
* Docker Security (35)
* Runtime Security (35)
* Vulnerability Management (34)
* Software Supply Chain Security (25)
* CSPM (24)
* Cloud compliance (24)
* Container Vulnerability (24)
* DevSecOps (23)
* Aqua Security (17)
* CI/CD (17)
* CNAPP (16)
* Secrets (12)
* Supply Chain Attacks (12)
* Application Security (11)
* Serverless-Security (11)
* ebpf (10)
* Host Security (9)
* Advanced malware protection (8)
* Cloud security conferences (8)
* Fargate (8)
* Kubernetes (8)
* Cloud Workload Protection Platform CWPP (7)
* Hybrid Cloud Security (7)
* Malware Attacks (7)
* Attack Vector (6)
* Container platforms (6)
* Google cloud security (6)
* OpenShift (6)
* SBOMs (6)
* Secure VM (6)
* Security Policy (6)
* Infrastructure-as-Code (IaC) (5)
* Security Automation (5)
* Windows Containers (5)
* Azure security (4)
* Cloud security (4)
* Docker containers (4)
* Kubernetes RBAC (4)
* Service Mesh (4)
* Container Deployment (3)
* IBM Cloud (3)
* Microservices (3)
* Nano-Segmentation (3)
* Agentless Security (2)
* FaaS (2)
* Network Firewall (2)
* VMware Tanzu (2)
* code security (2)
* Advanced Threat Mitigation (1)
* Cloud VM (1)
* Drift Prevention (1)
* Kubernetes Authorization (1)
* Network (1)
* shift Left security (1)
Show more...
Aqua Container Security
Aqua Security is the largest pure-play cloud native security company, providing
customers the freedom to innovate and accelerate their digital transformations.
The Aqua Platform is the leading Cloud Native Application Protection Platform
(CNAPP) and provides prevention, detection, and response automation across the
entire application lifecycle to secure the supply chain, secure cloud
infrastructure and secure running workloads wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services,
software, media, manufacturing and retail, with implementations across a broad
range of cloud providers and modern technology stacks spanning containers,
serverless functions and cloud VMs.
Copyright © 2023 Aqua Security Software Ltd.
Use Cases
* Automate DevSecOps
* Modernize Security
* Compliance and Auditing
* Serverless Containers & Functions
* Hybrid and Multi Cloud
Environments
* Kubernetes Security
* OpenShift Security
* Docker Security
* AWS Cloud Security
* Azure Cloud Security
* Google Cloud Security
* VMware PKS Security
Contact Us
* Contact Us
* Contact Support
Products
* Aqua Cloud native security
* Open Source Container Security
* Platform Integrations
Resources
* Live Webinars
* O’Reilly Book: Kubernetes Security
* Cloud native Wiki
About Us
* About Aqua
* Newsroom
* Careers
The Agent vs Agentless Debate is Over!
Read More
Subscribe to the blog
Get the latest cloud native insights from our experts!
email address
Sign Up
Thank you!