Misconfigured container services are a security risk

The Unit 42 threat intelligence research team at Palo Alto Networks has identified more than 40,000 unique container hosting devices that have default container configurations, which can be a “significant security risk” for organisations.

Searches using the open source Shodan search engine found that the Kubernetes and Docker container platforms have more than 20,000 unique instances apiece, reveals a blog post on the research.

Although not all misconfigured platforms are vulnerable to exploits or the leakage of sensitive data, the researchers said the finding highlights that basic misconfiguration practices exist and can make organisations targets for further compromising events.

“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organisations,” says the blog post, giving the example of the theft of keys and tokens for about 190,000 Docker accounts in April 2019, when an attacker was able to exploit weak security configurations of key and token storage within a cloud environment.

Further research by Unit 42 into some of the exposed Kubernetes and Docker instances to see what services were exposed and what information is being leaked, revealed sites exposing database instances to the public and sites easily exposing personal information.

To avoid common methods used by attackers to gather data, Unit 42 researchers recommend that organisations use orchestration platforms that provide configuration functionality for containers and can provide policy enforcement for the platform.

This functionality covers security or audit logging, role-based access control, and network connection enforcement for cloud infrastructure. Unit 42 said: “Selecting the appropriate orchestration platforms or service providers can greatly assist in the security of cloud containers.”

Other recommendations to improve the overall security of container platforms include:

• Investing in cloud security platforms or managed services that focus on container security strategies.
• Limiting access to services hosted on containers to internal networks, or prior designated personnel, through the use of firewall controls or container platform network policies.
• Establishing basic authentication requirements for Docker and Kubernetes containers.
• Identifying the type of data stored or managed within each container and using the appropriate security practices to keep these data types secure.
• Isolating services to their own containers.

Misconfigurations, such as using default container names and leaving default service ports exposed to the public, leave organisations vulnerable to targeted reconnaissance, the researchers said.

However, using the proper network policies, or firewalls, can prevent internal resources from being exposed to the public internet.

“Additionally, investing in cloud security tools can alert organisations to risks within their current cloud infrastructure,” the researchers said, reiterating that recent security breaches have shown that organisations operating in the cloud face great risks.