Researchers Find 250 Million Artifacts Exposed in Misconfigured Registries

Researchers at Aqua Nautilus have found thousands of misconfigured artifact repositories and container image registries, exposing the organizations that run them to potentially serious software supply chain attacks.

In total, the researchers found over 250 million software artifacts and over 65,000 container images exposed in this way, putting some of the world’s largest companies, including Fortune 500 firms, at risk.

Artifact management systems and container registries are often intentionally connected to the Internet and allow anonymous users to connect, so that stakeholders around the world can access open source software. The exposure is not always deliberate, however.

The report uncovers cases where “restricted environments were accidentally shared with anonymous users,” and where teams “accidentally exposed sensitive information to public areas.”

For more information on software supply chain risks, see Software Supply Chain Attacks Surge 742% in 3 Years.

Misconfigurations discovered by the Aqua Nautilus team included incorrectly connecting registries to the Internet, pushing sensitive information to public registries, using default passwords, and granting users excessive privileges. The team also found private container image registries misconfigured to allow anonymous access, and registries in which anonymous access was enabled as a built-in feature.

“We found 57 registries with critical vulnerabilities such as default administrator passwords, 15 of which allowed administrator access with default passwords,” the report notes. “We have detected over 2100 artifacts with upload permissions in the registries, which may allow an attacker to poison the registry with malicious code.”

Small, medium, and large organizations around the world, including 10 Fortune 500 companies, were exposed in this way. Five of those companies had registries containing highly sensitive information that was either public or allowed anonymous access. The researchers also found two cybersecurity companies with sensitive information exposed in their registries.

Aqua Nautilus recommends companies reduce risk to cloud-native environments by:

  • Securing repositories with network controls such as VPNs and firewalls
  • Adding strong authentication and authorization, such as strong passwords and two-factor authentication
  • Regularly rotating keys, credentials, and secrets
  • Restricting access to specific repositories and artifacts as needed, and implementing least-privilege access control
  • Regularly scanning artifacts for known vulnerabilities and exposed secrets, and conducting regular security assessments of repositories
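The two findings most easily checked from the outside, anonymous access to a private registry and anonymous upload permission, line up with the last two recommendations above (restrict access, assess repositories regularly). The following audit script is an added example and is not code from Aqua Nautilus or the report. It assumes the target speaks the Docker Registry HTTP API v2 (GET /v2/, GET /v2/_catalog, POST /v2/<name>/blobs/uploads/), which the article does not name; the host name registry.example and the two fake_* responders are constructed sample data so the script runs offline. Against a live registry it sends only unauthenticated requests and cancels any upload session it manages to open, but run it only against registries you are authorised to test.

```python
"""Audit a Docker Registry v2 endpoint for anonymous read and push access.

Added example (not from the article). Assumed API behaviour:
  GET  /v2/                       -> 200 if the caller may use the API, 401 otherwise
  GET  /v2/_catalog               -> JSON {"repositories": [...]} (first page only)
  POST /v2/<name>/blobs/uploads/  -> 202 + Location header when an upload session opens
A 202 on the POST without credentials means anonymous push is allowed; the
session is cancelled immediately with DELETE so nothing is written.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, bytes, Dict[str, str]]
HttpFn = Callable[[str, str], Response]


def urllib_http(method: str, url: str) -> Response:
    """Send one unauthenticated request; return status/body/headers, never raise on 4xx/5xx."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.read(), dict(err.headers)


def audit_registry(base_url: str, http: HttpFn = urllib_http) -> dict:
    """Return {anonymous_api, repositories, anonymous_push} for one registry."""
    base = base_url.rstrip("/")
    report: dict = {"anonymous_api": False, "repositories": [], "anonymous_push": None}

    status, _, _ = http("GET", f"{base}/v2/")
    if status != 200:
        return report  # 401 here means anonymous callers are refused: nothing more to probe
    report["anonymous_api"] = True

    status, body, _ = http("GET", f"{base}/v2/_catalog")
    if status == 200:
        try:
            repos: List[str] = json.loads(body).get("repositories", [])
            report["repositories"] = repos
        except ValueError:
            pass

    # Push probe: open an upload session on one listed repository, then cancel it.
    target = report["repositories"][0] if report["repositories"] else None
    if target:
        status, _, headers = http("POST", f"{base}/v2/{target}/blobs/uploads/")
        report["anonymous_push"] = status == 202
        loc = headers.get("Location") or headers.get("location")
        if status == 202 and loc:
            http("DELETE", loc if loc.startswith("http") else base + loc)
    return report


# Constructed responders standing in for two registries (sample data, not real hosts).
def fake_open_registry(method: str, url: str) -> Response:
    """Misconfigured registry: anonymous API, catalog listing and push all allowed."""
    path = urllib.parse.urlsplit(url).path
    if method == "GET" and path == "/v2/":
        return 200, b"{}", {}
    if method == "GET" and path == "/v2/_catalog":
        body = json.dumps({"repositories": ["internal/build-tools", "internal/api"]})
        return 200, body.encode(), {}
    if method == "POST" and path == "/v2/internal/build-tools/blobs/uploads/":
        return 202, b"", {"Location": "/v2/internal/build-tools/blobs/uploads/abc123"}
    if method == "DELETE":
        return 204, b"", {}
    return 404, b"", {}


def fake_locked_registry(method: str, url: str) -> Response:
    """Correctly configured registry: every anonymous request is refused."""
    body = b'{"errors":[{"code":"UNAUTHORIZED"}]}'
    return 401, body, {"Www-Authenticate": 'Bearer realm="https://registry.example/token"'}


if __name__ == "__main__":
    for name, responder in (("open", fake_open_registry), ("locked", fake_locked_registry)):
        print(name, audit_registry("https://registry.example", responder))
```

Replace the responder with the default urllib_http to audit a real endpoint; a report with anonymous_api true on a registry that was meant to be private, or anonymous_push true on any registry, is exactly the class of misconfiguration the researchers describe and should be fixed before anything else.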

Some of the organizations contacted by the researchers engaged actively and took corrective action; worryingly, other “big companies” ignored their warnings.
