Over 250 million artifacts and 65,000 container images were exposed due to misconfigured registries, highlighting the importance of secure data
Aqua Security’s Nautilus Research Team has detected major vulnerabilities in some of the world’s largest organizations, including five Fortune 500 companies operating with a misconfigured registry with hundreds of millions of software artifacts exposed, including confidential and sensitive proprietary code and secrets. The exposed registries and artifact repositories contain over 250 million artifacts and over 65 thousand container images.
Misconfigurations such as mistakenly connecting a registry to the internet, publishing secrets to public registries, using default passwords, granting excessive privileges to users, and more can put both businesses and customers at significant risk. In some cases, anonymous user access has been granted, allowing a potential attacker to obtain sensitive information such as secrets, keys, and passwords. This can lead to a severe software supply chain attack and poisoning of the software development lifecycle (SDLC).
This research primarily focuses on software supply chain attacks and how threat actors exploit registries. Registries are a crucial part of the software supply chain in the cloud, and organizations need to pay attention to them.
Registry, repositories, and artifact management systems are different types of development and operation software used in package management. A registry is a central location for storing and managing packages, while a repository is a collection of packages within a registry. An artifact management system is a tool for managing binary files such as JAR files. The main difference is that a registry is a general term for storing and managing packages, a repository is a specific collection within a registry, and an artifact management system is a type of registry for managing binary files.
The cloud has a vast attack surface, with numerous potential entry points that attackers can use to access a cloud environment. The Aqua Nautilus research team focused on software supply chain attacks, specifically how threat actors exploit registries. Registries are a crucial part of the software supply chain in the cloud, and organizations often do not pay enough attention to them. Attackers can propagate and potentially exploit the entire SDLC if they gain access to registries.
Artifact management systems and container registries are sometimes connected to the internet deliberately and by design, allowing anonymous users to connect to various areas in the registry or even to the entire registry. This design allows global teams, customers, and other stakeholders access to open-source software shared across the company or with outside users. In some cases, restricted environments are accidentally shared with anonymous users, while in other cases, teams accidentally publish sensitive information to public areas.
In our research, we found multiple container image registries and Quay registries, as well as Sonatype Nexus repositories and JFrog Artifactory instances, that were publicly accessible on the internet. An internet-accessible registry is one that can be reached from the internet at least as far as its login page; an anonymous-access registry is one that can be used with anonymous read and/or write privileges.
Our research was conducted from an attacker's perspective, where we examined how an attacker could gain initial access and how far they could move laterally across the cloud development pipeline. Aqua Security discovered several misconfigurations that could lead to a severe security breach:
The most critical misconfiguration found was exposing sensitive data to the public. On 1,400 distinct hosts, Aqua Security found at least one sensitive key, secret, credential, or token, and on 156 hosts it found exposed private addresses of endpoints such as Redis, MongoDB, PostgreSQL, MySQL, and others.
The consequences of these misconfigurations are severe, as they allow attackers to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the SDLC. These misconfigurations are easy to fix with simple best practices such as restricting access, using strong passwords, and removing anonymous access.
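A defender-side check for the kind of leakage described above, secrets, tokens and private database endpoints baked into an image's configuration, written as an added example; it is not part of the Aqua research or its tooling, and the regex patterns and the sample image config are constructed assumptions to be tuned for your own environment.

```python
import json
import re
from typing import Dict, List

# Illustrative patterns (assumption: extend for your own secret formats).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)\b(?:token|secret|password|passwd|api[_-]?key)\s*[=:]\s*\S{8,}"),
    # user:password embedded in a URL, e.g. scheme://user:pass@host
    "url_credentials": re.compile(r"://[^/\s:@]+:[^/\s@]+@"),
}
# Private endpoint references of the kinds the research calls out.
ENDPOINT_PATTERN = re.compile(
    r"\b(?:redis|mongodb(?:\+srv)?|postgres(?:ql)?|mysql)://[^\s\"']+", re.I)


def scan_image_config(config_json: str) -> Dict[str, List[str]]:
    """Scan an OCI/Docker image config (Env, Cmd, Labels, history) for findings.

    Returns a mapping of finding type -> offending strings; empty dict when clean.
    """
    cfg = json.loads(config_json)
    c = cfg.get("config", {})
    texts: List[str] = []
    texts.extend(c.get("Env") or [])
    texts.extend(c.get("Cmd") or [])
    texts.extend(f"{k}={v}" for k, v in (c.get("Labels") or {}).items())
    # Build steps (RUN lines) are preserved in history and often leak exports.
    texts.extend(h.get("created_by", "") for h in cfg.get("history", []))

    findings: Dict[str, List[str]] = {}
    for text in texts:
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.setdefault(name, []).append(text)
        for match in ENDPOINT_PATTERN.finditer(text):
            findings.setdefault("private_endpoint", []).append(match.group(0))
    return findings


# Constructed sample image config; the key and hosts are fake.
SAMPLE_CONFIG = json.dumps({
    "config": {
        "Env": ["PATH=/usr/bin",
                "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod",
                "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001"],
        "Cmd": ["/app/server"],
        "Labels": {"maintainer": "team@example.com"},
    },
    "history": [{"created_by":
                 "/bin/sh -c echo 'REDIS_URL=redis://cache.internal:6379' >> /etc/app.env"}],
})

if __name__ == "__main__":
    print(json.dumps(scan_image_config(SAMPLE_CONFIG), indent=2))
```

Run it as a pre-push gate (for example against `docker image inspect` output) so an image carrying credentials or internal endpoint addresses never reaches a registry where anonymous read access might expose it.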
Aqua Security has reported its findings through designated channels to the security teams of companies such as IBM, Cisco, Siemens, and Alibaba and found that those security teams were eager to learn from the discoveries, take immediate corrective action, and seek out long-term solutions. However, some major corporations ignored the warnings, which puts both their businesses and customers at risk.
Aqua Security’s Nautilus Research Team discovered that some organizations fail to properly secure these highly critical environments, leaving them exposed to the internet and vulnerable to exploitation, which can lead to severe and damaging attacks.
Total Registries
The team detected thousands of exposed registries and artifact repositories containing over 250 million artifacts and over 65 thousand container images. On 1,400 distinct hosts, the team found at least one sensitive item such as a key, secret, credential, or token, and on 156 hosts they found sensitive private addresses of endpoints such as Redis, MongoDB, PostgreSQL, MySQL, and others.
The team discovered that anonymous access to registries can pose a risk, particularly in certain scenarios. Anonymous access is a misconfiguration in some tools, while in others it is a built-in feature intended to make the cloud SDLC easier for organizations.