Security researchers at Cyble detected over 900,000 misconfigured Kubernetes clu...
Cyble security researchers have [detected](https://blog.cyble.com/2022/06/27/exposed-kubernetes-clusters/) over 900,000 misconfigured Kubernetes clusters that were publicized online, exposed to malicious scanning, some of which were even vulnerable to data-exposure hacks.
Cyble's findings come from an investigation to discover vulnerable Kubernetes instances across the Internet, employing the same scanning tools and search queries that malicious actors use.
The investigation found a staggering 900,000 exposed Kubernetes servers, 65% of them (585,000) located in the United States, 14 percent in China, 9 percent in Germany, and 6 percent each in the Netherlands and Ireland.
The most commonly exposed TCP ports were 443 (just over one million instances), 10250 (231,200 instances), and 6443 (84,400 instances).
It is crucial to note that not all of these exposed clusters are exploitable, and even among those that are, the level of danger varies based on the design of each individual cluster.
Cyble audited the error codes issued by the Kubelet API in response to unauthenticated calls in order to determine how many exposed instances posed a substantial danger.
The great majority of exposed instances return HTTP status 403 (Forbidden), meaning the unauthenticated request is rejected and cannot proceed, which prevents this kind of attack against them.
Then there is a subset of around 5,000 instances that respond with HTTP status 401 (Unauthorized), meaning the request is denied for lack of credentials.
However, this response tells a potential attacker that the cluster is live, so they can follow up with exploits against known vulnerabilities.
The remaining 799 Kubernetes instances return status code 200 and are entirely accessible to external attackers.
In such cases, threat actors can reach the Kubernetes Dashboard without a password, read all secrets, and take further actions.
While the number of vulnerable Kubernetes servers is relatively limited, all it takes is the discovery of a remotely exploitable flaw for a far higher number of devices to become susceptible to attack.
Consult the NSA and CISA recommendations for hardening Kubernetes to verify that your cluster is not among the 799 openly accessible instances or the 5,000 less severely exposed ones.
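One concrete hardening check a cluster operator can run before trusting the status codes above is to audit the kubelet's own configuration, since port 10250 is the kubelet API and its answer to unauthenticated callers is governed by the `authentication` and `authorization` stanzas of the KubeletConfiguration. The following is an added example, not Cyble's code or the NSA/CISA tooling; it parses a KubeletConfiguration (the kubelet accepts this file as JSON or YAML, and JSON is used here to stay in the standard library) and flags the settings that leave the kubelet answering anonymous requests. The two sample documents are constructed for the example.

```python
"""Audit a KubeletConfiguration for settings that let the kubelet API (TCP 10250)
serve unauthenticated requests. Added example; not Cyble's or NSA/CISA code."""
import json

# Constructed sample: explicitly weak settings (anonymous auth on, AlwaysAllow,
# legacy read-only port enabled).
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the hardened counterpart (anonymous off, bearer tokens
# checked with the API server via webhook, RBAC-backed Webhook authorization,
# read-only port disabled).
HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(config_text: str) -> list:
    """Return a list of findings; an empty list means no weak setting was found.

    Only explicitly weak values are flagged. Keys that are absent fall back to
    the kubelet config-file defaults, which are the secure values (note that
    the equivalent command-line flags have different, weaker defaults)."""
    cfg = json.loads(config_text)
    findings = []
    if cfg.get("kind") != "KubeletConfiguration":
        return ["document is not a KubeletConfiguration"]

    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled") is True:
        findings.append("authentication.anonymous.enabled is true: "
                        "requests without credentials are accepted as system:anonymous")
    if auth.get("webhook", {}).get("enabled") is False:
        findings.append("authentication.webhook.enabled is false: "
                        "bearer tokens are not validated against the API server")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: "
                        "every request, anonymous ones included, is authorized")
    port = cfg.get("readOnlyPort", 0)
    if port != 0:
        findings.append(f"readOnlyPort {port} is enabled: "
                        "an unauthenticated read-only API is exposed")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(name, audit_kubelet_config(doc) or ["no findings"])
```

Run it against the file passed to the kubelet via `--config` on each node; a non-empty findings list on any node means that node's port 10250 will answer anonymous callers regardless of what the API server on 6443 or 443 returns.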
The [Shadowserver Foundation](http://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/) published a report on exposed Kubernetes instances in which they found 381,645 distinct IPs replying with an HTTP status code of 200 last month.
The reason for this mismatch, according to Cyble, is that they employed open-source scanners and simple queries that could be accessed by any threat actor. Shadowserver, on the other hand, scanned the whole IPv4 address space and monitored daily for any additions.
"The statistics supplied in the Kubernetes blog produced by our organization are derived from open-source scanners and queries accessible for the product," Cyble noted, adding that searches were conducted using the keywords "Kubernetes", "Kubernetes-master", "KubernetesDashboard" and "K8", plus favicon hashes, along with status codes 200, 403, and 401.
"According to their blog post on Kubernetes, Shadowserver uses a different method for locating the exposure: 'We scan daily with an HTTP GET request using the /version URI. We scan the entire IPv4 address space using ports 6443 and 443. We only include Kubernetes servers that answer with 200 OK (along with a JSON response) and disclose version information in their responses.'"
"Because we do not scan the entire IPv4 area like Shadowserver and rely on open-source intelligence, our results differ from those of Shadowserver."
Cyble's stats may not be as striking, but they are crucial because they correspond to Kubernetes clusters that are extremely simple to detect and attack.
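To make the two counting rules in this article concrete for an operator checking their own clusters, here is an added example (not Cyble's or Shadowserver's code) that implements Cyble's status-code triage (403 forbidden, 401 authentication required, 200 open) and Shadowserver's stricter rule (200 plus a JSON body that discloses version information, as the `/version` endpoint returns). The classification is separated from the single HTTP GET so it can be checked offline; the sample responses are constructed for the example, and the `probe` helper is meant to be pointed only at API server or kubelet endpoints you administer.

```python
"""Classify how a Kubernetes endpoint answers an unauthenticated request.
Added example implementing the article's 403/401/200 buckets and Shadowserver's
'200 + JSON with version' rule; not Cyble's or Shadowserver's code."""
import json
import ssl
import urllib.request
from urllib.error import HTTPError


def classify_response(status: int, body: str) -> str:
    """Map one HTTP response to an exposure category from the article."""
    if status == 403:
        return "forbidden"          # anonymous request rejected by authorization
    if status == 401:
        return "auth-required"      # reveals a live cluster but serves nothing
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "open"           # open, but not what Shadowserver counts
        if isinstance(data, dict) and "gitVersion" in data:
            return "open-version-disclosed"   # Shadowserver's counting rule
        return "open"
    return "other"


def probe(url: str, timeout: float = 5.0):
    """GET one endpoint you administer, e.g. https://<your-apiserver>:6443/version,
    and return (status, body). Cluster certificates are often self-signed, so
    TLS verification is disabled for this audit-only request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:        # 401/403 arrive here, with their bodies
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses, one per bucket the article describes.
SAMPLES = [
    (403, '{"kind":"Status","status":"Failure","reason":"Forbidden","code":403}'),
    (401, "Unauthorized"),
    (200, '{"major":"1","minor":"24","gitVersion":"v1.24.0","platform":"linux/amd64"}'),
    (200, "<html><title>Kubernetes Dashboard</title></html>"),
]


def triage(samples) -> dict:
    """Count responses per category, the way the article tallies 403/401/200."""
    counts = {}
    for status, body in samples:
        category = classify_response(status, body)
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLES))
    # For a real check of your own endpoint:
    # print(classify_response(*probe("https://apiserver.example.internal:6443/version")))
```

Anything other than "forbidden" or "auth-required" from an endpoint reachable from the Internet means the cluster belongs in the article's openly accessible bucket and should be pulled behind authentication or a network boundary.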