The admin consoles of over 22,000 container orchestration and API management systems are currently exposed online, according to a report published on Monday by Lacework, a company specialized in cloud security.
In its report, the company analyzed the breadth of the problem of cloud management systems left exposed online, focusing on container orchestration systems such as Kubernetes, Docker Swarm, Mesos Marathon, Red Hat OpenShift, Portainer, and Swarmpit.
These are web-based administration panels that system administrators in small and large companies alike use to manage container-based cloud infrastructure inside their companies.
These systems have no inherent need to be reachable from the internet. The usual justification is staff spread across large geographical areas who need to manage the infrastructure remotely, and that need can be met through a VPN without exposing the panel itself.
But Lacework researchers warn that many of these systems aren't properly secured behind firewalls or restricted to virtual private networks (VPNs), meaning anyone can find them with basic pen-testing tools or with IoT search engines like Shodan.
"Although the vast majority of these management interfaces have credentials set up, there is little reason why they should be world-accessible and are far more vulnerable than they should be," Lacework says.
"These nodes are essentially openings to these organizations' cloud environments to anyone with basic skills at searching the web," the company added. "These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks."
Lacework says it found 22,672 of these container orchestration management panels exposed online, of which 305 had no password set up at all.
Researchers also found 38 Kubernetes API servers whose healthz health-check endpoint answered requests without any authentication.
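The distinction between a panel that merely answers and one that hands out data without credentials matters when reading figures like the ones above. The following script is an added example written for this article, not Lacework's scanner: it fingerprints a Kubernetes API endpoint by fetching healthz and then asks for a namespace listing without a token, and classifies the result. On a cluster with the default RBAC bindings, healthz is readable anonymously by design, so an open healthz only proves the host is a Kubernetes API server; a 200 on the data path is what proves the cluster is open. The fake kube-apiserver at the bottom is a constructed stand-in so the check runs offline; the path and response bodies it serves imitate the real ones but are assumptions for the demo.

```python
"""Check whether a Kubernetes API endpoint answers without credentials.
Added example, not Lacework's scanner. A fake kube-apiserver runs on loopback so
the check can be exercised offline; point classify() at https://host:6443 to audit your own."""
import http.server
import json
import ssl
import threading
import urllib.error
import urllib.request

HEALTH_PATH = "/healthz"           # readable anonymously on a default RBAC cluster
DATA_PATH = "/api/v1/namespaces"   # cluster data; must never be readable anonymously

# Real API servers present a cluster-CA certificate a scanner cannot verify; we only fingerprint.
_INSECURE = ssl.create_default_context()
_INSECURE.check_hostname = False
_INSECURE.verify_mode = ssl.CERT_NONE


def _get(url, timeout):
    """Unauthenticated GET returning (status, body); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=_INSECURE) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # must precede URLError (its superclass)
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(base_url, timeout=5):
    """Return 'open', 'anonymous-denied', 'auth-required', 'not-kubernetes' or 'unreachable'."""
    status, body = _get(base_url + HEALTH_PATH, timeout)
    if status is None:
        return "unreachable"
    if status == 401:
        return "auth-required"        # --anonymous-auth=false: even /healthz demands credentials
    if status != 200 or body.strip() != "ok":
        return "not-kubernetes"
    # /healthz alone proves only that this is an API server; now ask for actual cluster data.
    status, body = _get(base_url + DATA_PATH, timeout)
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        return "open" if isinstance(doc, dict) and doc.get("kind") == "NamespaceList" else "not-kubernetes"
    if status == 403:
        return "anonymous-denied"     # anonymous requests accepted, but RBAC denies system:anonymous
    if status == 401:
        return "auth-required"
    return "not-kubernetes"


class FakeApiServer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for kube-apiserver; server.mode selects the posture it imitates."""

    def log_message(self, *args):
        pass                          # keep the demo quiet

    def _send(self, status, body, ctype):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        mode = self.server.mode
        if mode == "auth-required":
            self._send(401, "Unauthorized", "text/plain")
        elif self.path == HEALTH_PATH:
            self._send(200, "ok", "text/plain")
        elif self.path == DATA_PATH and mode == "open":
            self._send(200, json.dumps({"kind": "NamespaceList", "items": []}), "application/json")
        elif self.path == DATA_PATH:
            denied = {"kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403}
            self._send(403, json.dumps(denied), "application/json")
        else:
            self._send(404, "not found", "text/plain")


def check_mode(mode):
    """Start a fake server in `mode` ('open', 'anonymous-denied' or 'auth-required') and classify it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeApiServer)
    srv.mode = mode
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return classify("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in ("open", "anonymous-denied", "auth-required"):
        print("%-16s -> %s" % (mode, check_mode(mode)))
```

Run against a real cluster, "anonymous-denied" is the posture a default kubeadm or managed cluster shows when its port is reachable: it is fingerprintable, but no data leaks. "auth-required" is what you get after setting --anonymous-auth=false on kube-apiserver. Neither is a substitute for the controls the article goes on to name: the API port should be reachable only from the VPN or bastion addresses that actually need it.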
Over 95 percent of these exposed hosts were on Amazon Web Services (AWS) infrastructure, and 58 percent of those were in a US AWS region.
More than three-quarters of these exposed panels were running Kubernetes instances, according to a graph compiled based on the Lacework research.
For the past few years, infosec news sites have regularly reported breaches caused by sysadmins forgetting to set a password on their MongoDB, Elasticsearch, Kubernetes and similar servers.
The Lacework report, which also includes basic advice for avoiding such exposures and hardening container management panels, highlights a growing trend in today's IT landscape: many system administrators appear to have forgotten what passwords, firewalls, and access control lists (ACLs) are good for.