Researchers on Tuesday detected a series of new attacks against Kubernetes clusters via misconfigured Argo Workflows instances.
In a blog post, Intezer researchers said they found a number of unprotected instances that contain sensitive information such as code, credentials and private container image names while studying exposed Argo Workflows instances.
In instances where permissions are misconfigured, the researchers said it’s possible for an attacker to access an open Argo dashboard and submit their own workflow. In one cluster, the Intezer team found kannix/monero-miner, a popular cryptocurrency mining container, already deployed.
Applications such as Argo Workflows help orchestrate parallel jobs in Kubernetes by providing a friendly user interface and the ability to run continuous integration/continuous delivery (CI/CD) pipelines without having to configure complex software products. The researchers said even with products like Argo helping to reduce the complexity of deployment, there’s still always the possibility of misconfiguration or exploitation.
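A defender-side check that the scenario above calls for, added here as example code (not Intezer's or the Argo project's): it walks the templates of a submitted Argo Workflow manifest and flags container images that are outside an approved registry or match cryptomining indicators. The registry prefix, the indicator terms beyond the miner image named in the article, and the sample manifests are constructed for this example.

```python
from typing import Iterable

# Constructed policy for this example. The registry prefix is an assumption; the
# indicator terms come from the miner image named in the article (kannix/monero-miner).
ALLOWED_REGISTRIES = ("registry.example.internal/",)
MINER_INDICATORS = ("monero", "xmrig", "miner")

def template_images(template: dict) -> Iterable[str]:
    """Yield every image one Argo template would pull: its container or script,
    plus any initContainers and sidecars declared alongside it."""
    for key in ("container", "script"):
        spec = template.get(key)
        if spec and spec.get("image"):
            yield spec["image"]
    for key in ("initContainers", "sidecars"):
        for spec in template.get(key, []):
            if spec.get("image"):
                yield spec["image"]

def workflow_images(workflow: dict) -> list:
    """Collect images across every entry in spec.templates."""
    templates = workflow.get("spec", {}).get("templates", [])
    return [img for tpl in templates for img in template_images(tpl)]

def check_workflow(workflow: dict) -> list:
    """Return policy findings for one workflow; an empty list means it passes.
    The registry allowlist is the real control: whoever can submit workflows
    chooses the image name, so indicator matching alone is not enough."""
    meta = workflow.get("metadata", {})
    name = meta.get("name") or meta.get("generateName") or "<unnamed>"
    findings = []
    for image in workflow_images(workflow):
        lowered = image.lower()
        if not lowered.startswith(ALLOWED_REGISTRIES):
            findings.append(f"{name}: image {image!r} is not from an approved registry")
        if any(term in lowered for term in MINER_INDICATORS):
            findings.append(f"{name}: image {image!r} matches a cryptomining indicator")
    return findings

# Constructed sample manifests, in the dict form Argo's YAML/JSON parses to.
BENIGN_WORKFLOW = {
    "metadata": {"name": "nightly-build"},
    "spec": {"entrypoint": "build", "templates": [
        {"name": "build", "container": {"image": "registry.example.internal/ci/builder:1.4"}}]},
}
SUSPECT_WORKFLOW = {
    "metadata": {"generateName": "maintenance-"},
    "spec": {"entrypoint": "run", "templates": [
        {"name": "run", "container": {"image": "kannix/monero-miner", "command": ["sh"]}}]},
}
```

Running the same check inside an admission webhook or a CI gate, rather than after the fact, is what keeps an open dashboard from turning into a free compute pool.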
Gartner has reported that through 2025, more than 99% of cloud breaches will have a root cause of customer misconfigurations or mistakes — and Kubernetes is no exception, pointed out Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber.
“Unfortunately, misconfigurations are just one type of risk-inducing vulnerability, and cloud has become just one attack vector that needs to be tracked and mitigated,” Bar-Dayan said. “IT security teams need a consolidated view of risk across cloud application environments as well as traditional IT infrastructure. Then they need a plan to prioritize and mitigate this risk.”
The Kubernetes vulnerability serves to show how the growing complexity of orchestrated, containerized cloud solutions can quickly get out of control if not managed well, said Andrew Barratt, managing principal, solutions and investigations at Coalfire. Barratt said misconfigurations have become one of the largest causes of vulnerabilities across the board, and orchestration platforms are a really interesting attack surface because of what attackers can leverage.
“In theory they could allow an adversary to perform very sophisticated lateral attacks entirely leveraging the scale of native cloud services,” Barratt said. “We shouldn’t stop using them, they provide huge levels of automation and can simplify very complex operational deployments. However, it’s really important to see them as a sophisticated attack platform, with a lot of capabilities and typically elevated privileges as well as often the ability to build and deploy resources with an immediate cost associated.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, said that as the need for workflow automation and the use of Kubernetes grow, the opportunities for threat actors to gain access increase, because the attack surface grows along with the demand. Everette said that, like any tool, the more it is demanded and used, the larger a target it becomes.
“As the past years have shown, a basic misconfiguration can open the doors for cybercriminals and lead to them taking advantage of these weaknesses,” Everette said. “We have seen multiple high-profile cases of cryptojacking and data theft, leveraging misconfigurations in Kubernetes, such as the Capital One, Tesla, and Microsoft Azure to name a few. Security is everyone’s responsibility, no longer just the application or the hardware owners. The client, the cloud provider, Kubernetes manager, application owners, and security teams all have a role in ensuring that your Kubernetes environments are secure and monitored properly.”