Misconfigured registries are putting hundreds of top businesses at risk
Millions of artifacts and container images have been found exposed on the public internet via thousands of misconfigured Red Hat Quay registries, JFrog Artifactory, or Sonatype Nexus artifact registries. Many of these held confidential and sensitive proprietary code, placing those companies at enormous risk of data leaks and cyberattacks.
A new report from the Aqua Nautilus research team found 250 million artifacts and 65,600 container images were exposed, leaving five Fortune 500 companies, as well as “thousands of others”, at risk.
Among the firms at risk were IBM, Alibaba, Siemens, and Cisco, the researchers said.
Surprising and highly concerning
Being “crucial elements” within the software supply chain, registries and artifact management systems are major targets for cybercriminals. Aqua Security claims many organizations are unaware, or unable to control, sensitive information and secrets that leak into these registries, and should hackers gain access – it could spell huge trouble for the target firms. As per the researchers, there are organizations that did not properly secure these highly critical environments.
“The findings were both surprising and highly concerning,” commented Assaf Morag, lead threat researcher for Aqua Nautilus.
The researchers found sensitive keys, such as secrets, credentials, or tokens, on 1,400 distinct hosts, and private sensitive addresses of endpoints (opens in new tab), such as Redis, MongoDB, PostgreSQL, or MySQL, on 156 hosts. Furthermore, they found 57 registries with critical misconfiguration and 15 of these allowed admin access with the default password. More than 2,100 artifact registries had upload permissions.
To protect their premises, and the sensitive data residing there, Nautilus recommends businesses check if any registries or artifact management systems are exposed to the internet, and check if the ones connected to the internet by design aren’t critically vulnerable. Businesses should also verify that the anonymous user is disabled.