Shadowserver Foundation researchers have discovered more than 380,000 open Kubernetes API servers exposed on the Internet. That represents 84% of all global Kubernetes API instances that are observable online.
The research was conducted over the IPv4 infrastructure using HTTP GET requests. The researchers didn’t run intrusive checks to pinpoint the servers’ exposure levels, but the findings suggest potential problems in this landscape.
“While this does not mean that these instances are completely open or vulnerable to attack, it is likely that this level of access was not intended, and these instances present an unnecessarily exposed attack surface,” the Shadowserver report states. “They’re also leaking version and build information.”
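A defender-side audit of the check described above, added here as an example (it is not code from the Shadowserver report or this article): it issues the same unauthenticated GET to `/version` against an API server you own and classifies the reply. It assumes stock kube-apiserver behaviour, where the default anonymous-auth setting and the `system:public-info-viewer` binding let unauthenticated callers read `/version`; the `probe` helper and the sample JSON bodies are constructed.

```python
"""Audit whether a Kubernetes API server answers an unauthenticated GET /version.

Added example, not from the Shadowserver report. Assumes stock kube-apiserver
behaviour: with anonymous auth on, the default system:public-info-viewer binding
lets unauthenticated callers read /version.
"""
import json
import ssl
import urllib.request
from urllib.error import HTTPError

BUILD_FIELDS = ("gitVersion", "gitCommit", "buildDate", "goVersion", "platform")


def classify_version_response(status: int, body: str) -> dict:
    """Return {'exposed', 'reason', 'leaked'} for one unauthenticated /version reply."""
    if status in (401, 403):  # anonymous auth off, or RBAC denies system:anonymous
        return {"exposed": False, "reason": f"HTTP {status}: anonymous access denied", "leaked": {}}
    if status != 200:
        return {"exposed": False, "reason": f"HTTP {status}: not a /version reply", "leaked": {}}
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict) or "gitVersion" not in data:
        return {"exposed": False, "reason": "HTTP 200 but not a Kubernetes /version body", "leaked": {}}
    leaked = {k: data[k] for k in BUILD_FIELDS if k in data}
    return {"exposed": True, "reason": "anonymous /version leaks build information", "leaked": leaked}


def probe(api_server: str, timeout: float = 5.0) -> dict:
    """GET <api_server>/version with no credentials; run it against endpoints you own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # cluster certs are commonly self-signed
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(api_server.rstrip("/") + "/version",
                                 headers={"User-Agent": "k8s-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_version_response(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # 401/403 land here, body still readable
        return classify_version_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed samples (no real cluster): an open server and one denying anonymous access.
SAMPLE_OPEN = ('{"major":"1","minor":"24","gitVersion":"v1.24.0","gitCommit":"0123456789abcdef0123456789abcdef01234567",'
               '"buildDate":"2022-05-03T13:38:19Z","goVersion":"go1.18.1","platform":"linux/amd64"}')
SAMPLE_DENIED = '{"kind":"Status","status":"Failure","message":"Unauthorized","code":401}'
```

A result with `exposed` set to true means the server should either have `--anonymous-auth=false` set or, more importantly, not be reachable from the Internet at all.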
The densest cluster of exposed API servers was found in the US, where some 201,348 of these open API instances were discovered. That accounts for 53% of the total number of open servers found.
This report is further evidence in a growing body of research around API Security showing that many organizations are unprepared to protect against, respond to, or even have visibility into potential API attacks.
Data breaches via API incidents
According to the recent “State of API Security 2022” report from Salt Security, about 34% of organizations have no API security strategy at all, and another 27% say they have only a basic strategy involving minimal scans and manual assessments of API security status, with no controls or management over them. Another study, from 451 Research on behalf of Noname Security, found that 41% of organizations had an API security incident in the past 12 months. Of these, 63% involved a data breach or data loss.
The size of the potential API attack surface in modern applications and cloud infrastructure is enormous. According to the 451 Research study, large enterprises have, on average, more than 25,000 APIs connected to or operating within their infrastructure. The number is expected to keep growing, and in the recent Gartner “Predicts 2022” document, analysts say they believe less than 50% of enterprise APIs will be managed in three years’ time “as the explosive growth of APIs exceeds the capabilities of API management tools.”
The exposure to Kubernetes found by Shadowserver is evidence of a particularly acute problem in cloud security today. APIs are often one of the weakest links in cloud infrastructure management, as they usually form the core of the control plane that handles the configuration of cloud infrastructures and applications.
“All cloud breaches follow the same pattern: compromise of the control plane. The control plane is the surface of the API that configures and operates the cloud. APIs are the main driver of cloud computing; think of them as ‘software intermediaries’ that allow different applications to communicate with each other,” explains Josh Stella, chief architect at Snyk and the founder of Fugue, which was recently acquired by Snyk. “The API control plane is the collection of APIs used to configure and operate the cloud. Unfortunately, the security industry is lagging behind the hackers as many vendor solutions fail to protect their customers from attacks targeting the cloud control plane.”
In the Predicts 2022 piece, Gartner analysts agree that newly created APIs are an integral part of the emerging cloud and application architectures at the heart of the modern continuous-delivery model of application development.
“This situation resembles the early days of Infrastructure as a Service (IaaS) implementation, as uncontrolled API usage is on the rise. As architecture and operational technologies mature, security controls seek to apply old paradigms to new problems,” said Gartner. “These controls may be a temporary solution, but it will take a long time for security controls and practices to catch up with the new architecture paradigm.”