Researchers with Shadowserver Foundation have discovered more than 380,000 open Kubernetes API servers exposed on the Internet. That represents 84% of all global Kubernetes API instances observable online.
The research was conducted across IPv4 infrastructure using HTTP GET requests. The researchers didn’t do any intrusive checks to figure out exactly the level of exposure that the servers exhibited, but the findings suggest potential trouble across this landscape.
“While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface,” according to the Shadowserver report. “They also allow for information leakage on version and builds.”
The densest cluster of exposed API servers was found in the US, where some 201,348 of these open API instances were discovered. That accounts for 53% of the total open servers found.
This report is yet more evidence in a growing body of research around API security that shows many organizations are unprepared to protect against, respond to, or even have visibility into potential API attacks.
Data Breaches via API Incidents
According to the recent "State of API Security 2022" report from Salt Security, approximately 34% of organizations have absolutely no API security strategy in place, and an additional 27% say that they have just a basic strategy that involves minimal scanning and manual reviews of API security status and no controls or management over them. Another study, from 451 Research on behalf of Noname Security, found that 41% of organizations had an API security incident in the last 12 months. Of those, 63% involved a data breach or data loss.
The scope of the potential API attack surface in modern application and cloud infrastructure is huge. According to the 451 Research study, large enterprises on average have more than 25,000 APIs connected to or operating within their infrastructure. The number is set to keep growing, and in a recent Gartner Predicts 2022 document, analysts say they believe that less than 50% of enterprise APIs will be managed three years from now “as explosive growth in APIs surpasses the capabilities of API management tools."
The Kubernetes exposure found by Shadowserver is evidence for a particularly acute problem in cloud security today. APIs are often one of the weakest links in cloud infrastructure management because they are usually at the heart of the control plane that handles configuration of cloud infrastructures and applications.
“All cloud breaches follow the same pattern: control plane compromise. The control plane is the API’s surface that configures and operates the cloud. APIs are the primary driver of cloud computing; think of them as 'software middlemen' that allow different applications to interact with each other,” explains Josh Stella, chief architect at Snyk and the founder of Fugue, which was recently acquired by Snyk. “The API control plane is the collection of APIs used to configure and operate the cloud. Unfortunately, the security industry remains a step behind the hackers because many vendor solutions do not protect their customers against attacks that target the cloud control plane.”
In the Predicts piece, Gartner analysts agree that newly created APIs that are churning into the scene are an integral part of the emerging cloud and application architectures that are at the heart of the modern continuous delivery model of application development.
“This situation resembles the early days of infrastructure as a service (IaaS) deployment, as ungoverned API usage is on the rise. As the architecture and operational technologies continue to mature, security controls try to apply old paradigms to new problems,” according to Gartner. “These controls can be a temporary solution, but it will take a long time for security controls and practices to catch up with the new architecture paradigm.”