Security News > 2022 > June > Over 900,000 Kubernetes instances found exposed online
Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.
Researchers at Cyble have conducted an exercise to locate exposed Kubernetes instances across the internet, using scanning tools and search queries similar to those employed by malicious actors.
To evaluate how many of the exposed instances might be at significant risk, Cyble looked into the error codes returned for unauthenticated requests to the Kubelet API. The vast majority of the exposed instances return error code 403, meaning the unauthenticated request is forbidden and can't go through, so no attacks can transpire against them.
Finally, there's a small subset of 799 Kubernetes instances that return a status code 200, which are completely exposed to external attackers.
Last month, The Shadowserver Foundation released a report on exposed Kubernetes instances where they discovered 381,645 unique IPs responding with an HTTP 200 status code.
"The Shadowserver takes a different approach for finding the exposure as per their blog on Kubernetes 'We scan daily with a HTTP GET request using the /version URI. We scan all of the IPv4 space on ports 6443 and 443. We include only Kubernetes servers that respond with a 200 OK, and hence disclose version information in their response.'"
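The 403-versus-200 distinction described above can be checked from the cluster owner's side. The following is an added example, not code from Cyble, Shadowserver or the original article: it reads Kubernetes API server audit events and separates unauthenticated requests that were refused (403) from those answered with 200. It assumes audit logging is enabled, that unauthenticated callers appear as `system:anonymous`, and it covers the API server rather than the Kubelet; the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of API server audit events (one JSON object per line).
# Field names follow the audit.k8s.io/v1 Event schema; all values are made up.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","verb":"get","requestURI":"/version","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"responseStatus":{"code":200}}
{"kind":"Event","verb":"list","requestURI":"/api/v1/pods","user":{"username":"system:anonymous"},"sourceIPs":["198.51.100.7"],"responseStatus":{"code":403}}
{"kind":"Event","verb":"list","requestURI":"/api/v1/namespaces/default/secrets","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.9"],"responseStatus":{"code":200}}
{"kind":"Event","verb":"get","requestURI":"/api/v1/nodes","user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}
not-json garbage line
"""

# Assumption: the default public-info binding is in place, so a 200 on these
# paths discloses only version or health information, not cluster data.
INFO_ONLY_PATHS = ("/version", "/healthz", "/livez", "/readyz")

def classify(event):
    """Return 'forbidden', 'info-disclosure', 'exposed' or None for one event."""
    if event.get("user", {}).get("username") != "system:anonymous":
        return None  # authenticated request, out of scope
    code = event.get("responseStatus", {}).get("code")
    if code == 403:
        return "forbidden"
    if code == 200:
        path = event.get("requestURI", "").split("?")[0]
        info = any(path == p or path.startswith(p + "/") for p in INFO_ONLY_PATHS)
        return "info-disclosure" if info else "exposed"
    return None

def summarize(log_text):
    """Group anonymous requests by outcome as sorted (source IP, URI) pairs."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        label = classify(event) if isinstance(event, dict) else None
        if label:
            for ip in event.get("sourceIPs", ["unknown"]):
                findings[label].add((ip, event.get("requestURI", "")))
    return {label: sorted(hits) for label, hits in findings.items()}

if __name__ == "__main__":
    for label, hits in summarize(SAMPLE_AUDIT_LOG).items():
        print(label, hits)
```

Any entry under `exposed` means an unauthenticated caller received real API data and the cluster's anonymous access and RBAC bindings need review; `info-disclosure` corresponds to the `/version` response Shadowserver counts.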