Shadowserver Foundation researchers have discovered more than 380,000 open Kubernetes API servers exposed to the Internet. This represents 84% of all global Kubernetes API instances that can be observed online.
The search was performed across the IPv4 infrastructure using HTTP GET requests. The researchers didn’t do any intrusive checks to see exactly what level of exposure the servers showed, but the results indicate a potential problem across this landscape.
According to the Shadowserver report, “While this does not mean that these instances are completely open or vulnerable to attack, it is possible that this level of access was not intended, and these instances are an unnecessarily exposed attack surface.” “It also allows information to be leaked on version and builds.”
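An added example, not from Shadowserver or the article: a self-audit check for an API server you operate, showing what a non-intrusive HTTP GET can reveal. It assumes the probe is an anonymous GET of the Kubernetes `/version` endpoint (the article only says "HTTP GET requests"), and the sample responses are constructed.

```python
import json
import ssl
import urllib.error
import urllib.request

# /version fields that disclose version and build details (standard Kubernetes fields).
LEAKY_FIELDS = ("gitVersion", "gitCommit", "buildDate", "goVersion", "platform")

# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN = (200, '{"major": "1", "minor": "0", "gitVersion": "v1.0.0-example", '
                    '"buildDate": "2022-01-01T00:00:00Z", "platform": "linux/amd64"}')
SAMPLE_DENIED = (403, '{"kind": "Status", "status": "Failure", "code": 403}')
SAMPLE_OTHER = (200, "<html>not an API server</html>")


def classify(status, body):
    """Classify one unauthenticated GET /version response."""
    if status in (401, 403):
        return {"exposure": "auth-required", "leaked": {}}
    try:
        doc = json.loads(body) if status == 200 else None
    except ValueError:
        doc = None
    if not isinstance(doc, dict) or "gitVersion" not in doc:
        return {"exposure": "unknown", "leaked": {}}
    leaked = {k: doc[k] for k in LEAKY_FIELDS if k in doc}
    return {"exposure": "anonymous-version-leak", "leaked": leaked}


def probe(base_url, timeout=5.0):
    """Send one anonymous GET to <base_url>/version on a cluster you operate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # no credentials are sent; private-CA certs are common
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except OSError:
        return {"exposure": "unreachable", "leaked": {}}


if __name__ == "__main__":
    for status, body in (SAMPLE_OPEN, SAMPLE_DENIED, SAMPLE_OTHER):
        print(status, classify(status, body))
```

A result of `anonymous-version-leak` from outside your network means the endpoint is reachable and answering without credentials, which is the condition the report counts as unnecessarily exposed attack surface.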
The densest collection of exposed API servers is found in the US, with about 201,348 such open API instances detected. This represents 53% of all open servers out there.
This report is further evidence in a growing body of research on API security that shows that many organizations are unwilling to protect against, respond to, or even learn about potential API attacks.
Data breaches via API incidents
According to the recent “API Security Status 2022” report from Salt Security, approximately 34% of organizations do not have an API security strategy in place, and another 27% say they have only a basic strategy that includes minimal manual checking and reviews of the API security status and no controls or management over them. Another study, from 451 Research on behalf of Noname Security, found that 41% of organizations had an API security incident in the past 12 months. Of those, 63% were implicated in a data breach or data loss.
The scope of the potential API attack surface in modern applications and cloud infrastructure is huge. According to a 451 Research study, on average large organizations have more than 25,000 APIs connected or running within their infrastructure. The number is set to continue to grow, and in a recent Gartner Predicts 2022 document, analysts say they believe less than 50% of enterprise APIs will be managed three years from now “as explosive growth in APIs is outpacing the capabilities of enterprise management tools.”
The Kubernetes exposure that Shadowserver found is evidence of a particularly acute problem in cloud security today. APIs are often one of the weakest links in managing cloud infrastructure because they are usually at the heart of the control plane that handles the configuration of cloud infrastructure and applications.
“All cloud penetrations follow the same pattern: leveling the control plane. The control plane is the surface of the API that configures and operates the cloud. APIs are the primary driver of cloud computing; think of them as ‘software intermediaries’ that allow different applications to interact with each other,” Josh Stella, Snyk’s chief architect and founder of Fugue, recently acquired by Snyk, explains. “An API control plane is a set of APIs used to configure and operate the cloud. Unfortunately, the security industry is still left behind by hackers because many vendor solutions do not protect their customers from attacks targeting the cloud control plane.”
In the Predicts document, Gartner analysts agree that the newly created APIs appearing across the landscape are integral to the emerging cloud and application architectures that are at the heart of the modern continuous delivery model for application development.
“This situation is similar to the early days of Infrastructure-as-a-Service (IaaS) deployment, where the use of ungoverned APIs is increasing. As architecture and operational technologies continue to mature, security controls attempt to apply old paradigms to new problems,” according to Gartner. “These controls could be a temporary solution, but it will take a long time for the security controls and practices to catch up with the new architecture paradigm.”