June 29, 2022

Cyble researchers have uncovered a massive 900,000 badly configured Kubernetes servers that are vulnerable on the internet. 65% (585,000) of these servers are located in the United States, 14% in China, 9% in Germany and 6% each in the Netherlands and Ireland.

Among the exposed servers, the most exposed TCP ports were “443” with just over a million instances, “10250” with 231, 200, and “6443” with 84,400 results.

The researchers clarified that not all the exposed servers can be exploited by attackers. The risk varies depending on the individual configuration.

The researchers evaluate the error codes returned to the Kubelet API for the unauthenticated requests to assess how many of the exposed instances may be at significant risk.

Most of exposed server instances return the error code 403, which means that the unauthenticated request is forbidden and cannot be traversed, so attacks against it cannot occur.

“The stats provided in the Kubernetes blog that is published from our end is on the basis of Open-source scanners and the Queries available for the product. As mentioned in the blog, we have searched on the basis of queries “Kubernetes,” “Kubernetes-master,” “KubernetesDashboard,” “K8″ and favicon hashes along with status codes 200,403 & 401,” Cyble explained.

The sources for this piece include an article in BleepingComputer.