Over 2K Publicly Accessible Etcd Servers Leak Sensitive Credentials

After publicly exposed MongoDB databases, Amazon AWS S3 buckets and Redis instances, researchers now warn that a considerable number of etcd servers are also publicly accessible and contain sensitive credentials that could provide access to additional systems.

The warning came late last week from security researcher Giovanni Collazo, who found 2,284 etcd servers reachable from the internet and which were accessible without authentication through the standard etcd API.

“I did a simple search on shodan and came up with 2,284 etcd servers on the open internet,” Collazo said in a blog post. “So I clicked a few and on the third try I saw what I was hoping not to see. CREDENTIALS, a lot of CREDENTIALS. Credentials for things like cms_admin, mysql_root, postgres, etc.”

The researcher then wrote a simple script that connected to the servers and read all of their data—the equivalent of a database dump. He stopped the script after iterating through 1,485 servers and collecting 750MB of data. The data contained 8,781 passwords, 650 access keys for AWS accounts, 23 secret keys and 8 private keys.

“I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part,” the researcher said. “Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks.”

A DevOps manager named Bradley Wilson-Hunt pointed out on Twitter that etcd is used by Kubernetes, a very popular container orchestration tool, as the default backing store for all cluster data.

“After cheking (sic) a few… the ammount (sic) of etcd’s (sic) which are being used for kubernetes (sic) is scary,” Wilson-Hunt said.

Etcd is a distributed key-value store for critical data such as credentials and configurations in distributed systems. It uses the Raft consensus algorithm to keep nodes in sync and provides an HTTP API.

Etcd supports authentication, but this hasn’t always been so. In fact, the official documentation notes that this feature, which was introduced in etcd 2.1, is disabled by default to “preserve backward compatibility and upgradability” with older versions.

Making authentication optional and turning it off by default is never a good idea because users will often deploy systems with default settings. In fact, a very similar situation happened with MongoDB, wherein authentication was disabled by default for a long time, leading to tens of thousands of servers being publicly exposed on the internet.

“I really hope that the etcd team would reconsider their position and make a breaking change soon to enable authentication by default,” Collazo said. “As we learned from the MongoDB experience this is a huge footgun that can be easily removed [from] an otherwise awesome software.”

Coinmining, Supply-Chain Attacks Saw Massive Surges Last Year

The number of attacks that install cryptocurrency mining software on servers and personal computers increased by 8,500 percent last year, while supply-chain attacks were up 200 percent, according to data from Symantec.

“Coinminers made up 24 percent of all web attacks blocked in December 2017, and 16 percent of web attacks blocked in the last three months of 2017, demonstrating the big impact of these browser-based coinminers,” Symantec said in its “2018 Internet Security Threat Report” released March 22.

But browsers are not the only distribution vector used by this threat. The security firm also detected attack campaigns that exploited vulnerabilities on computers to install coinminers, that sent them via emails, through Facebook Messenger and through WordPress sites whose log-in credentials were brute-forced. Coinminers are also not only limited to the Windows platform, the company said.

As far as software supply-chain attacks go, which poison legitimate software downloads with malware, Symantec observed at least one every month in 2017. This is compared to an average of three cases per year between 2013 and 2016.

“One of the reasons why attackers have chosen to hijack software updates is that it is getting increasingly difficult to find exploitable zero-day vulnerabilities that they can use,” the company said. “Therefore supply chain attacks are an efficient alternative to reach their goals and will most likely continue to grow.”

Supply-chain attacks are usually sophisticated operations where the goal is to remain undetected for a long period of time. They can be launched by compromising the infrastructure of software developers, but also by hijacking their domains, IP routing or third-party hosting services.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

One thought on “Over 2K Publicly Accessible Etcd Servers Leak Sensitive Credentials

Comments are closed.