After publicly exposed MongoDB databases, Amazon AWS S3 buckets and Redis instances, researchers now warn that a considerable number of etcd servers are also publicly accessible and contain sensitive credentials that could provide access to additional systems.
The warning came late last week from security researcher Giovanni Collazo, who found 2,284 etcd servers reachable from the internet that answered requests through the standard etcd API without requiring any authentication.
“I did a simple search on shodan and came up with 2,284 etcd servers on the open internet,” Collazo said in a blog post. “So I clicked a few and on the third try I saw what I was hoping not to see. CREDENTIALS, a lot of CREDENTIALS. Credentials for things like cms_admin, mysql_root, postgres, etc.”
The researcher then wrote a simple script that connected to the servers and read all of their data—the equivalent of a database dump. He stopped the script after iterating through 1,485 servers and collecting 750MB of data. The data contained 8,781 passwords, 650 access keys for AWS accounts, 23 secret keys and 8 private keys.
“I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part,” the researcher said. “Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks.”
A DevOps manager named Bradley Wilson-Hunt pointed out on Twitter that etcd is used by Kubernetes, a very popular container orchestration tool, as the default backing store for all cluster data.
“After cheking (sic) a few… the ammount (sic) of etcd’s (sic) which are being used for kubernetes (sic) is scary,” Wilson-Hunt said.
Etcd is a distributed key-value store for critical data such as credentials and configurations in distributed systems. It uses the Raft consensus algorithm to keep nodes in sync and provides an HTTP API.
Etcd supports authentication, but this hasn’t always been so. In fact, the official documentation notes that this feature, which was introduced in etcd 2.1, is disabled by default to “preserve backward compatibility and upgradability” with older versions.
Making authentication optional and turning it off by default is never a good idea because users will often deploy systems with default settings. In fact, a very similar situation happened with MongoDB, wherein authentication was disabled by default for a long time, leading to tens of thousands of servers being publicly exposed on the internet.
“I really hope that the etcd team would reconsider their position and make a breaking change soon to enable authentication by default,” Collazo said. “As we learned from the MongoDB experience this is a huge footgun that can be easily removed [from] an otherwise awesome software.”
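The check an operator would want to run against an etcd v2 client endpoint of their own after reading this, as an added example that is not from the article or the etcd project: it reads the auth status and, if authentication is off, lists the stored keys whose names look like credentials so they can be rotated. The host, port and key names are assumptions; the etcd v2 paths `/v2/auth/enable` and `/v2/keys?recursive=true` are the documented API.

```python
"""Audit an etcd v2 endpoint you operate: is authentication enabled, and which
stored keys look like credentials that would need rotating if the endpoint was
ever reachable without auth? Added example; the endpoint and key names below
are assumptions/constructed, not taken from the article."""
import json
import re
import urllib.request

# Key-name patterns that usually hold secrets (heuristic, constructed for this example).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|access_key|private_key|root)", re.I)


def auth_enabled(enable_response: str) -> bool:
    """Parse the body of GET /v2/auth/enable, which etcd returns as {"enabled": bool}."""
    return bool(json.loads(enable_response).get("enabled", False))


def flatten_nodes(node: dict) -> list:
    """Recursively walk one node of a /v2/keys?recursive=true response into (key, value) pairs."""
    if node.get("dir"):
        out = []
        for child in node.get("nodes", []):
            out.extend(flatten_nodes(child))
        return out
    return [(node["key"], node.get("value", ""))]


def secret_like_keys(keys_response: str) -> list:
    """Return key paths whose name suggests a credential; these are the values to
    rotate if the store was ever exposed without authentication."""
    tree = json.loads(keys_response)["node"]
    return sorted(k for k, _ in flatten_nodes(tree) if SECRET_NAME.search(k))


def audit(base_url: str, timeout: float = 5.0) -> dict:
    """Query a live etcd v2 client endpoint you own (assumed: http://127.0.0.1:2379)."""
    def get(path):
        with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
            return r.read().decode()
    enabled = auth_enabled(get("/v2/auth/enable"))
    # With auth enabled the anonymous key listing would be rejected, so skip it.
    exposed = [] if enabled else secret_like_keys(get("/v2/keys?recursive=true"))
    return {"auth_enabled": enabled, "unprotected_secret_keys": exposed}


if __name__ == "__main__":
    print(json.dumps(audit("http://127.0.0.1:2379"), indent=2))
```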
Coinmining, Supply-Chain Attacks Saw Massive Surges Last Year
The number of attacks that install cryptocurrency mining software on servers and personal computers increased by 8,500 percent last year, while supply-chain attacks were up 200 percent, according to data from Symantec.
“Coinminers made up 24 percent of all web attacks blocked in December 2017, and 16 percent of web attacks blocked in the last three months of 2017, demonstrating the big impact of these browser-based coinminers,” Symantec said in its “2018 Internet Security Threat Report” released March 22.
But browsers are not the only distribution vector used by this threat. The security firm also detected campaigns that exploited vulnerabilities on computers to install coinminers, and campaigns that distributed them via email, through Facebook Messenger and through WordPress sites whose log-in credentials had been brute-forced. Coinminers are also not limited to the Windows platform, the company said.
Software supply-chain attacks, which poison legitimate software downloads with malware, were observed by Symantec at least once every month in 2017, compared to an average of three cases per year between 2013 and 2016.
“One of the reasons why attackers have chosen to hijack software updates is that it is getting increasingly difficult to find exploitable zero-day vulnerabilities that they can use,” the company said. “Therefore supply chain attacks are an efficient alternative to reach their goals and will most likely continue to grow.”
Supply-chain attacks are usually sophisticated operations where the goal is to remain undetected for a long period of time. They can be launched by compromising the infrastructure of software developers, but also by hijacking their domains, IP routing or third-party hosting services.