Cloud security firm Aqua Security has uncovered thousands of exposed cloud software registries and repositories, which contained over 250 million artifacts and over 65,000 container images. The research aimed to identify software supply chain weaknesses that could allow threat actors to exploit registries.
Aqua discovered that even large companies inadvertently exposed secrets, used default passwords, and granted users unnecessarily high privileges. Anonymous user access exposed sensitive information such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle.
The analysis focused on package management systems used in cloud software development, including registries, repositories, and artifact management systems. Aqua discovered multiple container image registries and Quay registries, along with internet-accessible Sonatype Nexus registries and JFrog Artifactory instances.
Some of the identified registries could be accessed anonymously, with read and/or write privileges.
Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key and 156 hosts that exposed sensitive private endpoint addresses. Moreover, 57 of the identified registries had critical vulnerabilities, such as a default admin password, and more than 2,100 artifact registries were configured to allow uploads.
The misconfigured registries belonged to small, medium, and large organizations worldwide, including ten Fortune 500 companies.
Aqua recommends that organizations establish a responsible disclosure program, secure their repositories, enforce strong authentication and authorization, apply least-privilege access controls, rotate keys and credentials regularly, and regularly audit their registries for sensitive data.
Additionally, organizations should implement appropriate policies and procedures to manage shadow IT activities, which can pose significant security risks to their environments.
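One concrete form of the "audit registries for sensitive data" recommendation, as an added example that is not part of Aqua's report or tooling: a small Python scanner that inspects a container image config (the JSON document a registry stores next to each image manifest) for credentials baked in through ENV variables or build-time ARG/RUN steps, which remain visible in layer history even after the secret file itself is deleted. The detector patterns and the sample image config are constructed assumptions for illustration.

```python
"""Audit a container image config for credentials leaked via ENV or build history."""
import json
import re

# Constructed, non-exhaustive detector set (an assumption, not Aqua's tooling).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value style, case-insensitive, e.g. DB_PASSWORD=..., NPM_TOKEN=...
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S{6,}"
    ),
}


def _redact(match_text: str) -> str:
    """Keep enough context to locate the finding without reprinting the value."""
    return match_text[:12] + "..." if len(match_text) > 12 else match_text


def _match(location: str, text: str) -> list:
    """Run every detector over one string and return redacted findings."""
    return [
        {"location": location, "kind": kind, "excerpt": _redact(m.group(0))}
        for kind, pattern in SECRET_PATTERNS.items()
        for m in pattern.finditer(text)
    ]


def scan_image_config(config_json: str) -> list:
    """Return findings from config.Env and from each layer's created_by command.
    Build ARG values and RUN lines survive in history even if files were removed."""
    cfg = json.loads(config_json)
    findings = []
    for env in cfg.get("config", {}).get("Env", []) or []:
        findings += _match("env", env)
    for layer in cfg.get("history", []) or []:
        findings += _match("history", layer.get("created_by", ""))
    return findings


# Constructed sample config mimicking an image pushed with leaked credentials.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
                       "DB_PASSWORD=hunter2hunter2"]},
    "history": [{"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
                {"created_by": "|1 NPM_TOKEN=npm_deadbeef0123 /bin/sh -c npm ci"}],
})

if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_CONFIG):
        print(f"{f['location']:8} {f['kind']:20} {f['excerpt']}")
```

Pulling the config blob itself (for example via the registry's API for each tag) and feeding it to `scan_image_config` turns this into a periodic check across a registry; any hit is a signal to rotate the credential, not just to delete the image.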
Overall, the research highlights the need for organizations to take a more proactive approach to security and the importance of addressing security risks in their software supply chains.