More than 22,000 Container Orchestration and API Management Systems Exposed on Internet

Many organizations have turned to the public cloud to help them scale resources to meet demand, reduce operating costs and improve the effectiveness of IT processes; however, a significant percentage of companies have failed to secure their cloud infrastructure and are exposing their data.

New research conducted by Lacework has revealed more than 22,000 container dashboards and API management systems have been left exposed on the Internet.

The company used its own tools, SSL data mining techniques, and the Shodan search engine to find the exposed admin consoles, the vast majority of which were hosted on AWS, 58% of which were hosted in US regions.

Lacework focussed on the admin consoles of Kubernetes, Docker Swarm, Mesos Marathon, Redhat Openshift, Portainer.IO, and Swarmpit that are used to manage cloud infrastructure within companies.

For some companies, it is advantageous to leave these admin consoles open – such as when employees in different geographical locations need access, although in many cases, they have been left exposed by mistake. That allows hackers to easily find them.

Lacework notes that in many cases the admin consoles require credentials to be supplied before they can be accessed, although leaving them exposed over the Internet is a considerable risk.

“These nodes are essentially openings to these organization’s cloud environments to anyone with basic skills at searching the web,” wrote Lacework. “These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks.”

However, while hackers may be able to gain access to these consoles with effort, the same is not true of 305 of the 22,672 admin panels discovered by Lacework, which could be freely accessed by anyone as they had not even been secured with a password. 38 Kubernetes servers were discovered that were running the Healthz security and health check that could be accessed with no authentication required.

The failure to secure servers running MongoDB and Amazon S3 buckets was highlighted with a spate of security breaches in recent months, resulting in data theft and data deletion by hackers. Malware and ransomware can – and have been – installed, resources are being used to mine cryptocurrency, and the potential to sabotage a company is considerable. Very little technical skill would be required to find exposed resources and pull off an attack.

“Although we did not access any of the consoles to drive into what the targets were or dig into a level that would allow us to see if they were compromised as this was largely automated, you can see in the data that there are all kinds of organizations included,” wrote Lacework. This is not just a case of small companies making mistakes. Large organizations have similarly been found guilty of exposing themselves to considerable risk by failing to secure their admin consoles.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of