"Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver"

The Shadowserver Foundation, a nonprofit cybersecurity organization, has started scanning the internet for Kubernetes API servers and found roughly 380,000 that allow some form of access. Shadowserver is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request has succeeded. The researchers stated that of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK”. The researchers noted that this does not mean these servers are fully open or vulnerable to attacks, but Shadowserver believes they represent an “unnecessarily exposed attack surface,” and this level of access was likely not intended. More than half of the exposed instances are located in the United States, with many also seen in Western Europe, Southeast Asia, and Australia. The scans conducted by Shadowserver also show the Kubernetes version (1.17 through 1.22 are the most popular) and the platform (Linux/amd64 accounts for a vast majority of exposed instances). Shadowserver recently also started conducting daily internet scans to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.

SecurityWeek reports: "Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver"