Prometheus, while powerful, assumes that users will secure its HTTP endpoints and logs, but many fail to do so. The exposed servers, identified via Shodan by Aqua Nautilus researchers, highlight the risks of default settings. Sensitive data found on some servers, including assets belonging to Skoda Auto, underscores how attackers could exploit this information for targeted cyberattacks.
Additionally, attackers can overload Prometheus components to disrupt services, as demonstrated in tests where AWS EC2 instances and Kubernetes pods were successfully brought down using default debug endpoints. Moreover, some Prometheus exporters were found to be vulnerable to repojacking, allowing attackers to hijack GitHub namespaces and deploy malicious code under legitimate project names. This issue has since been addressed by Prometheus after researchers reported it.
To mitigate these risks, organizations must secure Prometheus endpoints with authentication, monitor discrepancies in GitHub projects to prevent repojacking, and employ tools to reduce DoS vulnerabilities. This case serves as a reminder of the importance of properly configuring and securing open-source tools to prevent potential exploitation.
Source: Dark Reading
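As an added illustration of the first mitigation above (an example written for this page, not configuration from the Dark Reading article or the Prometheus project): a Prometheus web configuration that requires TLS and basic authentication on every HTTP endpoint the server exposes, the debug handlers included. The certificate paths, the user name and the bcrypt hash are placeholders.

```yaml
# Default behaviour: Prometheus listens on 0.0.0.0:9090 with no TLS and
# no authentication, so /metrics, /api/v1/* and /debug/pprof/* answer to
# anyone who can reach the port.
#
# Hardened: start Prometheus with
#   prometheus --web.listen-address=127.0.0.1:9090 \
#              --web.config.file=web-config.yml
# (bind publicly only behind a TLS-terminating reverse proxy that also
# enforces access control) and put the following in web-config.yml.

tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt   # placeholder path
  key_file: /etc/prometheus/tls/server.key    # placeholder path
  min_version: TLS12

# Basic auth is enforced on every route, the API and debug endpoints
# included. Passwords are stored as bcrypt hashes; generate one with:
#   htpasswd -nBC 12 "" | tr -d ':\n'
basic_auth_users:
  prom_reader: "$2y$12$PLACEHOLDER_BCRYPT_HASH_REPLACE_ME"   # placeholder hash
```

After the restart, an unauthenticated request to /debug/pprof/ or /metrics should return HTTP 401; scrape clients then need matching basic_auth credentials in their scrape_configs.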
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.