Apache Airflow Instances Misconfiguration leaks Credentials for Popular Services

According to Intezer researchers, misconfigured Apache Airflow instances are leaking credentials for popular services such as Amazon Web Services (AWS), Binance, Google Cloud Platform (GCP), PayPal, Slack, and Stripe.

In its report, Intezer said, “These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries.”

Apache Airflow is an open-source workflow management platform launched in June 2015. The platform enables programmatic scheduling and monitoring of workflows on AWS, GCP, Microsoft Azure, and other third-party services. It is one of the most popular task orchestration tools, followed by Luigi, Kubeflow, and MLflow.

Intezer found that the most common insecure coding practices were hard-coded database passwords in Python DAG code or in Airflow Variables, plaintext credentials in the “Extra” field of Connections, and cleartext keys in the configuration file (airflow.cfg).
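As an added example (not Intezer's tooling and not code from the Apache Airflow project), a small Python checker for the three insecure patterns described above, run over constructed samples of DAG source, a Connection “Extra” field and an airflow.cfg. The SECRET_NAME heuristic and all sample values are assumptions; it needs only the standard library, so it runs without Airflow installed.

```python
import ast
import configparser
import json
import re

SECRET_NAME = re.compile(r"password|passwd|secret|token|api_key|fernet_key", re.I)  # heuristic
URI_PASSWORD = re.compile(r"://[^/:@\s]+:[^@\s]+@")  # scheme://user:password@host
_is_str = lambda n: isinstance(n, ast.Constant) and isinstance(n.value, str) and n.value != ""  # non-empty literal

def scan_dag_source(src):
    """(line, name) of literal secrets: assignments, call keywords such as Connection(password=...)
    and Variable.set("name", "literal"). os.environ / Variable.get() reads are not literals and pass."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            hits += [(node.lineno, t.id) for t in node.targets
                     if isinstance(t, ast.Name) and SECRET_NAME.search(t.id)]
        elif isinstance(node, ast.Call):
            hits += [(node.lineno, k.arg) for k in node.keywords
                     if k.arg and SECRET_NAME.search(k.arg) and _is_str(k.value)]
            f = node.func
            if (isinstance(f, ast.Attribute) and f.attr == "set" and getattr(f.value, "id", None) == "Variable"
                    and len(node.args) == 2 and all(_is_str(a) for a in node.args)):
                hits.append((node.lineno, "Variable.set:" + node.args[0].value))
    return sorted(hits)

def scan_connection_extra(extra_json):  # keys in a Connection's Extra JSON that hold a literal secret
    return [k for k, v in json.loads(extra_json).items()
            if SECRET_NAME.search(k) and isinstance(v, str) and v]

def scan_airflow_cfg(text):
    """(section, option) pairs holding a cleartext key or a URI password. Airflow's *_cmd / *_secret
    options (and AIRFLOW__SECTION__KEY env vars, which never reach the file) are the safe forms."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(s, o) for s in cp.sections() for o, v in cp.items(s)
            if v and not o.endswith(("_cmd", "_secret"))
            and (SECRET_NAME.search(o) or URI_PASSWORD.search(v))]

# Constructed samples (not from any real deployment), one per finding class in the report.
DAG_SRC = '''from airflow.models import Variable
DB_PASSWORD = "hunter2"
Variable.set("stripe_api_key", "sk_live_demo")
conn = Connection(conn_id="pg", login="airflow", password="p@ss")'''
EXTRA = '{"aws_access_key_id": "AKIADEMO", "aws_secret_access_key": "DEMOSECRET"}'
CFG = '''[core]
sql_alchemy_conn = postgresql+psycopg2://airflow:airflow@postgres/airflow
fernet_key = DEMOFERNETKEY=
[webserver]
secret_key_cmd = cat /run/secrets/webserver_key'''
```

Each scanner returns the offending names, so the same checks can run in CI over a DAG repository before anything reaches the metadata database.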

The misconfigured Apache Airflow instances mainly exposed credentials that threat actors could abuse to gain access to accounts and databases. Such access enables lateral movement or data leakage, may violate data protection laws, and gives an attacker insight into an organization’s tools and packages, which could later be exploited to stage supply-chain attacks.

According to the Intezer researchers, “If a large number of passwords are visible, a threat actor can also use this data to detect patterns and common words to infer other passwords. These can be leveraged in a dictionary or brute-force-style attacks against other platforms.”

The worst fear is the ability of bad actors to launch malware on exposed production environments by leveraging the Variables feature to modify the container image variables so that they point to a different image containing unauthorized code.

Apache Airflow addressed several security issues in version 2.0.0, released in December 2020. It is therefore critical that all users update to the latest version and adopt secure coding practices to prevent passwords from being exposed.
