Crying Out Cloud - April Newsletter

April's highlights: "BrokenSesame" vulnerabilities in Alibaba Cloud, K8s misconfigurations, critical weaknesses in AWS, Microsoft Azure, and Google Cloud, a major security incident affecting multiple cloud platforms, and the importance of cloud customers learning from these issues.

Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.

We've compiled a shortlist of the most relevant developments. Here are our top picks!

✨ Highlights

 BrokenSesame: Accidental ‘write’ permissions to private registry allowed potential RCE to Alibaba Cloud Database Services

Wiz Research has discovered a chain of critical vulnerabilities in two of Alibaba Cloud׳s popular services, AsparaDB RDS for PostrgreSQL and AnalyticDB for PostgreSQL. Dubbed "BrokenSesame", the vulnerabilities allowed unauthorized cross-tenant access to other customers` PostgreSQL databases and the ability to perform a supply-chain attack on both services, resulting in a full-service takeover. Wiz Research disclosed the vulnerabilities to Alibaba Cloud in December 2022. Alibaba Cloud confirmed that the issues have been fully mitigated, and no action is required by their customers.
The K8s misconfigurations in Alibaba Cloud that ultimately enabled this issue could just as easily affect other cloud environments and services, and cloud customers should therefore take note of these mistakes. For instance, according to Wiz data, 10% of cloud environments have pods allowing sensitive data sharing between containers, 40% of environments have containers running at different privileges while sharing a writable volume, and 8% have containers running at different privileges while sharing a process namespace.
Learn more about the Wiz Research team’s discoveries in our blog post.

 🐞 High Profile Vulnerabilities

0-day EoP vulnerability in CLFS exploited in ransomware attacks

CVE-2023-28252 is an elevation of privilege vulnerability in Windows Common Log File System (CLFS), actively exploited by cybercriminals to deploy Nokoyawa ransomware payloads. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges. In light of its current exploitation in the wild, not many details about the vulnerability have been made public yet, in order to avoid further exploitation by other threat actors.
According to Wiz data, as of April 20, 39% of cloud environments have resources vulnerable to CVE-2023-28252 exposed to the internet.
Learn more in our blog post.

Asset Key Thief: GCP EoP vulnerability

A vulnerability in the Google Cloud Asset Inventory API allowed anyone with the “Cloud Asset Viewer” role to access and exfiltrate any recently created user-managed Service Account private key within the same Google Cloud environment. This would have enabled attackers with existing access to a Google Cloud environment to assume the identity and privileges of that Service Account, providing them with a reliable method for lateral movement and privilege escalation. It is recommended to rotate user-managed Service Account keys created prior to March 14, 2023 (when the vulnerability was fixed).
Refer to the report to learn more.

QueueJumper: critical RCE vulnerability in MSMQ

CVE-2023-21554 is a critical RCE vulnerability in the Microsoft Message Queuing service, also known as MSMQ. The vulnerability allows unauthenticated attackers to execute arbitrary code in the context of the Windows service process, `mqsvc.exe`. It was patched on April 11 as part of April Patch Tuesday and dubbed "QueueJumper".
According to Wiz data, as of April 23, while 39% of cloud environments have unpatched instances exposed to the internet, and 10% have unpatched instances with MSMQ enabled, only 5% of cloud environments have vulnerable instances with MSMQ enabled and publicly exposed on port 1801 (the MSMQ TCP port).
Learn more in our blog post.

GhostToken: GCP flaw allowing invisible, unremovable app on Google accounts

A flaw in GCP could have allowed threat actors to make a malicious application invisible to its users and unremovable from their Google account. If an attacker could make a Google user grant permissions to a malicious application (e.g., through a phishing attack), they could then hide the malicious app from the victim’s Google account application management page. Since this is the only place Google users can see their applications and revoke their access, the exploit effectively made the malicious app undetectable and unremovable from the Google account. If an account affected by this issue had access to GCP cloud resources, attackers could have abused this to stealthily access those as well. A fix was released by Google this month and all such apps are now visible. However, it’s unclear if Google was aware of active exploitation of this technique prior to the fix, or if they notified users that may have been affected.
Refer to the report to learn more.

Critical RCE vulnerability in Apache Superset

Apache Superset released a patch for an insecure default configuration that could lead to remote code execution (RCE), assigned CVE-2023-27524. Apache Superset used a default Flask Secret Key to sign authentication session cookies. As a result, attackers can use this default key to forge session cookies that allow them to log in with administrator privileges to servers that did not change the key. The attackers can then access connected databases or execute arbitrary SQL statements on the application server.
According to Wiz data, as of April 29 less than 1% of cloud environments have resources vulnerable to CVE-2023-27524.
Refer to the report to learn more.

🔓 Security Incidents

Trigona ransomware infecting misconfigured MSSQL servers

Researchers observed threat actors targeting Microsoft SQL (MSSQL) servers using weak passwords and exposed to the Internet, and using them as entry points to deploy Trigona ransomware and encrypt all files. To launch the ransomware, the attackers exploit CVE-2016-0099, a vulnerability in the Windows Secondary Logon Service. It is recommended to look for indicators of compromise in your environment and if any are identified, remove the files immediately and redeploy workloads from a known clean state.
According to Wiz data, as of April 29, 11% of cloud environments have instances vulnerable to CVE-2016-0099.
Refer to the report to learn more.

Destructive attacks on hybrid cloud and on-prem environments

Researchers identified a destructive operation executed by MERCURY (also known as Mango Sandstorm or MuddyWater), a threat actor attributed to the Iranian government, in partnership with “DarkBit” (who gained notoriety for attacking the Technion, an Israeli university, last February). The attacks targeted both on-premises and cloud environments, with destruction and disruption as the ultimate goals. The actors likely exploited known vulnerabilities in unpatched applications for initial access and moved laterally throughout the network, using Azure AD Connect to pivot from the on-premises environment to the Azure AD environment. The attackers then leveraged highly privileged compromised credentials to perform mass destruction of resources.
Refer to the report to learn more.