Crying Out Cloud - August Newsletter

Wiz Team's August newsletter highlights cloud security: Kubernetes vulnerabilities on Windows nodes, the CPU vulnerabilities Downfall and Inception, a Microsoft Power Platform flaw, malware campaigns targeting Redis, Magento, Gitlab, and more.

Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's delve in. 
Editor’s note: some of you may have noticed that we accidentally resent last month’s edition (July) – this was due to a technical issue for which we apologize.

Moving on – here are our top picks of cloud security highlights! 

🐞 High Profile Vulnerabilities

High severity vulnerabilities in Kubernetes on Windows nodes 

Three high severity Kubernetes vulnerabilities were published on August 23. All three stem from insufficient input sanitization and allow privilege escalation: a user who can create pods that get scheduled on Windows nodes may be able to escalate to administrator privileges on those nodes. Clusters without Windows nodes are not affected. The vulnerabilities were assigned CVE-2023-3676 and CVE-2023-3955 (both in the kubelet) and CVE-2023-3893 (in the Windows CSI proxy, csi-proxy). Customers running Windows nodes are advised to upgrade the kubelet on those nodes to a patched release and, where csi-proxy is deployed, to upgrade it as well. 
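A quick way to find the nodes that matter is to compare each Windows node's kubelet version against the first fixed patch release of its minor line. The script below is an added example, not code from the newsletter or the Kubernetes project. It consumes the document that `kubectl get nodes -o json` prints, and uses the fixed kubelet versions listed in the upstream advisory for CVE-2023-3676 and CVE-2023-3955 (v1.24.17, v1.25.13, v1.26.8, v1.27.5, v1.28.1). CVE-2023-3893 lives in csi-proxy, which node metadata does not expose, so it is not covered. `SAMPLE_NODES` is a constructed stand-in for real kubectl output and the script filename in the comment is hypothetical.

```python
"""Triage: which Windows nodes run a kubelet older than the fixed releases?

Added example; not code from the newsletter or the Kubernetes project.
Keeps only Windows nodes (Linux nodes are not exposed to these CVEs) and
compares each node's kubelet version with the first fixed patch release
of its minor line, as listed in the upstream advisory.
"""
import json
import re
import sys

# First patched kubelet per minor line, keyed by (major, minor).
FIXED_KUBELET = {
    (1, 24): (1, 24, 17),
    (1, 25): (1, 25, 13),
    (1, 26): (1, 26, 8),
    (1, 27): (1, 27, 5),
    (1, 28): (1, 28, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v1.27.4-eks-2d98532' -> (1, 27, 4); distro suffixes are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {text!r}")
    return tuple(int(x) for x in m.groups())


def triage_nodes(node_list):
    """Return one finding per Windows node with its patch status."""
    findings = []
    for node in node_list.get("items", []):
        meta = node.get("metadata", {})
        info = node.get("status", {}).get("nodeInfo", {})
        os_name = meta.get("labels", {}).get("kubernetes.io/os") or info.get("operatingSystem")
        if os_name != "windows":
            continue
        version = parse_version(info.get("kubeletVersion", ""))
        fixed = FIXED_KUBELET.get(version[:2])
        if fixed is None:
            status = "unknown-minor"   # out-of-support line: treat as needing an upgrade
        elif version < fixed:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"node": meta.get("name"),
                         "kubelet": info.get("kubeletVersion"),
                         "status": status})
    return findings


# Constructed sample in the shape of `kubectl get nodes -o json` (not real cluster data).
SAMPLE_NODES = json.loads("""
{"items": [
 {"metadata": {"name": "linux-pool-1", "labels": {"kubernetes.io/os": "linux"}},
  "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.27.3"}}},
 {"metadata": {"name": "win-pool-1", "labels": {"kubernetes.io/os": "windows"}},
  "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.27.4-eks-2d98532"}}},
 {"metadata": {"name": "win-pool-2", "labels": {"kubernetes.io/os": "windows"}},
  "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.26.8"}}}
]}
""")

if __name__ == "__main__":
    # Real use (hypothetical filename): kubectl get nodes -o json | python3 triage_windows_kubelet.py
    data = SAMPLE_NODES if sys.stdin.isatty() else json.load(sys.stdin)
    for f in triage_nodes(data):
        print(f"{f['node']:<16} {f['kubelet']:<24} {f['status']}")
```

Run against the sample, `win-pool-1` (kubelet v1.27.4) is reported as vulnerable and `win-pool-2` (v1.26.8) as patched; the Linux node is skipped. A node on a minor line outside the table is flagged as `unknown-minor` rather than silently passed.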

Learn more here.

Downfall and Inception: CPU vulnerabilities 

Two CPU vulnerabilities were published in August: `Downfall` (CVE-2022-40982), which affects Intel Core and Xeon processors from the Skylake through Tiger Lake generations, and `Inception` (CVE-2023-20569), which affects AMD Zen CPUs (Zen 1 through Zen 4). Both are addressed primarily by a microcode update, and microcode is loaded by the host, not the guest: applying the update from within a VM has no effect. In the cloud the host belongs to the CSP, so under the shared responsibility model deploying the fix is the provider's job; the exception is bare-metal or self-managed hypervisor hosts, where the customer owns the firmware. Guest OS updates still matter, since the guest kernel's own mitigations (for Inception on Zen 1 and Zen 2, a software-only mitigation) build on the microcode, and the guest kernel reports whether the host's microcode fix is visible to it. Bottom line: for typical VM workloads these vulnerabilities are low priority for cloud customers, beyond confirming that the provider has rolled out the update. 
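To confirm from inside a Linux VM that the host's microcode fix has actually reached the guest, read the kernel's per-bug status files. The script below is an added example, not code from the newsletter. The guest kernel publishes one line per CPU bug under `/sys/devices/system/cpu/vulnerabilities/`: `gather_data_sampling` for Downfall and `spec_rstack_overflow` for Inception. A line beginning `Vulnerable` (for Downfall typically `Vulnerable: No microcode`) means the update the CSP must apply on the host is not in effect for this VM's CPU; for Downfall the kernel may also report `Unknown: Dependent on hypervisor status` when it cannot tell. The sysfs directory is a parameter so the demo can run against constructed files.

```python
"""Check from inside a Linux guest whether the host's microcode fix is visible.

Added example; not code from the newsletter. Reads the kernel's assessment
of each CPU bug from sysfs and reduces it to a coarse state.
"""
import tempfile
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# vulnerability name -> sysfs file written by the guest kernel
CHECKS = {
    "Downfall (CVE-2022-40982)": "gather_data_sampling",
    "Inception (CVE-2023-20569)": "spec_rstack_overflow",
}


def classify(status_line):
    """Map the kernel's free-text status line to a coarse state."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"   # e.g. 'Unknown: Dependent on hypervisor status'


def check_mitigations(sysfs_dir=SYSFS_VULN_DIR):
    """Return {name: {"raw": kernel line or None, "state": ...}} for both bugs."""
    results = {}
    for name, filename in CHECKS.items():
        path = Path(sysfs_dir) / filename
        if not path.exists():
            # Kernel predates the bug: it cannot report on the fix either.
            results[name] = {"raw": None, "state": "unknown"}
            continue
        raw = path.read_text().strip()
        results[name] = {"raw": raw, "state": classify(raw)}
    return results


def demo_with_constructed_files():
    """Run the check against constructed sysfs contents (not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "gather_data_sampling").write_text("Vulnerable: No microcode\n")
        (d / "spec_rstack_overflow").write_text("Mitigation: Safe RET\n")
        return check_mitigations(d)


if __name__ == "__main__":
    for name, r in check_mitigations().items():
        print(f"{name}: {r['state']} ({r['raw']})")
```

Run on a real VM it reads the live sysfs files; the constructed demo shows a guest where Inception is mitigated but the Downfall microcode has not arrived, which is the case to escalate to the provider.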

Learn more about `Downfall` here, and about `Inception` here.

Microsoft Power Platform Custom Code information disclosure flaw 

Researchers discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data in Microsoft Power Platform (including but not limited to authentication secrets). However, Microsoft has since fixed the flaw on their end and stated that no evidence was observed of exploitation in the wild. No action is required of cloud customers to fix this issue in their environments. 

Learn more here.

🔓 Security Incidents

P2Pinfect: malware targeting misconfigured Redis servers 

Researchers uncovered a campaign targeting exposed Redis servers with a self-replicating, peer-to-peer worm named P2Pinfect. The campaign gains access either by exploiting a critical Lua sandbox escape in Redis as packaged by Debian and Ubuntu (CVE-2022-0543) or, on instances misconfigured to accept unauthenticated connections, by issuing `SLAVEOF` to make the victim replicate from an attacker-controlled master so that replication delivers the attacker's payload. Once on the instance, the worm installs an agent that joins the peer-to-peer botnet and scans for further Redis targets. 
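The replication route only works when an anonymous client can reach the server and `SLAVEOF`/`REPLICAOF` are still callable, which a configuration audit can catch. The script below is an added example, not the newsletter's or the Redis project's code. It parses a `redis.conf`, flags a missing or wildcard `bind`, `protected-mode no`, absence of authentication (`requirepass`, ACL `user` lines, or an `aclfile`; treating any of these as "auth configured" is a simplifying assumption), and replication, config and module commands that have not been disabled with `rename-command`. The weak and hardened configs are constructed samples. CVE-2022-0543 is a packaging bug fixed by updating the `redis-server` package; a config audit cannot see it.

```python
"""Audit a redis.conf for the exposures the P2Pinfect replication route abuses.

Added example; not code from the newsletter or Redis. Flags settings that let
an anonymous client reach the server and point it at a rogue master.
"""

# Commands an attacker uses to pull in and load a payload, or to rewrite config.
DANGEROUS_COMMANDS = ("SLAVEOF", "REPLICAOF", "CONFIG", "MODULE", "DEBUG")


def parse_conf(text):
    """Return (directive, args) pairs, ignoring blanks and '#' comments.

    Assumption: no value contains a literal '#', which redis.conf would
    otherwise keep inside quotes.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    directives = {}
    for d, args in parse_conf(text):
        directives.setdefault(d, []).append(args)
    findings = []

    binds = directives.get("bind", [])
    bound = {a for args in binds for a in args}
    if not binds or bound & {"0.0.0.0", "*", "::"}:
        findings.append("bind: listens on all interfaces (set bind 127.0.0.1 or a private address)")

    pm = directives.get("protected-mode", [["yes"]])[-1]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    if not any(k in directives for k in ("requirepass", "user", "aclfile")):
        findings.append("no authentication configured (requirepass or ACL users)")

    disabled = {args[0].upper() for args in directives.get("rename-command", [])
                if len(args) == 2 and args[1] in ('""', "''")}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd} still reachable (rename-command {cmd} "")')
    return findings


# Constructed samples (not taken from any real deployment).
WEAK_CONF = """
# typical container default: reachable by anyone on the network
port 6379
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass change-me-to-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

On Redis 6 and later, ACL rules (`user ... -@dangerous`) are the preferred way to withhold these commands per user; `rename-command` is shown here because it works on every version still in the wild and is what the weak sample lacks.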

Learn more here.

Skidmap malware variant targeting misconfigured Redis servers 

Researchers also uncovered another campaign targeting misconfigured Redis servers to infect them with a cryptocurrency mining botnet known as Skidmap. 

Learn more here.

Xurum: campaign targeting sites using Magento 

Researchers at Akamai identified an ongoing campaign targeting digital commerce websites via exploitation of a server-side template injection vulnerability in Magento and Adobe Commerce (CVE-2022-24086). Users are advised to patch CVE-2022-24086 and look for indicators of compromise in their environments. 

According to Wiz data, 2% of cloud customers have at least one instance in their environment vulnerable to CVE-2022-24086. 

Learn more here.

LABRAT: campaign exploiting Gitlab vulnerability for cryptojacking 

Researchers uncovered a campaign exploiting a long-patched Gitlab vulnerability, CVE-2021-22205 (fixed in April 2021), and using the compromised resources for cryptojacking and proxyjacking (renting out the victim's bandwidth to proxy services). Users are advised to patch CVE-2021-22205 and look for indicators of compromise in their environments. 

Learn more here.

DreamBus strikes again: exploiting RCE in Apache RocketMQ servers 

Researchers identified attackers exploiting CVE-2023-33246, a critical remote code execution vulnerability in Apache RocketMQ, to install the DreamBus bot. Users are advised to patch CVE-2023-33246 and look for indicators of compromise in their environments. 

According to Wiz data, less than 1% of cloud customers have at least one instance in their environment vulnerable to CVE-2023-33246. 

Learn more here.

Hold on to your headphones!

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen 👏

Listen on Spotify and Apple Podcasts.