Crying Out Cloud - December Newsletter

Crying Out Cloud November edition summarizes major cloud security vulnerabilities and incidents: NGINX flaws, ActiveMQ exploit, Confluence RCE, Sumo Logic compromise, Docker API botnet.

This month brought vulnerabilities and security incidents that affected many users. We've curated the most interesting and impactful security highlights for you from the month of November.


Here are our top picks of cloud security highlights!

🐞 High Profile Vulnerabilities

High severity vulnerabilities in NGINX Ingress Controller

NGINX Ingress Controller is affected by three high severity vulnerabilities. CVE-2022-4886 allows an attacker who can control the Ingress object itself to steal Kubernetes API credentials, while CVE-2023-5043 and CVE-2023-5044 enable an attacker who can control the configuration of the Ingress object to inject arbitrary code and steal credentials from the cluster. As of November 1, 2023, there is no fixed version available. Therefore, users are advised to upgrade NGINX Ingress Controller to a version that supports the configuration options needed to mitigate these vulnerabilities.


According to Wiz data, 17% of cloud environments have a publicly exposed container using an image vulnerable to one of the aforementioned vulnerabilities.


Learn more here.


Critical vulnerability in Apache ActiveMQ exploited in-the-wild

CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ that also affects Atlassian Bamboo. This vulnerability may allow a remote attacker with network access to a broker to run arbitrary commands due to an insecure deserialization in the OpenWire protocol. Multiple threat actors are reportedly exploiting this vulnerability to deploy ransomware in target networks, including Andariel and GoTitan. Users are advised to upgrade Apache ActiveMQ and Atlassian Bamboo to a fixed version.


According to Wiz data, approximately 7% of cloud environments have a publicly exposed resource vulnerable to CVE-2023-46604.


Learn more here.


Unauthenticated RCE in Thorn SFTP Gateway Admin portal

Researchers discovered a Java deserialization vulnerability tracked as CVE-2023-47174 that leads to unauthenticated remote code execution (RCE) in Thorn SFTP Gateway Admin portal. Exploitation in the wild of this vulnerability has yet to be observed, but users are advised to upgrade Thorn SFTP Gateway to the patched version.


According to Wiz data, less than 1% of cloud environments have a publicly exposed resource vulnerable to CVE-2023-47174.


Learn more here.


Critical RCE in Confluence Data Center and Server exploited in-the-wild

CVE-2023-22518 is a critical improper authorization vulnerability in Confluence Data Center and Server. This vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account that can perform all administrative actions, effectively allowing RCE. This vulnerability has an exploit available and is being leveraged by threat actors to deploy ransomware. Customers are advised to update Confluence Data Center and Server to their fixed versions.


According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2023-22518.


Learn more here.


High severity vulnerability in Azure CLI

CVE-2023-36052 is a vulnerability in Azure Command-Line Interface (CLI) that can lead to exposure of sensitive information and credentials in build logs when the CLI is invoked as part of a CI/CD process. Microsoft has added a new default setting to Azure CLI which prevents secrets from being presented in the output of update commands for services in the App Service family. Azure customers are advised to update to the latest version of Azure CLI (2.54).


Learn more here.


🔓 Security Incidents

Sumo Logic security incident

Sumo Logic disclosed a security incident in which a threat actor compromised credentials that granted them access to an AWS account. No further details of this incident have been made publicly available. Sumo Logic customers are advised to rotate their credentials.


Learn more here.

Cryptojacking campaign against Apache Web Servers using Cobalt Strike

Researchers observed threat activity involving Cobalt Strike being deployed along with XMRig coinminer on Windows servers running Apache Web Server. The threat actor seems to have targeted poorly managed servers, such as those using weak authentication or affected by unpatched vulnerabilities.


Learn more here.


OracleIV: botnet campaign targeting Docker Engine API

Researchers recently discovered a campaign targeting publicly exposed instances of Docker Engine API. The threat actor exploited a misconfiguration to deliver a malicious Docker container, built from an image named “oracleiv_latest” and containing Python malware compiled as an ELF executable. The malware itself acts as a Distributed Denial of Service (DDoS) bot agent, capable of conducting DoS attacks against the botnet operator’s targets of choice. Users are advised to properly configure Docker servers by preventing unauthenticated access to the “/images/create” API endpoint.
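The misconfiguration behind this campaign is a Docker Engine API listener reachable without TLS client authentication. As an added example (not part of the newsletter or of Docker's own tooling), the following audit reads a daemon.json and flags TCP listeners that lack `tlsverify`; both sample configurations are constructed for illustration.

```python
import json

# Constructed weak setting: the API is served over plain TCP on all interfaces,
# so anyone who can reach the port can call /images/create and start containers.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened counterpart: the TCP listener requires mutual TLS
# (tlsverify plus CA, server certificate and key), so unauthenticated
# callers are rejected before they reach any API endpoint.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(daemon_json: str) -> list:
    """Return a list of findings describing unauthenticated API exposure.

    An empty list means every TCP listener is protected by mutual TLS.
    Unix-socket listeners are governed by filesystem permissions and are
    not flagged here.
    """
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings = []
    if not tcp_hosts:
        return findings  # API only reachable via the local socket
    if not cfg.get("tlsverify"):
        for host in tcp_hosts:
            findings.append(f"{host}: TCP listener without tlsverify; "
                            "unauthenticated clients can pull images and run containers")
        return findings
    # tlsverify is set: make sure the certificate material is actually configured
    for key in TLS_KEYS:
        if key not in cfg:
            findings.append(f"tlsverify is enabled but '{key}' is not configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "OK")
```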


Learn more here.



Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏


Listen on Spotify and Apple Podcasts.


Are you ready for a new challenge?


Test your cloud security skills in five real-world Amazon EKS scenarios. Team up or go solo to earn individual glory!