
Crying Out Cloud - February Newsletter

This month: 🐞 Vulnerabilities in Apache RocketMQ, GitLab, Ivanti Connect Secure, Confluence, NetScaler ADC, Fortra GoAnywhere MFT, Jenkins. 🔓 Security Incidents: RE#TURGENCE, Malicious Python Toolkit, Androxgh0st, Mimo CoinMiner, Docker Hosts XMRig Miners.

This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.

Here are our top picks!


🐞 High Profile Vulnerabilities

Apache RocketMQ RCE vulnerability exploited in-the-wild

In August 2023, researchers identified attackers exploiting CVE-2023-33246, a critical vulnerability in Apache RocketMQ, to install the DreamBus bot, a malware strain last publicly reported on in 2021. On January 5, 2024, Apache stated that the patch for CVE-2023-33246 was in fact insufficient, and an additional CVE was assigned to the bypass: CVE-2023-37582. The latter vulnerability is also being exploited in the wild, so it is recommended to patch Apache RocketMQ as soon as possible.

According to Wiz data, less than 1% of cloud environments have publicly exposed instances vulnerable to CVE-2023-37582.

Learn more here.


Critical account takeover vulnerability in GitLab

GitLab has addressed a critical (CVSS 10.0) account takeover vulnerability affecting GitLab 16. Identified as CVE-2023-7028, this vulnerability allows user account password reset emails to be delivered to an unverified email address, leading to account takeover unless 2FA is enabled. Exploitation of this vulnerability appears to be simple, and we therefore strongly recommend that GitLab customers update publicly exposed GitLab instances to the patched version as soon as possible.

According to Wiz data, 2% of cloud environments have publicly exposed resources vulnerable to CVE-2023-7028.

Learn more here.

RCE 0day vulnerabilities in Ivanti Connect Secure and Policy Secure

Researchers have uncovered in-the-wild exploitation of two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which, chained together, allow unauthenticated remote code execution on Ivanti Connect Secure VPN devices. Ivanti published an advisory and mitigation guidance, which should be applied as soon as possible. As of January 16, 2024, no patch is available (but according to Ivanti, a patch is expected to be released later this week).

According to Wiz data, 1% of cloud environments have publicly exposed resources vulnerable to CVE-2024-21887 or CVE-2023-46805.

Learn more here.


Critical RCE Vulnerability in Confluence

Atlassian released patches for CVE-2023-22527, a critical template injection vulnerability allowing remote code execution in Confluence Server and Data Center. The vulnerability received the maximum CVSS score of 10.0. It is recommended to update vulnerable instances to the latest versions.

According to Wiz data, less than 2% of cloud environments have publicly exposed resources vulnerable to CVE-2023-22527.

Learn more here.


0day Vulnerabilities in NetScaler ADC Exploited in-the-Wild

Citrix published two vulnerabilities in NetScaler ADC, CVE-2023-6548 and CVE-2023-6549, which are currently being exploited in the wild. The vulnerabilities expose unpatched NetScaler instances to remote code execution and denial-of-service attacks, respectively. It is recommended to update to the patched version.

According to Wiz data, 1% of cloud environments have publicly exposed resources vulnerable to CVE-2023-6548 or CVE-2023-6549.

Learn more here.


Critical Vulnerability in Fortra GoAnywhere MFT

CVE-2024-0204 is a critical authentication bypass affecting Fortra's GoAnywhere MFT prior to version 7.4.1. The flaw allows an unauthorized user to create an admin user via the administration portal. Fortra published an advisory for the vulnerability on January 22, 2024, but had in fact silently patched the bug in December 2023. It is recommended to update GoAnywhere MFT to the patched version as soon as possible, since a simple proof-of-concept exploit has already been published.

Learn more here.


Critical Vulnerability in Jenkins

CVE-2024-23897 is a critical arbitrary file read vulnerability in the Jenkins CLI, which can lead to remote code execution. The flaw allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. It is recommended to upgrade Jenkins instances to the patched versions, and as best practice, avoid exposing Jenkins servers on the Internet.

Learn more here.


🔓 Security Incidents

RE#TURGENCE: Campaign Targeting MSSQL Servers with Ransomware

Researchers identified attacks by a Turkish threat actor targeting misconfigured Microsoft SQL (MSSQL) servers to encrypt the victims' files with Mimic (AKA N3ww4v3) ransomware. The attacks are tracked as RE#TURGENCE and have been observed targeting victims in Europe, the United States, and Latin America.

It is recommended to search your environment for indicators of compromise listed in the linked blogpost.

Learn more here.

Malicious Python Toolkit Targets Cloud Environments

FBot is a Python-based hacking toolkit targeting web servers, cloud services, and SaaS platforms such as AWS, Office365, PayPal, SendGrid, and Twilio. FBot's primary purpose is to enable actors to hijack cloud, SaaS, and web services, with a secondary focus on acquiring accounts for spamming attacks. It is recommended to search your environment for indicators of compromise listed in the linked blogpost.

Learn more here.

Androxgh0st: malicious botnet stealing cloud credentials

The FBI and CISA have issued a joint Cybersecurity Advisory (CSA) addressing Androxgh0st, alerting organizations of attackers using the toolkit to steal cloud credentials and deliver malicious payloads. Threat actors utilizing Androxgh0st have been observed using the following vulnerabilities to compromise their victims: CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework). It is recommended to search your environment for indicators of compromise listed in the linked advisory.

Learn more here.


Mimo CoinMiner and Mimus Ransomware campaign

Researchers have observed a financially motivated threat actor dubbed Mimo exploiting various vulnerabilities to install malware on servers. Mimo was initially discovered installing cryptomining software by exploiting the Log4Shell vulnerability in March 2022. The threat actor, also known as Hezb, has since utilized remote code execution vulnerabilities in software such as WSO2, Confluence, the printer management program PaperCut, and Apache ActiveMQ to carry out its attacks. It is recommended to search your environment for indicators of compromise listed in the linked blogpost.

Learn more here.


Campaign Targeting Docker Hosts with XMRig Miners

Researchers uncovered a new campaign that targets misconfigured Docker services for cryptojacking. The campaign deploys both an XMRig cryptocurrency miner and the 9hits viewer app on compromised hosts; the latter hijacks the host's resources to generate traffic to other websites (presumably to generate ad revenue for the attackers). It is recommended to search your environment for indicators of compromise listed in the linked blogpost.

Learn more here.