Crying Out Cloud - July Newsletter

In this edition, we bring you the latest in cloud security – crucial vulnerabilities in Ubuntu and OpenSSH, exclusive data, and noteworthy incidents like PyLoose and SilentBob. Stay informed and stay secure.

Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.

Here are our cloud security highlights for July! 

✨ Highlights

GameOver(lay): local privilege escalation vulnerabilities in Ubuntu Linux 

Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.  

CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. Successful exploitation of these vulnerabilities would allow an attacker with prior access to an unprivileged local user to escalate their privileges to the root user. Weaponized exploits for past OverlayFS vulnerabilities work out of the box for these vulnerabilities as well. 

The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risk at the time, but later updates to the Linux kernel made these modifications vulnerable.

Learn more in our blogpost.  

🐞 High Profile Vulnerabilities

Zenbleed: cross-process infoleak vulnerability in AMD Zen 2 Processors 

Researchers discovered a use-after-free flaw in AMD Zen 2 processors (CVE-2023-2059) which could allow a malicious actor with access to an affected machine to steal sensitive data, such as passwords and encryption keys. Exploitation requires local code execution privileges and is less likely to be of concern in cloud environments, due to fast patching cycles and cloud service provider mitigations that limit the impact of CPU vulnerabilities.   

Learn more in our blogpost.

High severity RCE vulnerabilities in Atlassian products

Atlassian patched several remote code execution vulnerabilities in multiple products: CVE-2023-22505 and CVE-2023-22508 in Confluence, and CVE-2023-22506 in Bamboo. In all cases, exploitation requires successful authentication, but an attacker could then execute code remotely on vulnerable machines. It is recommended to update vulnerable instances to the latest versions, while focusing on publicly exposed workloads. 

According to Wiz data, less than 1% of cloud environments have instances vulnerable to these vulnerabilities. 

Refer to the report to learn more.

Critical RCE vulnerability in OpenSSH’s forwarded ssh-agent

CVE-2023-38408 is a critical remote code execution vulnerability in OpenSSH's forwarded ssh-agent. Under specific conditions, this vulnerability allows a remote attacker to potentially execute arbitrary commands on the machine running a vulnerable OpenSSH ssh-agent that has been forwarded. For example, if an admin with a vulnerable version connects to an SSH server in the cloud and an attacker compromises that server, the attacker can execute code on the admin's laptop. Customers are advised to update OpenSSH to the fixed version.

Refer to the report to learn more. 

Critical RCE in Citrix ADC exploited in the wild

Citrix published an advisory regarding CVE-2023-3519, a critical remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC). In specific configurations the vulnerability can allow code injection that leads to remote code execution. Citrix reported that exploitation has been observed in the wild, and customers are recommended to upgrade their NetScaler ADC to a fixed version.

According to Wiz data, 1.5% of cloud environments have publicly exposed resources vulnerable to CVE-2023-3519.

Refer to the report to learn more.

RCE in Office and Windows HTML exploited in the wild

Microsoft published a remote code execution vulnerability in Office and Windows HTML (CVE-2023-36884), which was reportedly exploited in the wild. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. No patch has been released as of July 12, but it is recommended to apply mitigations. Since this vulnerability impacts Office and requires Office documents and user interaction, it is not expected to be widely exploited in most cloud environments, unless virtual desktop solutions are in use.

According to Wiz data, 2.3% of cloud environments have publicly exposed resources vulnerable to CVE-2023-36884.

Refer to the report to learn more. 

EoP vulnerability in Windows Error Reporting Service exploited in the wild

Microsoft released a patch for CVE-2023-36874, a vulnerability in Windows Error Reporting Service that can be exploited to gain Administrator privileges. The vulnerability requires local access and was reportedly exploited in the wild. It is recommended to patch urgently.

According to Wiz data, 34% of cloud environments have publicly exposed resources vulnerable to CVE-2023-36874.

Refer to the report to learn more.

🔓 Security Incidents

Microsoft key compromised by Chinese threat actor allows potential access to Azure applications

Wiz research has investigated the latest security incident disclosed by Microsoft and CISA, attributed to Chinese threat actor Storm-0558. We’ve found that this incident had a broader potential scope than originally assumed, and prepared recommended steps that organizations using Microsoft and Azure services should take to assess impact. 

Learn more in our blogpost.

PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer

Using the Wiz Runtime Sensor, Wiz Threat Research has recently detected a new fileless attack targeting cloud workloads. The attack consists of Python code that loads an XMRig miner directly into memory using memfd, a known Linux fileless technique.

Learn more in our blogpost.
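The memfd technique leaves a trace in /proc that a defender can look for: code loaded this way is mapped from a path of the form `/memfd:<name> (deleted)` rather than from a file on disk, and the process's `exe` link points at the memfd. The following is an added example (not the Wiz Runtime Sensor or any code from the original post) that flags such executable mappings; the sample maps text and the memfd name `payload` are constructed.

```python
"""Flag memfd-backed executable mappings, the trace a fileless loader leaves in /proc."""
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def memfd_exec_mappings(maps_text: str) -> list:
    """Return (range, perms, path) for executable mappings whose backing file is a memfd."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # Code from disk shows its on-disk path; a memfd shows '/memfd:<name> (deleted)'
        if "x" in m.group("perms") and path.startswith("/memfd:"):
            hits.append((f"{m.group('start')}-{m.group('end')}", m.group("perms"), path))
    return hits


def is_memfd_exe(exe_link_target: str) -> bool:
    """True when /proc/<pid>/exe resolves to a memfd rather than a file on disk."""
    return exe_link_target.startswith("/memfd:")


def scan_running_processes() -> dict:
    """Walk /proc (Linux only) and return {pid: (exe target, memfd exec mappings)}."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/maps") as f:
                hits = memfd_exec_mappings(f.read())
        except OSError:  # process exited, or not readable by this user
            continue
        if is_memfd_exe(exe) or hits:
            findings[int(pid)] = (exe, hits)
    return findings


# Constructed sample: two on-disk mappings plus a memfd-backed executable one
SAMPLE_MAPS = """\
55d3f6c00000-55d3f6c21000 r-xp 00000000 fd:01 1312 /usr/bin/python3.10
7f1a2c000000-7f1a2c1b0000 r-xp 00000000 fd:01 2204 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2d000000-7f1a2d400000 r-xp 00000000 00:01 4711 /memfd:payload (deleted)
7f1a2d400000-7f1a2d500000 rw-p 00000000 00:01 4711 /memfd:payload (deleted)
"""
```

Run `scan_running_processes()` on a Linux host to check live processes; legitimate users of memfd (some JIT runtimes and sandboxes) exist, so treat a hit as a lead to triage rather than a verdict.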

JumpCloud security incident

On July 6, JumpCloud notified customers of an ongoing security incident. As a result, the company has invalidated existing admin API keys to protect its customer organizations, and affected organizations will need to generate new keys.

Refer to the report to learn more.

SilentBob: Campaign targeting exposed misconfigured applications

Researchers have uncovered a cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign primarily involves an aggressive cloud worm that targets JupyterLab and Docker APIs to deploy Tsunami malware, hijack cloud credentials, and execute resource hijacking. 

On July 13, 2023, new research was published that found the campaign to be targeting additional services: Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications, across all CSPs. Additional tools and techniques were observed by researchers, and new indicators of compromise were detected. Customers are advised to check their environments for the newly discovered IoCs.

Refer to the report to learn more.