Crying Out Cloud - March 2024 Newsletter

This month, we address critical vulnerabilities in Docker, runc, JetBrains TeamCity, FortiSIEM, Ivanti, FortiOS, and Outlook. Also spotlighted are the Commando Cat and Mispadu Trojan campaigns.

Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.

Here are our cloud security highlights!


🐞 High Profile Vulnerabilities

Leaky Vessels: Docker and runc Container Escape Vulnerabilities


Several vulnerabilities have been revealed in the runc command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape: exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly when the container runs with superuser privileges.


According to Wiz data, 18% of cloud environments have resources vulnerable to CVE-2024-21626 that run with high Kubernetes privileges and use a container image sourced from an external container registry. According to Wiz data, 95% of cloud environments have vulnerable resources, and since runc is very prevalent, many environments have tens of thousands of vulnerable resources.
Learn more in our blog.

Critical Vulnerability in JetBrains TeamCity


CVE-2024-23917 is a critical vulnerability in JetBrains TeamCity which received a CVSS score of 9.8. The vulnerability could allow an unauthenticated attacker to bypass authentication checks and obtain administrative control over the server. It is recommended to update TeamCity to the patched version 2023.11.3 or above.


According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2024-23917. As of February 29, exploitation of the vulnerability has not been observed.


Learn more here.

Critical vulnerabilities in FortiSIEM


CVE-2024-23108 and CVE-2024-23109 are critical vulnerabilities in FortiSIEM. While there was some initial confusion about these CVEs, with some reports that they were duplicates of prior CVEs, on February 8, 2024, Fortinet stated that these are in fact new vulnerabilities that bypass CVE-2023-34992, originally reported in October 2023. The vulnerabilities are described as remote unauthenticated OS command injection, which may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.
According to Wiz data, less than 0.5% of cloud environments have publicly exposed resources vulnerable to CVE-2024-23108 and CVE-2024-23109.

Learn more here.

Authentication Bypass Vulnerability in Ivanti Products Exploited in-the-Wild

On February 8, 2024, Ivanti published CVE-2024-22024, a high severity vulnerability allowing authentication bypass in Connect Secure and Policy Secure. This follows the publication of several other vulnerabilities in Connect Secure and Policy Secure. As of February 9, 2024, exploitation of this vulnerability has been observed in the wild by UNC5325, a threat group associated with China. It is recommended to follow mitigation guidelines and update Ivanti products to patched versions.


According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2024-22024.


Learn more in our blog.

Critical RCE Vulnerabilities in FortiOS Exploited in-the-Wild

CVE-2024-21762 and CVE-2024-23113 are critical vulnerabilities in Fortinet's FortiOS which received CVSS scores of 9.6 and 9.8, respectively. Both vulnerabilities could allow a remote unauthenticated attacker to execute arbitrary code or commands, and CVE-2024-21762 is reportedly being exploited in the wild. It is recommended to upgrade FortiOS instances to patched versions as soon as possible.


According to Wiz data, 2% of cloud environments have publicly exposed resources vulnerable to CVE-2024-21762 or CVE-2024-23113.


Learn more in our blog.

MonikerLink: Critical RCE Vulnerability in Microsoft Outlook


CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook stemming from how Outlook processes certain hyperlinks. Researchers published a proof-of-concept for exploitation of the vulnerability, which could allow arbitrary code execution via specially crafted moniker links. It is recommended to upgrade Outlook to the patched version, particularly on virtual desktops.
According to Wiz data, 12% of cloud environments have resources vulnerable to CVE-2024-21413, and less than 1% have publicly exposed resources vulnerable to CVE-2024-21413.
Learn more here.

Critical ScreenConnect Vulnerability Exploited in-the-Wild


ConnectWise disclosed two vulnerabilities in its ScreenConnect software on February 19, 2024. Following the disclosure, these were quickly and easily exploited by attackers. The vulnerabilities, assigned CVE-2024-1708 and CVE-2024-1709, include a critical authentication bypass and a high-severity path traversal flaw, respectively. Considering the ease of exploitation, it is recommended to upgrade ScreenConnect server instances to patched versions as soon as possible.


According to Wiz data, less than 0.5% of cloud environments have publicly exposed resources vulnerable to CVE-2024-1709 or CVE-2024-1708.


Learn more here.


🔓 Security Incidents & Campaigns

Commando Cat Campaign Targeting Exposed Docker APIs


Researchers observed a campaign targeting misconfigured Docker API endpoints exposed to the Internet. The campaign, dubbed Commando Cat, abuses Docker hosts for cryptojacking. It is recommended to look for indicators of compromise in your environment.
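The misconfiguration this campaign relies on is a Docker Engine API reachable over plain TCP without client certificate verification. The following added example (not from the newsletter or from Wiz's tooling) audits a `daemon.json` document for that condition: it flags every `tcp://` entry in `hosts` that is not protected by `tlsverify`, and rates a wildcard bind (`0.0.0.0` or `::`) as higher severity than a loopback bind. The `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd settings; the sample configurations and the certificate paths are constructed for illustration.

```python
"""Flag Docker daemon configurations that expose the Engine API over plain TCP.

Added example for the Commando Cat item above; not from the original newsletter.
The sample daemon.json contents below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Conventional Docker Engine API ports: 2375 plaintext, 2376 TLS.
PLAINTEXT_PORT = 2375


@dataclass
class Finding:
    host: str          # the "hosts" entry that triggered the finding
    severity: str      # "high" or "medium"
    reason: str


def audit_daemon_config(config_text: str) -> list:
    """Return findings for every tcp:// listener in a daemon.json document.

    A tcp:// host without tlsverify=true means anyone who can reach the port
    can drive the Docker API (start containers, bind-mount the host filesystem).
    """
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [])
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for entry in hosts:
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network exposed
        parsed = urlsplit(entry)
        bind_addr = parsed.hostname or "0.0.0.0"   # empty host means all interfaces
        port = parsed.port or PLAINTEXT_PORT
        if not tls_verify:
            wide_open = bind_addr in ("0.0.0.0", "::")
            findings.append(Finding(
                host=entry,
                severity="high" if wide_open else "medium",
                reason=f"Docker API on {bind_addr}:{port} without TLS client verification",
            ))
        elif port == PLAINTEXT_PORT:
            findings.append(Finding(
                host=entry,
                severity="medium",
                reason="TLS verification enabled but listening on the conventional plaintext port 2375",
            ))
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLE_EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
SAMPLE_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed path
    "tlscert": "/etc/docker/server-cert.pem",   # assumed path
    "tlskey": "/etc/docker/server-key.pem",     # assumed path
})

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        results = audit_daemon_config(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.host}: {f.reason}")
```

Run it against the `/etc/docker/daemon.json` of each host in scope; a `high` finding on an Internet-facing host is exactly the exposure the campaign scans for, and the fix is to drop the `tcp://` listener or keep it only with `tlsverify` and a client CA.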


Learn more here.

Windows SmartScreen vulnerability exploited by Mispadu trojan


Mispadu Stealer, a banking Trojan first reported in November 2019, has been observed exploiting the Windows SmartScreen bypass vulnerability, CVE-2023-36025. This variant of Mispadu spreads through phishing emails and primarily affects victims in Latin America. The malware is part of the larger family of LATAM banking malware, including Grandoreiro.


Learn more here.


Confluence Vulnerability Exploited to Deploy C3RB3R Malware


CVE-2023-22527 is a critical remote code execution vulnerability in Confluence Server and Data Center, which was published on January 16. Researchers observed CVE-2023-22527 being exploited to deploy C3RB3R ransomware, as well as to deploy payloads for cryptocurrency mining and remote access trojans. It is recommended to search your environment for indicators of compromise listed in the linked advisory.


Learn more here.

Account Takeover Campaign Targeting Azure Environments


Researchers have observed a cloud account takeover campaign targeting Microsoft Azure environments. Detected in late November 2023, this active campaign employs credential phishing and account takeover tactics, using personalized phishing lures within shared documents to redirect users to malicious sites. It is recommended to search your environment for indicators of compromise listed in the linked blogpost.


Learn more here.

Migo Cryptominer Targeting Redis


Researchers have discovered a new malware campaign, dubbed Migo, targeting Redis servers running on Linux hosts to mine cryptocurrency. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files immediately and redeploy workloads from a known clean state.
Learn more here.


Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen.


Listen on Spotify and Apple Podcasts