Wiz Defend is Here: Threat detection and response for cloud

Crying Out Cloud - March 2024 Newsletter

This month, we address critical vulnerabilities in Docker, runc, JetBrains TeamCity, FortiSIEM, Ivanti, FortiOS, and Outlook. Also spotlighted are the Commando Cat and Mispadu Trojan campaigns.

Welcome back! In this edition, we bring you the latest in cloud security ā€“ crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.

Here are our cloud security highlights!


šŸžĀ High Profile Vulnerabilities

Leaky Vessels: Docker and runc Container Escape Vulnerabilities


Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.


According to Wiz data, 18% percent of cloud environments have resources vulnerable to CVE-2024-21626 with high Kubernetes privileges that run a container using an image sourced from an external container registry. According to Wiz data, 95% of cloud environments have vulnerable resources, and since runC is very prevalent, many environments have tens of thousands of vulnerable resources.
Learn moreĀ in our blog.

Critical Vulnerability in JetBrains TeamCity


CVE-2024-23917 is a critical vulnerability in JetBrains TeamCity which received a CVSS score of 9.8. The vulnerability could allow an unauthenticated attacker to potentially bypass authentication checks and obtain administrative control over the server. It is recommended to patch TeamCity to the patched version 2023.11.3 or above.


According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2024-23917. As of February 29, exploitation of the vulnerability has not been observed.


Learn moreĀ here.

Critical vulnerabilities in FortiSIEM


CVE-2024-23108 and CVE-2024-23109 are critical vulnerabilities in FortiSIEM. While there was some initial confusion about these CVEs, with some reports that they were duplicates of prior CVEs, on February 8, 2024, Fortinet stated that these are in fact new vulnerabilities that bypass CVE-2023-34992, originally reported in October 2023. The vulnerabilities are described as remote unauthenticated OS command injection, which may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.
According to Wiz data, less than 0.5% of cloud environments have publicly exposed resources vulnerable to CVE-2024-23108 and CVE-2024-23109.

Learn moreĀ here.

Authentication Bypass Vulnerability in Ivanti Products Exploited in-the-Wild

On February 8, 2024, Ivanti published CVE-2024-22024, a high severity vulnerability allowing authentication bypass in Connect Secure and Policy Secure. This follows the publication of several other vulnerabilities in Connect Secure and Policy Secure. As of February 9, 2024, exploitation of this vulnerability has been observed in the wild, by UNC5325, a threat group associated with China. It is recommended to follow mitigation guidelines and update Ivanti products to patched versions.


According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2024-22024.


Learn moreĀ in our blog.

Critical RCE Vulnerabilities in FortiOS Exploited in-the-Wild

CVE-2024-21762 and CVE-2024-23113 are critical vulnerabilities in Fortinet's FortiOS which received the CVSS score of 9.6 and 9.8 respectively. Both vulnerabilities could allow a remote unauthenticated attacker to execute arbitrary code or commands, and CVE-2024-21762 is reportedly being exploited in the wild. It is recommended to upgrade FortiOS instances to patched versions as soon as possible.


According to Wiz data, 2% of cloud environments have publicly exposed resources vulnerable to CVE-2024-21762 or CVE-2024-23113.


Learn moreĀ in our blog.

MonikerLink: Critical RCE Vulnerability in Microsoft Outlook


CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook stemming from how Outlook processes certain hyperlinks. Researchers published a proof-of-concept for exploitation of the vulnerability, which could allow arbitrary code execution via specially crafted moniker links. It is recommended to upgrade Outlook to the patched version, particularly on virtual desktops.
According to Wiz data, 12% of cloud environments have resources vulnerable to CVE-2024-21413, and less than 1% have publicly exposed resources vulnerable to CVE-2024-21413.
Learn moreĀ here.

Critical ScreenConnect Vulnerability Exploited in-the-Wild


ConnectWise disclosed two vulnerabilities in its ScreenConnect software on February 19, 2024. Following the disclosure, these were quickly and easily exploited by attackers. The vulnerabilities, assigned CVE-2024-1708 and CVE-2024-1709, include a critical authentication bypass and a high-severity path traversal flaw, respectively. Considering the ease of exploitation, it is recommended to upgrade ScreenConnect server instances to patched versions as soon as possible.


According to Wiz data less than 0.5% of cloud environments have publicly exposed resources vulnerable to CVE-2024-1709 or CVE-2024-1708.


Learn moreĀ here.Ā Ā 


šŸ”“Ā Security Incidents & Campaigns

Commando Cat Campaign Targeting Exposed Docker APIs


Researchers observed a campaign targeting misconfigured Docker API endpoints exposed to the Internet. The campaign was dubbed Commando Cat and is abusing Docker hosts for cryptojacking. It is recommended to look for indicators of compromise in your environment.


Learn moreĀ here.

Windows SmartScreen vulnerability exploited by Mispadu trojan


Mispadu Stealer, a banking Trojan first reported in November 2019, has been observed exploiting the Windows SmartScreen bypass vulnerability, CVE-2023-36025. This variant of Mispadu spreads through phishing emails and primarily affects victims in Latin America. The malware is part of the larger family of LATAM banking malware, including Grandoreiro.


Learn moreĀ here.


Confluence Vulnerability Exploited to Deploy C3RB3R Malware


CVE-2023-22527 is a critical remote code execution vulnerability in Confluence Server and Data Center, which was published January 16. Researchers observed CVE-2023-22527 being exploited to deploy C3RB3R ransomware, as well as to deploy payloads for cryptocurrency mining and remote access trojans. It is recommended to search your environment for indicators of compromise listed in the linked advisory.


Learn moreĀ here.

Account Takeover Campaign Targeting Azure Environments


Researchers have observed a cloud account takeover campaign targeting Microsoft Azure environments. Detected in late November 2023, this active campaign employs credential phishing and account takeover tactics, using personalized phishing lures within shared documents to redirect users to malicious sites. It is recommended to search your environment for indicators of compromise listed in the linked blogpost.


Learn moreĀ here.

Migo Cryptominer Targeting Redis


Researchers have discovered a new malware campaign, dubbed Migo, targeting Redis servers running on Linux hosts to mine cryptocurrency. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files immediately and redeploy workloads from a known clean state.
Learn moreĀ here.Ā Ā Ā Ā 


Hold on to your headphones!


Tune in to "CryingĀ Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai CohenĀ 


Listen onĀ SpotifyĀ andĀ Apple Podcasts.Ā