In the past month, there were significant cloud security issues, including data exposure, critical vulnerabilities, ransomware attacks, and nation-state actors targeting cloud environments.
Welcome back! Over the last busy month, we’ve seen many critical vulnerabilities pop up and there have been reports of several impactful security incidents. We’ve sifted through the noise to bring you the real game-changers.
Here are our top picks of cloud security highlights!
Misconfigured SAS token leads to data leak
Wiz Research discovered that Microsoft accidentally exposed 38TB of sensitive data through a misconfigured SAS token published in a public GitHub repository in the course of sharing AI data with the community. This data included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. Read our blog post for guidance on secure usage of SAS tokens.
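As an added illustration (not code from the Wiz blog post), the following Python helper audits a SAS URL for the traits that make such a token dangerous when it leaks: account-wide scope, mutating or list permissions, and a distant expiry. The storage account name, URL and signature below are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: an account-level SAS URL granting broad permissions with a far-off
# expiry. The account name and signature are placeholders, not a real token.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/?"
    "sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2051-10-06T00:00:00Z"
    "&sig=PLACEHOLDER_SIGNATURE"
)

# Permission letters that allow changing data: write, delete, add, create, update, process.
MUTATING_PERMS = set("wdacup")


def _parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in SAS 'se'/'st' parameters."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sas(url: str, now: Optional[str] = None, max_days: int = 30) -> List[str]:
    """Return findings for a SAS URL; an empty list means nothing was flagged.

    'now' is an optional ISO-8601 timestamp (defaults to the current UTC time) so that
    results are reproducible when auditing tokens found in old commits or logs.
    """
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings: List[str] = []
    if "sig" not in params:
        return ["not a SAS URL: no 'sig' parameter present"]
    # 'ss' (services) and 'srt' (resource types) only appear on account-level SAS tokens,
    # which cover every container in the account rather than a single container or blob.
    if "ss" in params or "srt" in params:
        findings.append("account-level SAS: scope is the whole storage account")
    perms = set(params.get("sp", ""))
    if perms & MUTATING_PERMS:
        findings.append("mutating permissions granted: " + "".join(sorted(perms & MUTATING_PERMS)))
    if "l" in perms:
        findings.append("list permission lets a holder enumerate every blob in scope")
    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry ('se') parameter")
    elif _parse_time(expiry) <= current:
        findings.append("token already expired at " + expiry)
    elif _parse_time(expiry) - current > timedelta(days=max_days):
        findings.append("expiry " + expiry + " is more than " + str(max_days) + " days away")
    if params.get("spr") == "https,http":
        findings.append("token is usable over plain HTTP")
    return findings
```

Run it over any SAS URLs found while scanning repositories or commit history; a token that is container- or blob-scoped, read-only and short-lived produces no findings.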
CVE-2023-5009 is a critical vulnerability in GitLab, which received a CVSS score of 9.6. In vulnerable instances, it was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This flaw is a bypass for an older bug (CVE-2023-3932). It is recommended to patch vulnerable GitLab instances urgently.
According to Wiz data, less than 5% of cloud environments have publicly exposed resources vulnerable to CVE-2023-5009.
Critical vulnerabilities in libwebp and libvpx exploited in-the-wild
CVE-2023-4863 is a critical vulnerability in libwebp, and CVE-2023-5217 is a high-severity vulnerability in libvpx; both could potentially allow remote code execution and have reportedly been exploited in the wild. They are mainly client-side vulnerabilities and thus unlikely to be exploitable on most affected cloud workloads, other than virtual desktops and servers that handle images or video. Customers should therefore prioritize patching these cases, as well as vulnerable instances detected in build environments.
DB#JAMMER: Misconfigured MSSQL servers targeted by ransomware
Researchers uncovered a campaign targeting misconfigured MSSQL servers with ransomware known as FreeWorld and Cobalt Strike payloads. Check for indicators of compromise in your environment, use strong, complex passwords for MSSQL users, and restrict the use of the xp_cmdshell feature in MSSQL.
Cryptominer deployed via SSH bruteforcing campaign
Researchers uncovered a campaign dating back nearly 2 years that attempts to brute-force SSH servers in order to deploy cryptominers. Check for indicators of compromise in your environment and identify any publicly exposed SSH servers with weak passwords, which might be at risk.
Peach Sandstorm: Iranian threat actor targeting cloud environments
A campaign by the Iranian nation-state actor Peach Sandstorm has been using password spray attacks to gain unauthorized access to target environments, maintain persistence, and move laterally between on-prem and cloud environments. Active since February, the campaign has successfully targeted the satellite, defense, and pharmaceutical sectors.
Scattered-Spider and ALPHV targeting cloud environments
Since late August 2023, several incidents have been disclosed that share commonalities which may indicate they are all tied to the financially motivated threat actors Scattered-Spider and ALPHV. Researchers have observed these cooperating actors progressing beyond social engineering and phishing campaigns for extortion purposes toward cloud lateral movement and RansomOps.
Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. Check for indicators of compromise in your environment.