
Crying Out Cloud - September Newsletter

In the past month, there were significant cloud security issues, including data exposure, critical vulnerabilities, ransomware attacks, and nation-state actors targeting cloud environments.

Welcome back! Over the last busy month, we’ve seen many critical vulnerabilities pop up and there have been reports of several impactful security incidents. We’ve sifted through the noise to bring you the real game-changers.  


Here are our top picks of cloud security highlights! 


✨ Highlights

Misconfigured SAS token leads to data leak

Wiz Research discovered that Microsoft accidentally exposed 38TB of sensitive data through a misconfigured SAS token published in a public GitHub repository in the course of sharing AI data with the community. This data included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. Read our blog post for guidance on secure usage of SAS tokens.


Learn more in our blog.
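The incident above comes down to a SAS token whose scope, permissions and lifetime were far broader than the sharing use case required. The following audit helper is an added example (not Wiz's code and not from the blog post) that parses the query string of a SAS URL and flags the settings a reviewer would question before publishing it: account-wide scope (`ss`/`srt`), mutating permissions in `sp`, an expiry (`se`) far in the future, and missing HTTPS-only (`spr`) or source-IP (`sip`) restrictions. The parameter names are Azure's standard SAS query parameters; the 30-day lifetime threshold and the sample URLs with a `PLACEHOLDER` signature are constructed for the example. The signature itself is not validated here, since that requires the account key.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Letters in 'sp' that grant more than read/list: write, delete, add, create, update, x (delete version).
MUTATING_PERMS = set("wdacux")
# Hypothetical policy threshold for this example: tokens living longer than this get flagged.
MAX_LIFETIME = timedelta(days=30)


def parse_sas_expiry(value):
    """Parse the 'se' field; Azure accepts a date-only value or a UTC timestamp."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now=None):
    """Return a list of human-readable findings for a SAS URL (empty list = nothing flagged)."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return ["not a SAS token (no sig/sv parameters)"]
    findings = []
    perms = set(q.get("sp", ""))

    if perms & MUTATING_PERMS:
        findings.append(f"grants write/delete permissions (sp={q['sp']})")

    # Account SAS (ss/srt present) covers the whole storage account; service SAS (sr) covers one resource.
    if "ss" in q or "srt" in q:
        findings.append("account SAS: scope is the whole storage account, not a single container or blob")
        if "s" in q.get("srt", "") or "c" in q.get("srt", ""):
            findings.append(f"srt={q['srt']} allows enumerating containers/blobs across the account")
    elif q.get("sr") == "c" and "l" in perms:
        findings.append("container SAS with list permission: every blob in the container is enumerable")

    expiry = parse_sas_expiry(q.get("se", ""))
    if expiry is None:
        findings.append("no parsable expiry (se)")
    elif expiry <= now:
        findings.append(f"already expired on {expiry.date()}")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"long-lived token: expires {expiry.date()} ({(expiry - now).days} days out)")

    if q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "sip" not in q:
        findings.append("no source-IP restriction (sip)")
    return findings


# Constructed sample URLs (hypothetical account name, placeholder signature).
OVERLY_BROAD = (
    "https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=sco"
    "&sp=rwdlac&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER"
)
LEAST_PRIVILEGE = (
    "https://examplestorage.blob.core.windows.net/reports/q3.csv?sv=2020-08-04&sr=b"
    "&sp=r&st=2023-09-29T00:00:00Z&se=2023-10-01T00:00:00Z&spr=https"
    "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    review_time = datetime(2023, 9, 30, tzinfo=timezone.utc)
    for label, url in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(label, "->", audit_sas(url, review_time) or ["no findings"])
```

The second URL shows the shape a sharing link should have: a single blob (`sr=b`), read only, a lifetime of days, HTTPS only, and an IP range. Running the check against URLs before they are committed to a repository catches the account-wide, write-capable, decades-long token pattern described in the incident.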

🐞 High Profile Vulnerabilities

Critical vulnerability in GitLab

CVE-2023-5009 is a critical vulnerability in GitLab with a CVSS score of 9.6. On vulnerable instances, an attacker could run pipelines as an arbitrary user via scheduled security scan policies. This flaw is a bypass of an older bug (CVE-2023-3932). It is recommended to patch vulnerable GitLab instances urgently.


According to Wiz data, less than 5% of cloud environments have publicly exposed resources vulnerable to CVE-2023-5009. 


Learn more here.

Critical vulnerabilities in libwebp and libvpx exploited in the wild

CVE-2023-4863 is a critical vulnerability in libwebp, and CVE-2023-5217 is a high severity vulnerability in libvpx; both could allow remote code execution and were reportedly exploited in the wild. They are mainly client-side vulnerabilities and thus unlikely to be exploitable on most affected cloud workloads, other than virtual desktops and servers that handle images or video. Customers should therefore prioritize patching these cases, as well as vulnerable instances detected in build environments.


Learn more in our blog post.


🔓 Security Incidents

DB#JAMMER: Misconfigured MSSQL servers targeted by ransomware 

Researchers uncovered a campaign targeting misconfigured MSSQL servers with ransomware known as FreeWorld and Cobalt Strike payloads. Check for indicators of compromise in your environment, leverage strong, complex passwords for MSSQL users, and restrict the use of the xp_cmdshell feature in MSSQL.

A similar case was published later, in which an attacker exploited a similar misconfiguration in MSSQL and attempted lateral movement into cloud environments.


Learn more here.

Cryptominer deployed via SSH bruteforcing campaign 

Researchers uncovered a campaign, dating back nearly 2 years, that attempts to brute-force SSH servers in order to deploy cryptominers. Check for indicators of compromise in your environment and identify any publicly exposed SSH servers with weak passwords, which might be at risk.


Learn more here.
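Beyond checking indicators of compromise, a brute-force campaign like this one leaves a recognisable pattern in OpenSSH's own logs: a burst of `Failed password` lines from one source, often across many usernames, sometimes followed by an `Accepted` line from the same address. The detector below is an added example (not from the original post or the cited research) that parses syslog-format `sshd` lines and flags source IPs with at least five failures inside a one-minute window, noting whether a successful login from that IP followed. The log lines, host name, IP addresses, year and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the default OpenSSH syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Sep 28 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Sep 28 10:01:03 web01 sshd[2213]: Failed password for root from 198.51.100.7 port 41024 ssh2
Sep 28 10:01:04 web01 sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 41026 ssh2
Sep 28 10:01:05 web01 sshd[2217]: Failed password for invalid user oracle from 198.51.100.7 port 41028 ssh2
Sep 28 10:01:06 web01 sshd[2219]: Failed password for invalid user ubuntu from 198.51.100.7 port 41030 ssh2
Sep 28 10:01:09 web01 sshd[2221]: Accepted password for root from 198.51.100.7 port 41032 ssh2
Sep 28 10:15:00 web01 sshd[2300]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Sep 28 10:15:20 web01 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 50003 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Return (timestamp, ip, user, result, method) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> alert dict for IPs with >= threshold failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e[0] for e in evs if e[3] == "Failed"]
        # Sliding window: does any run of `threshold` consecutive failures fit inside the window?
        burst = any(
            (failures[i + threshold - 1] - failures[i]).total_seconds() <= window_seconds
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_fail = failures[0]
        # A success from the same IP after the burst is the high-priority case: the password guess may have worked.
        successes = [e for e in evs if e[3] == "Accepted" and e[0] >= first_fail]
        alerts[ip] = {
            "failures": len(failures),
            "usernames_tried": sorted({e[2] for e in evs if e[3] == "Failed"}),
            "success_after_failures": bool(successes),
            "success_logins": [(e[2], e[4]) for e in successes],
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

In the sample, `198.51.100.7` is flagged (five failures in four seconds across four usernames, then an accepted password login for root), while `192.0.2.10`, a single typo followed by a key-based login, is not. The same logic applies to `journalctl -u ssh` output or to lines shipped to a SIEM; the follow-up on a flagged host is the mitigation the post recommends, namely removing weak passwords and password authentication on exposed servers.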

Peach Sandstorm: Iranian threat actor targeting cloud environments 

A campaign by the Iranian nation-state actor Peach Sandstorm has used password spray attacks to gain unauthorized access to target environments, maintain persistence, and move laterally between on-prem and cloud environments. Active since February, the campaign has successfully targeted the satellite, defense, and pharmaceutical sectors.


Learn more here.

Scattered-Spider and ALPHV targeting cloud environments 

Since late August 2023, several incidents have been disclosed sharing commonalities that may indicate they are all tied to the financially motivated threat actors Scattered-Spider and ALPHV. Researchers have observed these cooperating actors progressing beyond social engineering and phishing campaigns for extortion purposes toward cloud lateral movement and RansomOps.


Learn more here.

AmberSquid: cryptomining campaign targeting AWS services 

Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. Check for indicators of compromise in your environment.  


Learn more here.




Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen, with special guest Hillai Ben Sasson 👏 


Listen on Spotify and Apple Podcasts.