The First Edition of Crying Out Cloud - The Newsletter!

March's highlights: Azure AD misconfiguration in BingBang, critical vulnerabilities in Fortinet's FortiOS and Jenkins, Microsoft Outlook's elevation-of-privilege exploit, and security incidents: website hijacking, malicious Google Ads, Golang-based botnet, and Kubernetes cryptojacking.

The world of cloud security is ever-evolving, and the Wiz Research team is here to keep you updated. This month several impactful vulnerabilities were published, and we observed a few unfortunate security incidents which should be of interest to cloud customers. 

Here's a summary of our top picks, enjoy!


✨ Highlights

BingBang: Azure AD misconfiguration allows unauthenticated access to applications 

Wiz Research discovered an Azure AD misconfiguration affecting many applications: the affected apps were registered as multi-tenant, so they accepted tokens issued to any Azure AD user on the Internet, not only users of the owning organization. While this may be appropriate for certain apps, it means Azure AD proves only that the caller has some Azure AD identity; developers must make sure that their own code checks the token's tenant (`tid`/`iss` claims) and enforces authorization before serving anything sensitive. If these checks are implemented incorrectly, or not done at all, an app is at risk of unauthorized access.
Learn more about the Wiz Research team's discoveries, including a high-level overview of the vulnerability and its impact, in our blog post. For a technical deep dive and remediation guidelines, visit our technical blog.
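The tenant check described above, as an added example (this is illustrative code written for this newsletter, not Wiz's or Microsoft's code). It assumes the token's signature has already been verified by your authentication library; the `ALLOWED_TENANTS` set, the sample claims and the `make_sample_token` helper are constructed for the example. A token is accepted only if its `tid` is on the allowlist and its `iss` is the issuer URL for that same tenant (v2.0 `login.microsoftonline.com` form or v1.0 `sts.windows.net` form), so a token whose `tid` and `iss` disagree is rejected too:

```python
import base64
import json

# Constructed for this example: the only tenant this app should serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def claims_from_token(token: str) -> dict:
    """Return the payload claims of a compact JWS token.

    Assumption: the signature has already been verified by your auth library;
    this helper only parses the payload so the tenant can be checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def _expected_issuers(tid: str) -> set:
    # Azure AD v2.0 and v1.0 issuer formats for a given tenant id.
    return {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }


def tenant_is_allowed(claims: dict, allowed_tenants=ALLOWED_TENANTS,
                      expected_aud=None) -> bool:
    """True only if the token was issued by one of our tenants for this app."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False            # multi-tenant tokens without tid are never trusted
    if tid not in allowed_tenants:
        return False            # some other organization's user: reject
    if iss not in _expected_issuers(tid):
        return False            # tid and iss must name the same tenant
    if expected_aud is not None and claims.get("aud") != expected_aud:
        return False            # token minted for a different app
    return True


def make_sample_token(claims: dict) -> str:
    """Constructed sample only: encodes claims with a placeholder signature.

    Real tokens are signed by Azure AD; this exists so the parser above has
    something to parse offline. Never accept tokens built this way.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


if __name__ == "__main__":
    tid = "11111111-1111-1111-1111-111111111111"
    ok = make_sample_token({"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0"})
    foreign = make_sample_token({"tid": "2222", "iss": "https://login.microsoftonline.com/2222/v2.0"})
    print(tenant_is_allowed(claims_from_token(ok)))       # True
    print(tenant_is_allowed(claims_from_token(foreign)))  # False
```

In a multi-tenant registration this check is the application's responsibility; Azure AD will happily mint a valid token for any tenant's user, which is exactly the gap BingBang exploited.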


🐞 High Profile Vulnerabilities

Critical RCE vulnerability in Fortinet's FortiOS and FortiProxy

On March 7, Fortinet published an advisory for CVE-2023-25610, a critical buffer underwrite vulnerability in FortiOS. This vulnerability is a bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Based on Wiz data, 7% of cloud enterprise environments are still susceptible to this vulnerability, as of March 29th. 
Read our blog post on the subject to find out more about CVE-2023-25610.

Path traversal in FortiOS exploited in the wild 

Another vulnerability published by Fortinet on March 7th, 2023, was CVE-2022-41328, which has been reportedly exploited in the wild and used to install malware in attacks targeting government organizations. Security teams are advised to patch and stay vigilant for indicators of compromise. Wiz data shows that 8% of cloud environments are still susceptible to this vulnerability, as of March 29th. 
Refer to Fortinet's advisory and blog post for additional details about CVE-2022-41328 and the indicators of compromise associated with this threat activity.

CorePlague: vulnerabilities in Jenkins leading to RCE

On March 8, researchers from Aqua Security published information about two Jenkins vulnerabilities (nicknamed "CorePlague") with a combined impact that can lead to remote code execution (RCE) on Jenkins servers. These two vulnerabilities, CVE-2023-27905 and CVE-2023-27898, can be exploited by an unauthenticated attacker to enable a cross-site scripting attack (XSS) through a vulnerable Jenkins Update Center. This vulnerability chain can be exploited together even if the target Jenkins server itself is not publicly exposed or directly accessible by the attacker, as long as the server is configured to obtain available plugin lists from a vulnerable Jenkins Update Center. Wiz data shows that 1.3% of cloud environments have publicly exposed resources vulnerable to CorePlague. 
Refer to Jenkins' advisory to find out more about CorePlague.

Critical EoP vulnerability in Microsoft Outlook exploited in the wild 

Microsoft patched a critical elevation-of-privilege vulnerability in Outlook which was exploited by a threat actor attributed to Russian intelligence. Attackers could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client, so exploitation can occur before the email is even viewed in the Preview Pane. CVE-2023-23397 impacts only Outlook for Windows, and does not affect Outlook for other operating systems, Outlook on the web or Microsoft 365 services themselves. This means that direct exploitation of cloud workloads is unlikely; the risk is to Windows endpoints and the credentials they hold. Alongside patching, Microsoft's guidance recommends blocking outbound SMB (TCP 445) from the network and adding high-value accounts to the Protected Users security group.
Refer to Microsoft's guide for additional details.


🔓 Security incidents

Redirection Roulette: Thousands of hijacked websites in East Asia redirecting visitors to other sites

Wiz Research uncovered a website hijacking campaign that has been active since early September 2022. An unknown threat actor has compromised tens of thousands of websites aimed mainly at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content. In each case, the threat actor injected malicious code into customer-facing web pages that collects information about visitors' environments and occasionally redirects them to these other sites, depending on both random chance and the country in which the user is located. Curiously, the threat actor has been gaining access to these websites using stolen FTP/S credentials, but it is still unclear where they are getting them from.
Take a look at our report for more information.

Malicious Google Ads target AWS logins

SentinelOne and Permiso both observed recent malicious Google Ads collecting login credentials for the AWS console through fraudulent phishing websites. Performing a typical Google search for "AWS" returned the malicious ad, often displayed at the top of the results, before any links to the real AWS console. A subsequent redirect then sends the victim to the legitimate AWS login page. The redirect represents an effort to evade detection by cautious users, but more importantly to evade automated detection by phishing-site scanners and malicious-ad monitors.
Refer to the report to learn more.

GoBruteforcer: Golang-based botnet harvesting web servers 

A new Golang-based malware family called GoBruteforcer was discovered by researchers from Palo Alto Networks' Unit 42. Its primary targets are web servers, specifically those running services such as phpMyAdmin, MySQL, FTP, and PostgreSQL, which it attacks by brute-forcing weak credentials. GoBruteforcer was predominantly found on Unix-like platforms, with builds for x86, x64, and ARM architectures. It is thought to be under active development, so the initial infection vectors and payloads are expected to change over time.
Refer to the report to learn more.

Dero cryptojacking campaign targeting Kubernetes

CrowdStrike has uncovered a cryptojacking operation targeting Kubernetes clusters to illicitly mine Dero (a cryptocurrency). The attackers exploit permissive authentication configurations in publicly exposed Kubernetes API servers, allowing them to gain unauthorized access and deploy mining workloads into the cluster. To stay protected, make sure your clusters follow security best practices, in particular preventing unauthenticated access to the API server: run kube-apiserver with `--anonymous-auth=false` (the flag defaults to true when omitted), and make sure no RoleBinding or ClusterRoleBinding grants privileges to the `system:anonymous` user or the `system:unauthenticated` group beyond the built-in `system:public-info-viewer` binding.
Refer to the report to learn more.
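A small audit for the two settings above, as an added example (illustrative code written for this newsletter, not CrowdStrike's tooling). `SAMPLE_BINDINGS` is a constructed, trimmed-down stand-in for the JSON that `kubectl get clusterrolebindings -o json` returns, and `SAMPLE_APISERVER_ARGS` is a constructed kube-apiserver command line; the check flags any binding that hands privileges to unauthenticated subjects and reports whether anonymous authentication is effectively on, treating a missing flag as enabled because that is the kube-apiserver default:

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# trimmed to the fields the check needs. The first item is the kind of
# misconfiguration a cryptojacker looks for.
SAMPLE_BINDINGS = json.loads("""
{
  "items": [
    {"metadata": {"name": "anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}
  ]
}
""")

# Constructed sample command line for a kube-apiserver container.
SAMPLE_APISERVER_ARGS = ["kube-apiserver", "--authorization-mode=Node,RBAC",
                         "--anonymous-auth=false", "--secure-port=6443"]

# Subjects that map to an unauthenticated caller when anonymous auth is on.
UNAUTHENTICATED_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}
# Kubernetes ships this binding itself; it only exposes /version, /healthz etc.
EXPECTED_DEFAULT_BINDINGS = {"system:public-info-viewer"}


def bindings_granting_unauthenticated(doc, ignore=EXPECTED_DEFAULT_BINDINGS):
    """Return [(binding, role, [offending subjects])] for every binding that
    grants a role to anonymous/unauthenticated callers, except known defaults."""
    findings = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        if name in ignore:
            continue
        hits = [s["name"] for s in item.get("subjects") or []
                if (s.get("kind"), s.get("name")) in UNAUTHENTICATED_SUBJECTS]
        if hits:
            findings.append((name, item["roleRef"]["name"], hits))
    return findings


def anonymous_auth_enabled(args):
    """Parse kube-apiserver args for --anonymous-auth. Accepts both
    `--anonymous-auth=false` and `--anonymous-auth false`; absent means true."""
    for i, arg in enumerate(args):
        if arg.startswith("--anonymous-auth="):
            value = arg.split("=", 1)[1]
        elif arg == "--anonymous-auth" and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        return value.strip().lower() != "false"
    return True  # kube-apiserver default


def audit(doc, args):
    """Combine both checks into one summary dict."""
    return {
        "anonymous_auth": anonymous_auth_enabled(args),
        "risky_bindings": bindings_granting_unauthenticated(doc),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BINDINGS, SAMPLE_APISERVER_ARGS), indent=2))
```

Both findings matter together: with anonymous auth off, a stray `system:anonymous` binding is dormant; with it on, the binding is the whole attack surface, so fix whichever you find first and then the other.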