Crying Out Cloud - May 2024 Newsletter

Welcome back! In this edition, we explore the latest in cloud security—key incidents, exclusive data, and crucial vulnerabilities. Let's dive in!

Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.

Here are our top picks of cloud security highlights!

🔎 Highlights

Architecture Risks that May Compromise AI-as-a-Service Providers


Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.


Learn more in our blog.  


🐞 High Profile Vulnerabilities

DoS Vulnerability in HTTP/2 CONTINUATION Frames


HTTP allows for header and trailer fields in messages, which are serialized into blocks in HTTP/2 for fragment transmission. On April 3, 2024, several vulnerabilities were disclosed in software with HTTP/2 implementations that fail to adequately control or check the number of CONTINUATION frames within a stream. Attackers can exploit this by sending numerous CONTINUATION frames to a server, leading to memory issues or out-of-memory (OOM) crashes due to improper processing or excessive accumulation in the header list, potentially enabling denial-of-service (DoS) attacks.

Learn more here.


Critical Vulnerability in PAN-OS Exploited in-the-Wild


CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of PAN-OS. The vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Exploitation attempts have been observed in the wild, it is recommended to patch urgently.

According to Wiz data, 6% of cloud environments have resources vulnerable to the vulnerabilities mentioned above and exposed to the internet.

Learn more here.



AWS Amplify Role Takeover Vulnerability


Researchers identified flaws in AWS Amplify that allowed public assumption of IAM roles associated with Amplify projects. This could occur if the authentication component was removed using the Amplify CLI or Studio between August 2019 and January 2024, or for projects created with the CLI from July 2018 to August 2019. The vulnerability, tracked as CVE-2024-28056, led AWS to promptly issue a hotfix for the CLI, enhancing IAM security and modifying its Security Token Service to prevent further exploitation by blocking cross-account role assumptions. No customer action is required.

Learn more here.


Kubernetes Clusters Targeted in OpenMetadata Exploits

Researchers observed attackers exploiting critical vulnerabilities in the OpenMetadata platform to infiltrate Kubernetes environments for cryptomining. OpenMetadata, an open-source platform for managing data source metadata, was found to have several vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) in versions prior to 1.3.1 that allow attackers to bypass authentication and execute code remotely. It is recommended to upgrade OpenMetadata to the patched versions.

According to Wiz data, 5% of cloud environments have publicly exposed resources vulnerable to the vulnerabilities mentioned above.

Learn more here.


Critical 0day Vulnerability in CrushFTP Exploited in-the-Wild


CrushFTP recently released version 11.1.0 and highlighted that earlier versions below 11.1.0 and 10.7.1 contain a vulnerability permitting users to escape their VFS and download system files. This security flaw was assigned CVE-2024-4040 on April 22, 2024. Researchers have observed active exploitation attempts of this flaw in the wild. Users are advised to upgrade to the latest version of CrushFTP.


According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2024-4040.
Learn more in our blog.
  


🔓 Security Incidents & Campaigns

Compromise of Sisense Customer Data


Sisense have notified their customers of a breach in which customer data and credentials were compromised. Both Sisense and CISA have advised the company's customers to rotate their credentials. Check for any evidence of usage of Sisense products or services in your environment.
Learn more here.

APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment


Microsoft Threat Intelligence has disclosed activities by the Russian-based threat actor Forest Blizzard, also known as APT28 or Fancy Bear, linked to GRU’s Unit 26165. Forest Blizzard has been exploiting CVE-2022-38028, a vulnerability in the Windows Print Spooler service, since at least June 2020 to deploy a custom malware known as GooseEgg. These attacks have been targeting sectors such as government, non-governmental organizations, education, and transportation across Ukraine, Western Europe, and North America. In addition to CVE-2022-38028, the group has exploited other critical vulnerabilities, including CVE-2023-23397 in Microsoft Outlook and CVE-2023-38831 in WinRAR. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files immediately and redeploy workloads from a known clean state.
Learn more here.


ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day


Cisco has issued a warning regarding two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls that have been exploited by a state-backed hacking group known as UAT4356 or STORM-1849. These vulnerabilities have been under attack since November 2023 as part of a cyber-espionage campaign called ArcaneDoor. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files immediately and redeploy workloads from a known clean state.


Learn more here.


Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 


Listen on Spotify and Apple Podcasts.