Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Codefinger Ransomware Campaign Targeting S3 Buckets
Codefinger is a ransomware campaign that exploits AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. While this campaign has sparked widespread concern, we argue that the panic is unwarranted. Many have focused on detecting unwanted SSE-C encryption as a mitigation strategy, but encryption is merely a tactic chosen by the attacker after gaining access—it is not the core issue. The real concern, which is neither new nor unique, is the use of compromised credentials. This is where prevention should be prioritized.
The best way to mitigate this threat is by preventing unauthorized access in the first place. Organizations should ensure credentials are secure, enforce least privilege, and eliminate publicly exposed S3 buckets with full read/write permissions. In addition, data protection measures, such as S3 Object Lock, versioning, and comprehensive backup strategies, are essential to limiting the impact of ransomware.
In summary, Codefinger does not introduce a novel attack technique, and these security best practices remain relevant for defending against similar threats.
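The prevention advice above (least privilege, no publicly writable buckets) is easier to act on with a concrete check. The script below is an added example, not part of the newsletter or any Wiz tooling: it parses S3 bucket policy documents and flags statements that grant anonymous read, write, delete or policy-change access. Both policy documents are constructed samples, and the heuristic (Allow + wildcard Principal + no Condition block) is an assumption about what "fully public" means; real policies with conditions still deserve review.

```python
"""Flag S3 bucket-policy statements that grant anonymous read/write access.

Added example (not from the newsletter). The policy documents below are
constructed, not real customer data. Heuristic: a statement with
Effect=Allow, Principal "*" (or {"AWS": "*"}) and no Condition block is
treated as a public grant; the sensitive S3 actions it exposes are reported.
"""
import fnmatch
import json

# Actions that let an anonymous caller read, overwrite, delete or re-policy a bucket.
SENSITIVE_ACTIONS = {
    "s3:GetObject": "public read",
    "s3:PutObject": "public write",
    "s3:DeleteObject": "public delete",
    "s3:PutBucketPolicy": "public policy change",
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (both mean 'anyone')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _matches(action, pattern):
    """IAM action names are case-insensitive and accept '*' wildcards (s3:Put*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_grants(policy_json):
    """Return [(Sid, action, description)] for each anonymous sensitive grant."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) narrows the grant;
            # this heuristic only reports unconditional anonymous access.
            continue
        sid = stmt.get("Sid", "<no Sid>")
        patterns = _as_list(stmt.get("Action", []))
        for action, desc in SENSITIVE_ACTIONS.items():
            if any(_matches(action, p) for p in patterns):
                findings.append((sid, action, desc))
    return findings


# Constructed sample: the kind of world-readable, world-writable bucket the newsletter warns about.
PUBLIC_READ_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToTheWorld",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:Put*"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: same bucket, scoped to one role and a VPC endpoint (least privilege).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_WRITE_POLICY), ("scoped", SCOPED_POLICY)):
        findings = public_grants(doc)
        if not findings:
            print(f"{name}: no unconditional anonymous grants")
        for sid, action, desc in findings:
            print(f"{name}: statement {sid} grants {action} -> {desc}")
```

Run it as-is to see the public policy flagged for read, write and policy change (the `s3:Put*` wildcard covers `s3:PutBucketPolicy`, which is why wildcard expansion rather than string equality is used), while the scoped policy produces no findings. Feed it real policy documents from `get-bucket-policy` output to triage buckets for the public read/write exposure described above.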
🔍 Highlights
Exposed DeepSeek Database Leaking Sensitive Information
DeepSeek, a Chinese AI startup, has recently attracted significant media attention for its advanced AI models, particularly the DeepSeek-R1 reasoning model. This model competes with leading AI systems like OpenAI’s o1 in performance while offering notable cost-effectiveness and efficiency. As DeepSeek gained recognition in the AI space, the Wiz Research team conducted an assessment of its external security posture to identify potential vulnerabilities. Within minutes, the team discovered a publicly accessible ClickHouse database linked to DeepSeek, which was entirely open and unauthenticated, exposing sensitive data. The database, hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000, contained a substantial volume of chat history, backend data, and confidential information, including log streams, API secrets, and operational details. More critically, the exposure provided full database control and the potential for privilege escalation within the DeepSeek environment, with no authentication or defense mechanisms in place to protect against external access.
Learn more in our blog.
Critical RCE Vulnerability in Aviatrix Controller
CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions 7.1.4191 and 7.2.4996. An exploit has been published, increasing the likelihood of exploitation in the wild. It is recommended to upgrade Aviatrix Controller to the patched versions.
Learn more in our blog.
🐞 High Profile Vulnerabilities
0day RCE Vulnerability in Ivanti Products Exploited in-the-Wild
Ivanti stated they are investigating active exploitation of two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, in Ivanti Connect Secure (ICS) VPN appliances. CVE-2025-0282, a zero-day vulnerability, has been exploited since December 2024 for unauthenticated remote code execution. The campaign involves multiple malware families and possibly several threat actors, including the China-nexus actor UNC5337. It is recommended to upgrade Ivanti Connect Secure products to the newest versions. Please note that, because the Connect Secure appliances' disks are encrypted, Wiz is unable to perform malware scanning on them. Ivanti has released patches and advises customers to follow its Security Advisory.
According to Wiz data, less than 1% of cloud environments have resources affected by these vulnerabilities.
Learn more here.
Critical Vulnerability in FortiOS Exploited in-the-Wild
A critical vulnerability, CVE-2024-55591, affecting FortiOS and FortiProxy, allows remote attackers to bypass authentication and gain super-admin privileges by sending crafted requests to the Node.js WebSocket module. This issue is actively being exploited in the wild, and it is recommended to patch vulnerable instances as soon as possible.
According to Wiz data, 3% of cloud environments have resources vulnerable to CVE-2024-55591.
Learn more here.
Critical Vulnerability in Rsync File-Synchronizing Tool
Several vulnerabilities have been identified in the Rsync file-synchronization tool, with one (CVE-2024-12084) being critical, allowing remote code execution on vulnerable servers. These vulnerabilities include heap buffer overflows, information leaks, path traversal issues, and a race condition in symbolic link handling. Exploitation can lead to sensitive data leaks, arbitrary file writes, and code execution. It is recommended to upgrade Rsync to a patched version.
Learn more here.
🔒 Security Incidents & Campaigns
Supply Chain Attack on Kong Ingress Controller
On December 23, 2024, an unauthorized image of Kong Ingress Controller v3.4.0 was uploaded to DockerHub. This image contained malicious code that facilitated cryptojacking by making calls to a cryptocurrency mining site. Users are advised to remove that image from any internal registries & clusters and ensure that the remediated image is pulled. This attack follows several previous supply chain attacks for cryptojacking in the past few months, such as the Ultralytics attack.
Learn more here.
Codefinger Ransomware Campaign Targeting S3 Buckets
Researchers discovered a ransomware campaign leveraging AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attack, orchestrated by the threat actor "Codefinger," uses compromised AWS credentials to encrypt files with keys that only the attacker holds. Victims are forced to pay ransoms to obtain the AES-256 keys needed for decryption. This method does not exploit AWS vulnerabilities but abuses legitimate features.
Learn more here.
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts.