Crying Out Cloud - November 2024 Newsletter

Stay informed with the latest cloud security vulnerabilities, including a critical supply chain attack on lottie-player, RCE exploits in FortiManager, and advanced threats like Storm-0501 targeting hybrid environments.

Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.

Here are our top picks!


🔍 Highlights

Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player: malicious code was injected that pops up a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still loading a compromised version of the library remain affected.
Learn more in our blog


🐞 High Profile Vulnerabilities

Critical Vulnerabilities in Palo Alto Expedition


Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly.

According to Wiz data, less than 1% of cloud environments have resources vulnerable to these issues.


Learn more here.



Ivanti CSA Vulnerabilities Exploited in-the-Wild


Researchers released a report detailing an advanced attack on Ivanti Cloud Services Appliance (CSA), where adversaries exploited three vulnerabilities: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. The attackers chained these flaws to gain unauthorized access to the target network, then escalated their actions to extract credentials and maintain persistence.

According to Wiz data, less than 0.5% of cloud environments have resources vulnerable to these issues.


Learn more here.



Critical Vulnerability in Kubernetes Image Builder


A critical vulnerability (CVE-2024-9486) in the Kubernetes Image Builder allows attackers to gain root access by exploiting default credentials in virtual machine (VM) images built using the Proxmox provider. The flaw has been addressed in version 0.1.38 of the Kubernetes Image Builder. Other providers like Nutanix, OVA, QEMU, and raw are also affected by a lower-severity issue (CVE-2024-9594), which involves similar default credential risks during the image build process. Users are advised to update to the patched version to protect their systems.


Learn more here.


Critical RCE Vulnerability in FortiManager Exploited in-the-Wild


Researchers identified a zero-day vulnerability, CVE-2024-47575, impacting FortiManager, exploited by the UNC5820 group. This flaw allows unauthorized access, enabling threat actors to exfiltrate critical configuration data. The vulnerability has been actively exploited, with compromised devices traced to connections from specific IP addresses. Fortinet has released mitigations and version updates to address this issue.

According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2024-47575.


Learn more here.


🔒 Security Incidents & Campaigns

perfctl Malware Targeting Linux


Researchers investigated "perfctl," a Linux malware strain that targets misconfigurations and vulnerabilities on Linux servers. Perfctl employs rootkits, privilege escalation exploits, and cryptomining. It also uses tactics such as process masquerading and deleting its binaries after execution, making detection and removal challenging.


Learn more here.
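The two evasion tactics named above, unlinking the binary after launch and masquerading as a legitimate process, both leave traces in /proc that a defender can hunt for. The script below is an added example written for this newsletter, not code from the researchers' report or from Wiz: it reads /proc on a Linux host and flags processes whose executable has been deleted, that run from a world-writable scratch directory, or whose argv[0] disagrees with the binary actually mapped. The sample records at the bottom are constructed, not captured from a real infection.

```python
"""Hunt for perfctl-style hiding: binaries deleted after launch, execution
from scratch directories, and process names that do not match the binary
actually running. Added example; reads /proc on Linux, or takes constructed
records for offline testing."""
import os
from dataclasses import dataclass

# Directories a legitimate long-running daemon rarely executes from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcRecord:
    pid: int
    comm: str      # /proc/<pid>/comm (kernel truncates to 15 chars)
    exe: str       # readlink(/proc/<pid>/exe); kernel appends " (deleted)" if unlinked
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def findings(p: ProcRecord) -> list[str]:
    """Return triage leads for one process (empty list means nothing odd)."""
    out = []
    exe_path = p.exe.removesuffix(" (deleted)")
    exe_base = os.path.basename(exe_path)

    if p.exe.endswith(" (deleted)"):
        out.append("binary unlinked from disk while the process still runs")
    if exe_path.startswith(SUSPECT_DIRS):
        out.append(f"executing from {os.path.dirname(exe_path)}/")

    # argv[0] is attacker-controlled and is what ps/top display, so a mismatch
    # with the mapped binary is the classic masquerade. Symlinked interpreters
    # (python3 -> python3.12) and sh -> dash also trip this: a lead, not a verdict.
    argv0 = p.cmdline.split(" ", 1)[0].lstrip("-") if p.cmdline else ""
    if argv0.startswith("/"):
        if argv0 != exe_path:
            out.append(f"argv[0] claims {argv0} but the binary is {exe_path}")
    elif argv0:
        # kernel-thread-style names keep their brackets; others reduce to a basename
        name = argv0 if argv0.startswith("[") else os.path.basename(argv0)
        if name != exe_base and not exe_base.startswith(name):
            out.append(f"shows as {name!r} but runs {exe_base!r}")
    return out


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk a live /proc and collect findings per PID; needs root to read
    /proc/<pid>/exe of other users' processes."""
    results = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue   # kernel threads, processes that exited mid-scan, or no privilege
        hits = findings(ProcRecord(int(name), comm, exe, cmdline))
        if hits:
            results[int(name)] = hits
    return results


# Constructed sample records (not captured from a real infection).
SAMPLE = [
    ProcRecord(1234, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    ProcRecord(4321, "kworker/u8:2", "/dev/shm/.cache/kworker (deleted)", "[kworker/u8:2]"),
    ProcRecord(5555, "python3", "/usr/bin/python3.12", "python3 app.py"),
    ProcRecord(6666, "httpd", "/tmp/.xdiag/httpd", "/usr/sbin/httpd -k start"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        for reason in findings(p):
            print(f"pid {p.pid} ({p.comm}): {reason}")
```

Run it as root on a suspect host to use `scan_proc()` against live processes; the sample records only exercise the rules. Every hit is a lead for manual triage (a deleted binary can also be an unreplaced package upgrade), and since perfctl also ships a rootkit, pair this userland check with an off-host or boot-from-clean-media review before trusting a negative result.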



Storm-0501 Targeting Hybrid Environments with Ransomware


Storm-0501 has been observed conducting multi-staged attacks targeting hybrid cloud environments across various U.S. sectors, including government and manufacturing. These attacks involve lateral movement from on-premises environments to the cloud, leading to data exfiltration, credential theft, and ransomware deployment. Storm-0501, a financially motivated cybercriminal group, exploits weak credentials, leverages commodity tools like Cobalt Strike, and uses ransomware, including the Embargo strain, to achieve its objectives.


Learn more here.


APT29 Targeting Zimbra and TeamCity Servers


The U.S. and U.K. cyber agencies have issued a joint advisory warning about Russian Foreign Intelligence Service (SVR)-linked attackers, tracked as APT29 (a.k.a. Cozy Bear or Midnight Blizzard). These actors are exploiting vulnerabilities in Zimbra and JetBrains TeamCity servers to gain unauthorized access, steal credentials, and enable ransomware and supply chain attacks.


Learn more here.

TeamTNT Targeting Exposed Docker Daemons


Researchers observed TeamTNT, a threat group known to target cloud environments, in a campaign against cloud-native environments that compromises exposed Docker daemons. Using Docker Hub to distribute malware, the group deploys cryptominers and the Sliver implant, enhancing its command and control capabilities. It is recommended to search for indicators of compromise in your environment; if any findings are identified, remove the files immediately and re-deploy workloads from a known clean state.


Learn more here.
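The entry point in this campaign is a Docker daemon whose API is reachable over the network. The audit below is an added example for this newsletter, not code from the researchers or from Docker: it reads a daemon.json and reports whether any `hosts` entry listens on TCP without client-certificate verification (`tlsverify`), which is the exposure that hands a remote caller root-equivalent control of the host. The three sample configurations are constructed; the only real keys used are Docker's `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`.

```python
"""Audit Docker daemon.json listener settings for network-exposed API sockets.
Added example; sample configs are constructed, not taken from any incident."""
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return severity-tagged findings for the daemon's listeners. Only socket
    exposure is checked; other hardening (userns-remap, authz plugins) is out of scope."""
    out = []
    tls_verify = bool(cfg.get("tlsverify"))
    tls_on = bool(cfg.get("tls")) or tls_verify
    # Docker's default when "hosts" is absent is the local unix socket only.
    for host in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        u = urlsplit(host)
        if u.scheme != "tcp":
            continue   # unix:// and fd:// are not reachable from the network
        bind = u.hostname or "0.0.0.0"   # assumption: a bare tcp:// is treated as wildcard
        port = u.port or (2376 if tls_on else 2375)   # Docker's conventional ports
        if bind not in LOOPBACK and not tls_verify:
            if tls_on:
                out.append(f"CRITICAL: {host} encrypts but does not verify clients on port {port}; "
                           "anyone who can reach it controls the host")
            else:
                out.append(f"CRITICAL: {host} exposes the API in plaintext on port {port}; "
                           "anyone who can reach it controls the host")
        elif bind not in LOOPBACK:
            out.append(f"INFO: {host} enforces TLS client auth; confirm tlscacert/tlscert/tlskey "
                       "are present and the CA is dedicated to Docker")
        elif not tls_on:
            out.append(f"LOW: {host} is loopback-only plaintext; unreachable off-host, "
                       "but every local user who can connect is root-equivalent")
    return out


def audit_daemon_json(text: str) -> list[str]:
    """Convenience wrapper for the raw file contents of /etc/docker/daemon.json."""
    return audit_daemon_config(json.loads(text))


# Constructed examples: the weak setting beside the corrected one.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
            '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
LOCAL_ONLY = '{"hosts": ["tcp://127.0.0.1:2375"]}'

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED), ("local", LOCAL_ONLY)):
        print(label, audit_daemon_json(text) or ["OK: no network listener"])
```

Note that `hosts` can also be set with `-H` on the `dockerd` command line in the systemd unit, so a clean daemon.json is not proof on its own; confirm with `ss -ltnp` that nothing is bound on 2375/2376 that you did not intend. Even with `tlsverify` the right answer for most fleets is no TCP listener at all.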


Hybrid Cloud Attacks, Linux Malware, and LLMJacking Exposed

Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts