Crying Out Cloud - October 2024 Newsletter

Welcome back to the latest edition of *Crying Out Cloud*! In this issue, we highlight critical vulnerabilities like CVE-2024-0132 in the NVIDIA Container Toolkit, CVE-2024-7591 in Progress LoadMaster, and much more. Stay informed with the latest cloud security news, insights, and updates.

Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.

Here are our top picks!


🔍 Highlights

Critical Vulnerability in NVIDIA Container Toolkit


Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version, 1.16.2, prioritizing container hosts that might run untrusted container images.


According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.


Learn more in our blog.


🐞 High Profile Vulnerabilities

Critical Vulnerability in Progress LoadMaster
CVE-2024-7591 is a critical security vulnerability (10/10 severity) affecting all versions of LoadMaster, including the Multi-Tenant (MT) Hypervisor. The flaw allows remote, unauthenticated attackers to execute arbitrary system commands through a specially crafted HTTP request targeting the management interface. It is recommended to install the patch and follow recommended security hardening practices.

According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2024-7591.


Learn more here.

Vulnerabilities in WhatsUp Gold Exploited in-the-Wild
Threat actors are exploiting two critical SQL injection vulnerabilities, CVE-2024-6670 and CVE-2024-6671, in the WhatsUp Gold network monitoring solution from Progress Software. Despite patches being released on August 16, many organizations have not yet updated, leading to active exploitation since August 30, shortly after the proof-of-concept (PoC) was published. Attackers use the software's legitimate functions to execute malicious PowerShell scripts and install various remote access tools (RATs), potentially for ransomware attacks.

According to Wiz data, less than 0.5% of cloud environments are vulnerable to CVE-2024-6670 and CVE-2024-6671.


Learn more here.



CloudImposer: Code execution vulnerability in Google Cloud Composer
Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to inject malicious code when the package was compiled from source. This could have led to remote code execution on machines running Cloud Composer, which include various other GCP services as well as internal servers at Google. The dependency confusion stemmed from Google's risky recommendation in its documentation to use the --extra-index-url argument when installing private Python packages. Following disclosure, Google fixed the dependency confusion vulnerability and also updated its documentation.
Learn more here.
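To illustrate the risky installation pattern described above, here is an added audit script (my own example, not Tenable's research code or anything from Google's documentation) that flags `--extra-index-url` and unpinned or unhashed requirements in a constructed requirements file, and rewrites the index option to a single `--index-url` so resolution never falls back to the public index. The private index hostname is a placeholder.

```python
import re

# Constructed sample requirements file showing the risky pattern:
# a private extra index merged with PyPI, plus loosely pinned packages.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
apache-airflow==2.9.3
internal-helper
requests>=2.31
"""

# Matches "name" followed by an optional exact "==version" pin.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*[^\s;]+)?")


def audit_requirements(content: str) -> list[tuple[int, str]]:
    """Return (line_no, reason) for each line that weakens resolution safety."""
    findings = []
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append((no, "extra index: pip merges it with PyPI and takes the "
                                 "highest version, so a same-named public package can win"))
            continue
        if line.startswith("-"):  # other pip options are not requirement lines
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, pin = m.group(1), m.group(2)
        if pin is None:
            findings.append((no, f"{name}: no exact pin, any newer public release satisfies it"))
        elif "--hash=" not in line:
            findings.append((no, f"{name}: pinned but not hash-verified"))
    return findings


def harden(content: str) -> str:
    """Replace the extra index with a single private index that proxies PyPI."""
    out = []
    for line in content.splitlines():
        if line.lstrip().startswith("--extra-index-url"):
            line = line.replace("--extra-index-url", "--index-url", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {reason}")
    print(harden(SAMPLE_REQUIREMENTS))
```

The remaining findings after hardening (pins without `--hash=`) are closed by generating a hash-pinned lockfile and installing with `--require-hashes`.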

Critical Vulnerability in Ivanti CSA Exploited in-the-Wild
Ivanti has disclosed a critical vulnerability (CVE-2024-8963) in its Cloud Service Appliance (CSA), which is being actively exploited. With a CVSS score of 9.4, the flaw allows unauthenticated attackers to exploit path traversal and access restricted functions. It can be chained with CVE-2024-8190 for further damage, such as bypassing admin authentication. CISA has included it in its KEV catalog, urging organizations to apply the fix by October 10, 2024.
Learn more here.

Critical Vulnerability in CUPS and IPP Packages
A security researcher disclosed details of a series of vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. The vulnerabilities are unlikely to be exploitable in many cloud environments, since the currently disclosed exploitation mechanism requires UDP port 631 to be exposed and the victim to attempt a print request. The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches once they are made available.

According to Wiz data, 83% of cloud environments have at least one instance of the affected packages in the vulnerable version ranges. However, considering the current known exploitation method, we estimate that cloud environments are highly unlikely to be exploited remotely, since printing devices are rarely used in the cloud, and UDP port 631 is rarely open.


Learn more in our blog.


🔒 Security Incidents & Campaigns

Godzilla Backdoor Exploiting Confluence Vulnerability
Researchers discovered a new attack exploiting CVE-2023-22527. The attack uses an in-memory fileless backdoor, known as the Godzilla webshell. The Godzilla backdoor uses AES encryption for communication and remains in memory, making it difficult to identify. It is recommended to look for indicators of compromise in your environment and, if any are identified, remove the files immediately and redeploy workloads from a known clean state.


Learn more here.

Hadooken Malware Targeting Weblogic Servers
Researchers discovered a new Linux malware named "Hadooken" that specifically targets Oracle WebLogic servers. The malware exploits weak passwords to gain access and then deploys both Tsunami malware and a cryptominer. The attack flow involves using a combination of shell and Python scripts to download and execute the Hadooken malware, iterating over SSH data to move laterally within the network, and employing cron jobs for persistence. Additionally, Hadooken clears logs to avoid detection and potentially sets the stage for future ransomware deployment.


Learn more here.


Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN
SonicWall has issued a critical security warning for its firewall devices regarding CVE-2024-40766, an access control vulnerability that is now being exploited in the wild. This flaw impacts multiple versions of SonicWall Gen 5, 6, and 7 devices, allowing unauthorized access and the possibility of crashing the firewall, effectively bypassing network protections. SonicWall recommends immediate patching, enabling multi-factor authentication (MFA), and restricting firewall management and SSLVPN access to trusted sources to mitigate the risk of exploitation.


Learn more here.

DragonRank Targeting IIS Web Servers
Researchers identified a "DragonRank" campaign targeting countries in Asia and Europe. This group exploits web application services to deploy web shells and malware like PlugX and BadIIS, primarily for manipulating search engine rankings. The campaign has affected more than 35 IIS servers across various industries. DragonRank's commercial activities suggest it is operated by a Simplified Chinese-speaking actor, engaging in both SEO manipulation and black hat SEO practices.


Learn more here.


AI Toolkit Risks, CUPS Vulnerabilities, and Google's Infostealer Defenses

Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏


Listen on Spotify and Apple Podcasts.