July 26, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have identified a privilege escalation vulnerability named ConfusedFunction impacting Google Cloud Platform's (GCP) Cloud Functions service.
The vulnerability lets an attacker who already has a foothold in a project escalate to the default Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com), and through it reach other services and sensitive data. That account is granted access to several GCP services, including Cloud Build, Cloud Storage, Artifact Registry, and Container Registry, so compromising it enables lateral movement and further privilege escalation inside the victim's project, potentially leading to unauthorized reading, modification, or deletion of data.
Cloud Functions is a serverless execution environment in which developers write single-purpose functions that run in response to cloud events, with no servers to manage. Researchers found that creating or updating a Cloud Function triggers a Cloud Build job that packages the function into a container, and that this job runs as the project's default Cloud Build service account, whose permissions go well beyond what building one function requires. An attacker with permission to create or update a Cloud Function can therefore cause a build to run under that account and use its privileges against the other GCP services it can reach, turning a deploy permission into much broader project access.
In response, Google changed Cloud Build's default behavior so that builds triggered by new deployments run as the Compute Engine default service account instead of the Cloud Build service account. The change is not applied retroactively: existing functions keep the old behavior and remain exposed. Even for new deployments, a function deployment still creates and touches several GCP services (Cloud Build, Cloud Storage, Artifact Registry), so the account the build runs as still needs a minimum set of permissions that is itself fairly broad. The change lowers the risk; it does not eliminate it.
The incident illustrates how inter-service dependencies inside a cloud provider's own offerings can introduce vulnerabilities that no single customer misconfiguration explains. The severity of ConfusedFunction is reduced for future deployments, but the residual risk in existing functions means users must still audit and harden their projects rather than rely on the provider-side change. It is also a reminder of the value of responsible disclosure and prompt patching.
In related developments, researchers disclosed a medium-severity cross-site scripting (XSS) flaw in the Oracle Integration Cloud platform, which Oracle resolved in its latest Critical Patch Update. Separately, researchers discovered three vulnerabilities in the ServiceNow platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that can be chained to gain full database access and execute arbitrary code. Together these findings underline the need for robust security practices and continuous monitoring to protect cloud infrastructure from emerging threats.
Impact
- Information Disclosure
- Sensitive Data Theft
- Privilege Escalation
- Unauthorized Access
Affected Vendors
- Google
Remediation
- Do not rely on either default account for function builds. Google's change makes new deployments build as the Compute Engine default service account, but that account is itself frequently over-privileged (it is granted the Editor role by default unless an organization policy prevents it); use a dedicated, least-privilege service account for builds instead.
- Regularly audit and minimize the permissions of the service account that Cloud Build runs as, granting only what a build needs (typically log writing, writing to the target Artifact Registry repository, and reading the source bucket).
- Review existing Cloud Functions, since the fix does not apply retroactively: redeploy them with a least-privilege build service account and check Cloud Build and Cloud Audit Logs for builds that ran under the default Cloud Build service account.
- Use IAM to tightly control who holds roles that can create or update Cloud Functions (cloudfunctions.developer, cloudfunctions.admin, and the basic Editor and Owner roles), and who can act as, create, or modify service accounts.
- Use automated tools to continuously monitor and audit cloud environments for excessive permissions and misconfigurations, including broad roles bound to build and default service accounts.
- Implement continuous monitoring solutions to detect and respond to suspicious activities and anomalies in real time.
- Keep cloud services and applications up-to-date with the latest security patches and updates.
- Provide ongoing training for developers and administrators on secure coding practices and cloud security principles.
- Regularly audit cloud environments and configurations to identify and remediate security vulnerabilities.
- Ensure the latest Critical Patch Update (CPU) from Oracle is applied to mitigate the XSS vulnerability.
- Implement robust input validation and sanitization to prevent XSS and similar injection attacks.
- Continuously monitor applications for signs of XSS exploitation and other security issues.
- Restrict access to sensitive features and data to authorized users only.
- Conduct regular security reviews and penetration testing to identify and address potential vulnerabilities.
- Use WAFs to protect against common web application attacks, including those targeting identified vulnerabilities.