
Threat actors exploit Aviatrix Controller flaw to deploy backdoors and cryptocurrency miners


A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners in the wild.

Security researcher Jakub Korepta discovered a critical vulnerability, tracked as CVE-2024-50603 (CVSS score: 10.0), in the Aviatrix Controller.

The flaw impacts Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions prior to 7.2.4996. It allows unauthenticated attackers to execute arbitrary code via improper command neutralization in the API.

The vulnerability is caused by the improper neutralization of user-supplied input and has been addressed in patched versions 7.1.4191 and 7.2.4996.
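A fleet triage check against the affected ranges stated above, as an added example that is not Aviatrix's or Wiz's code; it assumes the "major.minor.build" version format used in the advisory and treats anything newer than the 7.2 line as unaffected (the advisory lists no other branches).

```python
"""Flag Aviatrix Controller builds that fall inside the CVE-2024-50603 affected ranges.

Affected per the advisory: everything before 7.1.4191, and 7.2.x before 7.2.4996.
Added example; assumes "major.minor.build" version strings (e.g. "7.1.4191").
"""
import re
from typing import Dict, List, Tuple

FIXED_7_1 = (7, 1, 4191)  # first fixed build on the 7.1 line (and below)
FIXED_7_2 = (7, 2, 4996)  # first fixed build on the 7.2 line

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Aviatrix Controller version: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_vulnerable(text: str) -> bool:
    """True if the build is in an affected range and needs the patch."""
    v = parse_version(text)
    if v[:2] == (7, 2):
        # 7.2 line: fixed from 7.2.4996 onward
        return v < FIXED_7_2
    # Every other build: "pre-7.1.4191" means all of 7.0.x and 7.1.x below the fix.
    # Assumption: lines newer than 7.2 are not affected, since the advisory names none.
    return v < FIXED_7_1


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose controller build still needs patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "ctrl-prod-1": "7.1.4190",   # one build short of the 7.1 fix
    "ctrl-prod-2": "7.2.4996",   # patched 7.2
    "ctrl-dev-1": "7.2.4801",    # unpatched 7.2.x
    "ctrl-lab-1": "7.0.2310",    # old 7.0 line, still pre-7.1.4191
}

if __name__ == "__main__":
    print("Needs patching:", triage(SAMPLE_INVENTORY))
```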

The Wiz Incident Response team reported that threat actors are exploiting the flaw in attacks in the wild to deploy backdoors and cryptocurrency miners.

“The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privilege escalation in the AWS control plane.” reads the advisory published by Wiz. “Organizations should patch urgently.”

A proof-of-concept (PoC) exploit is publicly available.

Aviatrix’s PSIRT confirmed the active exploitation of the flaw.

“A vulnerability could allow an unauthenticated user to execute arbitrary commands against Aviatrix Controllers.” reads the PSIRT’s advisory. “Aviatrix has seen indications that bad actors are attempting to exploit this vulnerability, and strongly recommends that you take action to protect your controllers.”

In AWS, Aviatrix Controller’s default privilege escalation amplifies the risk of exploitation, enabling cryptojacking and backdoor attacks, per Wiz Research.

According to data gathered by Wiz, around 3% of cloud enterprise environments have Aviatrix Controller deployed. The experts warn that in 65% of those environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.

Threat actors exploit the vulnerability to mine cryptocurrency with XMRig, deploy Sliver backdoors, and likely enumerate cloud permissions for potential data exfiltration.

“Our investigation of these instances has shown that the threat actors exploiting this vulnerability are abusing their access to mine cryptocurrency using XMRig and deploy Sliver backdoors, presumably for persistence purposes (to avoid losing access if the infected machine is patched).” Wiz concludes.

“While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments.”


Pierluigi Paganini

(SecurityAffairs – hacking, Aviatrix Controller)