はてなブックマーク

38TB of data accidentally exposed by Microsoft AI researchers Wiz Research found a data exposure incident on Microsoft’s AI GitHub repository, including over 30,000 internal Microsoft Teams messages – all caused by one misconfigured SAS token Executive summary Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additi

GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux affect 40% of Ubuntu cloud workloadsWiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads. CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which

Compromised Microsoft Key: More Impactful Than We ThoughtOur investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact. Microsoft and CISA recently disclosed a se

Are you up for a challenge?Today, we are launching "The Big IAM Challenge" — a cloud security Capture The Flag (CTF) event. The mission? Identify and exploit AWS IAM misconfigurations, and learn from real-world scenarios. Start Challenge Open to all skill levelsThis challenge is open to everyone - from beginners seeking to learn more about IAM security configurations to experienced professionals w

#BrokenSesame: Accidental ‘write’ permissions to private registry allowed potential RCE to Alibaba Cloud Database ServicesA container escape vulnerability, combined with accidental 'write' permissions to a private registry, opened a backdoor for Wiz Research to access Alibaba Cloud databases and potentially compromise its services through a supply-chain attack TL;DR Wiz Research has discovered a c

BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeoverHow Wiz Research found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal Executive summaryWiz Research discovered a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access. T

OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure CustomersWiz Research recently found 4 critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure. The Wiz Research Team recently found four critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known s

“Secret” Agent Exposes Azure Customers To Unauthorized Code ExecutionWiz Research recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services. Update September 18, 08:00AM EST - Microsoft updated its advisory and declared an auto-update for their PaaS service offerings that use vulnerable

ChaosDB: How we hacked thousands of Azure customers’ databasesAs part of building a market-leading CNAPP, Wiz Research is constantly looking for new attack surfaces in the cloud. Two weeks ago we discovered an unprecedented breach that affects Azure’s flagship database service, Cosmos DB. ** Update ** Learn how to protect your environment in our latest postNearly everything we do online these days

Black Hat 2021: DNS loophole makes nation-state level spying as easy as registering a domainWiz CTO Ami Luttwak discusses a new class of vulnerabilities discovered by Wiz Research, which exposed valuable dynamic DNS data from millions of endpoints worldwide. ** Update: we published a service that allows you to check whether your organization is vulnerable hereToday at Black Hat, Wiz CTO Ami Luttwa