Cryptojacking, backdoors abound as fiends abuse Aviatrix Controller bug

This is what happens when you publish PoCs immediately, hm?

"Several cloud deployments" are already compromised following the disclosure of the maximum-severity vulnerability in Aviatrix Controller, researchers say.

CVE-2024-50603 leads to remote code execution (RCE) and default deployments of Aviatrix Controller in AWS allow for privilege escalation, making it especially dangerous.

That threat is compounded by the fact that the vulnerability, which was disclosed on January 7, now has a proof-of-concept (PoC) exploit publicly available. A separate researcher published it online within a day of the initial disclosure, a generally frowned-upon practice as it fails to offer defenders adequate time to apply any patches.

For example, even though the latest Ivanti vulnerability was already exploited as a zero-day by the time it was disclosed on January 8, some researchers are holding off until later this week to publish their PoCs to prevent the masses from getting their hands on an attack blueprint.

Aviatrix Controller is used to help manage and automate AWS deployments and is run by approximately 3 percent of all AWS customers, the researchers at Wiz said - a relatively small proportion of all customers.

However, the security vendor said that in 65 percent of these cloud environments, where Aviatrix Controller is deployed on a virtual machine, there is a lateral movement path that allows attackers to gain admin permissions.

"We estimate that the reason for this is that, by default, Aviatrix Controller is granted high IAM privileges in AWS cloud environments through the roles it can assume, which must be allowed to perform IAM actions in order to function properly (according to the vendor's documentation)," the researchers wrote.

"This lateral movement potential makes Aviatrix Controller a prime target for threat actors aiming to move laterally and escalate their privileges in the cloud environment once gaining initial access to the controller via exploitation of this RCE."

The successful exploits already observed by researchers led to malware deployment, mainly involving Sliver backdoors for persistent access, while others focused on cryptojacking using XMRig – a common move for cloud compromises that can result in hefty compute bills for the customer.

Wiz said it hasn't seen any lateral movement from attackers so far, but it believes they're gathering up cloud permissions to use for data exfiltration at a later date. So extortion could become a factor if left unaddressed.

In all cases seen so far, compromised environments were exposed to the internet and had the patches for the last known Aviatrix Controller RCE (CVE-2021-40870) applied, suggesting that it was indeed the latest bug that was exploited.

Wiz said the successful attacks were carried out between January 7 and 10. It published the findings the following day, and it's unclear whether any more have happened since. Aviatrix said in its advisory on January 7 that it wasn't aware of any exploit activity at the time.

At the time of the vulnerability's disclosure, Jakub Korepta, head of infrastructure security at Polish vendor SecuRing and the individual who found the bug, noted that a Shodan scan revealed 681 publicly exposed Aviatrix Controllers.

Defenders can upgrade to version 7.2.4996, which is not vulnerable to CVE-2024-50603. The bug affects versions before 7.1.4191 and those between 7.2.x and 7.2.4. It's a good idea to prevent public access to the controller via port 443 too, if possible.

Additionally, Aviatrix has a patch available for vulnerable controllers, although it said it may need to be reapplied in certain circumstances. It found the fix wasn't "fully persistent across controller upgrades" in all cases, even though the controller's status may read 'patched.' 

The vendor said that if a vulnerable version was patched but later updated to a version prior to 7.1.4191 or 7.2.4996, it would need repatching.

Also, if that controller doesn't have an associated CoPilot running version 4.16.1 or later, then it's time to patch again. ®
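The upgrade and repatch conditions above reduce to a small fleet-triage check. The following is an added example, not code from the article, Wiz, or Aviatrix; it assumes plain dotted build numbers and that the hotfix is tracked per controller build, with the affected ranges taken from the advisory figures quoted above (fixed in 7.1.4191 and 7.2.4996, CoPilot 4.16.1 required).

```python
# Added example (not from the article or Aviatrix): map the CVE-2024-50603
# version ranges and repatch rules onto a constructed controller inventory.
from __future__ import annotations

FIXED_7_1 = (7, 1, 4191)    # first fixed build in the 7.1 line (advisory)
FIXED_7_2 = (7, 2, 4996)    # first fixed build in the 7.2 line (advisory)
COPILOT_MIN = (4, 16, 1)    # CoPilot version needed for the hotfix to persist


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.2.4996' into (7, 2, 4996); assumes purely numeric components."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the build is before 7.1.4191, or a 7.2.x build before 7.2.4996."""
    v = parse_version(version)
    if v[:2] == (7, 2):
        return v < FIXED_7_2
    return v < FIXED_7_1


def needs_action(version: str, hotfix_build: str | None, copilot: str | None) -> bool:
    """Hotfix must be (re)applied when the controller runs a vulnerable build and
    either no hotfix was applied to *this* build (e.g. it was moved to another
    pre-fix build after patching) or no CoPilot >= 4.16.1 is attached."""
    if not is_vulnerable(version):
        return False                     # fixed build: nothing to do
    if hotfix_build is None or parse_version(hotfix_build) != parse_version(version):
        return True                      # never patched, or patched on a different build
    return copilot is None or parse_version(copilot) < COPILOT_MIN


def triage(inventory: list[dict]) -> list[str]:
    """Return hostnames of controllers that still need the upgrade or hotfix."""
    return [c["host"] for c in inventory
            if needs_action(c["version"], c.get("hotfix_build"), c.get("copilot"))]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ctrl-a", "version": "7.2.4996"},                                   # fixed
    {"host": "ctrl-b", "version": "7.2.4", "hotfix_build": "7.2.4", "copilot": "4.16.1"},
    {"host": "ctrl-c", "version": "7.2.4", "hotfix_build": "7.2.4", "copilot": "4.15.0"},
    {"host": "ctrl-d", "version": "7.1.4100", "hotfix_build": "7.0.2000"},        # moved
    {"host": "ctrl-e", "version": "6.9.100"},                                    # unpatched
]
```

Running `triage(SAMPLE_INVENTORY)` flags ctrl-c, ctrl-d and ctrl-e; ctrl-a is on a fixed build and ctrl-b is hotfixed with an adequate CoPilot.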
