According to reports, IBM recently fixed a security vulnerability, named "Hell's Keychain", in IBM Cloud Databases for PostgreSQL that could have exposed customers to supply chain attacks. A researcher from cloud security firm Wiz, which first identified the issue, described it as a first-of-its-kind supply-chain attack vector affecting a cloud provider's infrastructure.

According to Wiz researchers, Hell's Keychain consists of a chain of three exposed secrets (a Kubernetes service account token, the password to a private container registry, and credentials to the CI/CD server) that could be combined with overly permissive network access to the internal build servers. Together, these could have allowed threat actors to remotely execute code in customers' environments and to read and modify data stored in PostgreSQL databases. Using the exposed secrets, an attacker could have reached the IBM Cloud repositories that store software dependencies for the PostgreSQL container images, altered those trusted repositories, and thereby forced PostgreSQL instances to run malicious code.

IBM's advisory states that the vulnerability has been patched and that no customer action is required, because the fixes are applied automatically; IBM also said it found no evidence of malicious exploitation. Hell's Keychain has not been assigned a CVE identifier; Wiz, however, tracks it in the database of vulnerabilities and other security issues that the company maintains.

The Hell's Keychain vulnerability highlights the importance of proper secrets management, network controls, and tenant isolation, especially in large and complex cloud environments.
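The chain above starts with secrets left inside build artifacts: a Kubernetes service account token, a container registry password, and CI/CD credentials. A defender's first check is to scan the filesystem of an image or build host for exactly these kinds of material before it ships. The following is an added example, not IBM's or Wiz's code and not tied to any real image; it scans a constructed, in-memory map of file paths to contents (all sample values, including the JWT and the registry password, are made up here) and reports each finding by kind and location without echoing the secret value.

```python
import base64
import json
import re

# Secret-name patterns for environment-style files (KEY=value). Assumed list, extend as needed.
ENV_SECRET_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:TOKEN|PASSWORD|PASSWD|SECRET|API_KEY)[A-Z0-9_]*)=(\S+)",
    re.MULTILINE,
)
# Three base64url segments starting with 'eyJ' ("{" + '"' encoded): a JWT-shaped string.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str):
    """Return the claims dict of a JWT-shaped string, or None if it is not one.
    The signature is deliberately NOT verified: we only want to classify the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def is_k8s_service_account_token(claims: dict) -> bool:
    # Kubernetes SA tokens carry a kubernetes issuer or kubernetes.io/serviceaccount/* claims.
    if str(claims.get("iss", "")).startswith("kubernetes"):
        return True
    return any(str(k).startswith("kubernetes.io/serviceaccount") for k in claims)


def find_exposed_secrets(files: dict) -> list:
    """Scan {path: content} for the three secret kinds named in the Hell's Keychain chain."""
    findings = []
    for path, content in files.items():
        # 1. Kubernetes service account tokens, wherever they were baked into the layer.
        for match in JWT_RE.finditer(content):
            claims = decode_jwt_claims(match.group(0))
            if claims and is_k8s_service_account_token(claims):
                findings.append({"path": path, "kind": "k8s_service_account_token",
                                 "detail": f"sub={claims.get('sub', '?')}"})
        # 2. Registry credentials stored by `docker login` (auths.<registry>.auth = b64(user:pass)).
        if path.endswith("/.docker/config.json"):
            try:
                cfg = json.loads(content)
            except ValueError:
                cfg = {}
            for registry, entry in cfg.get("auths", {}).items():
                auth = entry.get("auth") if isinstance(entry, dict) else None
                if not auth:
                    continue
                try:
                    user = base64.b64decode(auth).decode().split(":", 1)[0]
                except (ValueError, UnicodeDecodeError):
                    user = "?"
                findings.append({"path": path, "kind": "registry_credential",
                                 "detail": f"registry={registry} user={user}"})
        # 3. CI/CD style credentials in env files; report the variable name only.
        for match in ENV_SECRET_RE.finditer(content):
            findings.append({"path": path, "kind": "ci_credential",
                             "detail": f"variable={match.group(1)}"})
    return findings


# Constructed sample image filesystem (not real data; the JWT is unsigned and the password is fake).
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
    _b64url(json.dumps({"iss": "kubernetes/serviceaccount",
                        "kubernetes.io/serviceaccount/namespace": "build",
                        "sub": "system:serviceaccount:build:builder"}).encode()),
    "c2lnbmF0dXJl",  # placeholder signature bytes
])
SAMPLE_FILES = {
    "/var/run/secrets/kubernetes.io/serviceaccount/token": SAMPLE_TOKEN,
    "/root/.docker/config.json": json.dumps({"auths": {"registry.example.internal": {
        "auth": base64.b64encode(b"builder:s3cret-example").decode()}}}),
    "/app/.env": "CI_SERVER_TOKEN=example-only-token\nLOG_LEVEL=info\n",
    "/etc/os-release": "NAME=Alpine\n",
}

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_FILES):
        print(f"{finding['kind']:28} {finding['path']}  ({finding['detail']})")
```

Run it against a real image by exporting the image's filesystem (for example with `docker save` and untarring the layers) and loading each file into the dictionary. The scanner treats any Kubernetes-issued JWT found outside the projected service-account volume as a leak, and the `sub` claim tells you which service account's token escaped and therefore what to rotate first.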