According to reports, IBM recently fixed a security vulnerability named 'Hell's Keychain' in IBM Cloud Databases for PostgreSQL, which could have exposed users to supply chain attacks. A researcher from the cloud security firm Wiz, who first identified the vulnerability, described it as a first-of-its-kind supply chain attack vector affecting a cloud provider's infrastructure.

According to Wiz researchers, Hell's Keychain consists of a chain of three exposed secrets (a Kubernetes service account token, the password to a private container registry, and credentials to the CI/CD server), coupled with overly permissive network access to the internal build servers. Together, these could have allowed threat actors to execute code remotely in customers' environments and read or modify data stored in PostgreSQL databases. Using the exposed secrets, an attacker could have reached the IBM Cloud repositories that store software dependencies for the PostgreSQL container images, altered those trusted repositories, and forced PostgreSQL instances to run malicious code.

As per IBM's advisory, the vulnerability has been patched and no action is required from customers, as the fixes are applied automatically; IBM also said there is no evidence of malicious exploitation. At present, Hell's Keychain has not been assigned a CVE identifier; Wiz, however, maintains a database of vulnerabilities and other security issues.

Hell's Keychain also highlights the importance of proper secrets management, network controls, and tenant isolation, especially in large and complex cloud environments.
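The three secret classes named above (a Kubernetes service account token, container registry credentials, and CI/CD credentials) are exactly the kind of material a defender wants to catch before a container image or build workspace ships. The following is an added example, not code from the article, IBM or Wiz: a small scanner that walks an extracted image filesystem and flags files matching those three classes. The file layout, the environment-variable names treated as CI credentials, and every sample value are constructed assumptions chosen for illustration.

```python
"""Added example: scan an extracted container image or build workspace for the
three secret classes in the Hell's Keychain chain. Patterns, paths and sample
values below are assumptions for illustration, not IBM Cloud specifics."""
import json
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Kubernetes service account tokens are JWTs: three base64url segments.
JWT_RE = re.compile(
    r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"
)
# Environment-style CI/CD credential names (assumed names, not a real product's).
CI_ENV_RE = re.compile(
    r"^(?:CI_TOKEN|CI_PASSWORD|BUILD_API_KEY|GITLAB_TOKEN|JENKINS_TOKEN)\s*=\s*\S+",
    re.MULTILINE,
)


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def scan_file(path: str) -> List[Finding]:
    """Check one file for the three secret classes; unreadable files are skipped."""
    findings: List[Finding] = []
    norm = path.replace(os.sep, "/")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read(1_000_000)  # cap the read so huge layers do not stall
    except OSError:
        return findings
    # 1. Registry credentials: a Docker config.json with populated "auths".
    if norm.endswith("/.docker/config.json"):
        try:
            cfg = json.loads(data)
        except json.JSONDecodeError:
            cfg = {}
        for registry, entry in cfg.get("auths", {}).items():
            if isinstance(entry, dict) and (entry.get("auth") or entry.get("password")):
                findings.append(Finding(path, "registry-credential", registry))
    # 2. Service account token: the well-known mount path or JWT-shaped content.
    if "/serviceaccount/token" in norm or JWT_RE.search(data):
        findings.append(Finding(path, "k8s-service-account-token", "JWT-shaped token"))
    # 3. CI/CD credentials left behind in env files.
    for m in CI_ENV_RE.finditer(data):
        findings.append(Finding(path, "ci-credential", m.group(0).split("=", 1)[0].strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree (e.g. an unpacked image) and collect all findings."""
    out: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def build_sample_tree(root: str) -> None:
    """Constructed sample layout with deliberately fake values (assumption)."""
    files = {
        "var/run/secrets/kubernetes.io/serviceaccount/token":
            "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.FAKEsignatureFAKEsignature",
        "root/.docker/config.json":
            json.dumps({"auths": {"registry.example.internal": {"auth": "dXNlcjpwYXNz"}}}),
        "build/.env": "CI_TOKEN=placeholder-ci-token\nLOG_LEVEL=debug\n",
        "app/README.md": "Build notes. No secrets here.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed tree, scan it, and return sorted (kind, relative path)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (f.kind, os.path.relpath(f.path, root).replace(os.sep, "/"))
            for f in scan_tree(root)
        )


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:28s} {rel}")
```

In practice a check like this belongs in the image build pipeline, running against the unpacked layers before push; a hit on any of the three classes is a reason to fail the build, since each one is a link in exactly the kind of chain described above. The regexes are deliberately narrow so the tool stays readable; a production scanner would add entropy checks and many more credential formats.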