CISCO’s Secure FMC Being Exploited in 0-Day Attack, Targeting Firewalls
Zeroday attack attributed to Interlock ransomware group by CISCO
Summary: Amazon patched a vulnerability in the Linux version of its WorkSpaces client that improperly handles authentication tokens in versions 2023.0 through 2024.8.
| Field | Value |
|---|---|
| OEM | Amazon |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12779 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This flaw allows local users on the same machine, such as in shared, multi-user environments, to extract valid authentication tokens.
Those tokens can then be used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.
The issue does not allow remote exploitation, but it poses a significant risk in workplaces that use shared Linux systems for WorkSpaces access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Improper Authentication Token Handling in Amazon WorkSpaces Client | CVE-2025-12779 | Amazon WorkSpaces client for Linux | High | 2025.0 |
Technical Summary
The root cause is insecure management of authentication tokens, which lets unintended local users extract them. The vulnerability was rated high severity, prompting Amazon to issue a fix in version 2025.0 of the client.
The update improves session isolation and secures token handling, protecting against lateral token theft.
Users and administrators are strongly advised to upgrade promptly to avoid the unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments.
| CVE ID | Component Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-12779 | Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) | Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ WorkSpaces. | Unauthorized access to another user’s workspace |
Recommendations
Conclusion:
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.
Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions.
References:
Threat actors have been encrypting Amazon S3 buckets using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C), having somehow obtained the victims’ keys, and then demanding a ransom in exchange for the decryption key.
The campaign was discovered by Halcyon, which reports that after exploiting the compromised keys the threat actors call the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate themselves to lock up the victims’ files. There is a strong chance that more cybercriminal groups will adopt this tactic.
The threat actor looks for keys with permissions to read and write S3 objects (s3:GetObject and s3:PutObject requests), then launches the encryption process by calling the SSE-C algorithm with a locally generated and stored AES-256 encryption key.
“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.
According to Halcyon, because the attack relies on AWS’s own infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider said it does its best to promptly notify customers whose keys have been exposed so they can take immediate action.
In recent months hackers and cybercriminals have gained traction, targeting such product gateways and finding ways to extort the customers who use them.
Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys, says the Halcyon team.
This gives ransomware operators a new tactic: once the threat actor has obtained an AWS customer’s account credentials, there is no known method of recovering the data without paying the ransom.
AWS encourages customers to use its security tools, such as IAM roles, IAM Identity Center and Secrets Manager, to minimize credential exposure and improve their defensive posture.
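As an added defender-side example (not code from Halcyon, AWS or either source), the Python below flags access keys that issue a burst of SSE-C PutObject calls in constructed CloudTrail-style records, and builds a bucket policy that denies SSE-C writes through the S3 condition key s3:x-amz-server-side-encryption-customer-algorithm. The sample records, access-key IDs and the CloudTrail field name SSEApplied are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style S3 data events (not real logs). The layout follows
# CloudTrail's S3 object-level records; the "SSEApplied" field name is assumed here
# as the marker of which server-side encryption mode was applied.
def _ev(name, akid, key, sse):
    return {"eventName": name, "userIdentity": {"accessKeyId": akid},
            "requestParameters": {"bucketName": "corp-data", "key": key},
            "additionalEventData": {"SSEApplied": sse}}

SAMPLE_EVENTS = [
    _ev("PutObject", "AKIAEXAMPLEADMIN01", "reports/q1.xlsx", "SSE_KMS"),  # normal write
    _ev("GetObject", "AKIAEXAMPLESTOLEN1", "reports/q1.xlsx", "SSE_KMS"),  # read-back
    _ev("PutObject", "AKIAEXAMPLESTOLEN1", "reports/q1.xlsx", "SSE_C"),    # rewrite, attacker key
    _ev("PutObject", "AKIAEXAMPLESTOLEN1", "reports/q2.xlsx", "SSE_C"),
    _ev("PutObject", "AKIAEXAMPLESTOLEN1", "hr/payroll.csv", "SSE_C"),
]

def find_ssec_rewrites(events, threshold=3):
    """Group SSE-C PutObject calls by access key; return keys at or above threshold.

    A bucket that normally relies on SSE-KMS rarely sees SSE-C writes, so a burst
    of them from one key matches the pattern Halcyon describes: objects read back
    and rewritten under an AES-256 key only the attacker holds.
    """
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "PutObject":
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        akid = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        p = ev.get("requestParameters", {})
        per_key[akid].append(f"{p.get('bucketName')}/{p.get('key')}")
    return {k: v for k, v in per_key.items() if len(v) >= threshold}

def deny_ssec_bucket_policy(bucket):
    """Bucket policy denying any PutObject that carries a customer-provided key.

    Uses the S3 condition key s3:x-amz-server-side-encryption-customer-algorithm;
    Null = "false" means the header is present. Apply only where SSE-C is unused.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}

if __name__ == "__main__":
    print(json.dumps(find_ssec_rewrites(SAMPLE_EVENTS), indent=1))
```

The detector only needs S3 data events to be enabled in CloudTrail for the bucket; the policy is a preventive control and will also block any legitimate SSE-C workload, so check usage before deploying it.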
Sources:
https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
www.bleepingcomputer.com