
Pace of exploit raises concerns
Exploitation activity was observed less than a day after the vulnerability became public, which, Sysdig noted, shows threat actors quickly operationalizing new vulnerabilities, probably through automation.
Attackers could build a working exploit from the advisory description alone and quickly start scanning for vulnerable instances. “Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise,” Sysdig researchers said.
With patch windows collapsing so sharply, runtime detection remains a primary, and often the only, option, Sysdig noted. “Every attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python’s os.popen(), then exfiltrate the output over HTTP,” it said, adding that runtime rules can detect these attempts.
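To make the runtime-detection point concrete, here is an added illustration (not Sysdig's code or rules) that correlates process-spawn and network-connect events to flag the two-step pattern the researchers describe: a Python process spawning a shell (which is what os.popen() does under the hood), followed shortly by an outbound HTTP connection from that process or its shell child. The event schema, the HTTP port list and the sample events are constructed assumptions for the example.

```python
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}
HTTP_PORTS = {80, 443, 8080}            # assumed ports for "exfiltrate over HTTP"

@dataclass
class Event:
    ts: float          # seconds since boot (constructed)
    kind: str          # "spawn" or "connect"
    pid: int           # process emitting the event
    ppid: int          # its parent pid
    comm: str          # process name
    parent_comm: str   # parent process name
    dport: int = 0     # destination port, connect events only

def detect_popen_exfil(events, window=60.0):
    """Return (python_pid, reason) findings for the two-step playbook.
    os.popen(cmd) runs `sh -c cmd`, so step 1 is a shell whose parent is a
    python interpreter; step 2 is an outbound HTTP connection from that
    interpreter or its shell child within `window` seconds of step 1."""
    suspects = {}   # pid -> (python_pid, shell_spawn_ts)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "spawn" and ev.comm in SHELLS and ev.parent_comm.startswith("python"):
            suspects[ev.ppid] = (ev.ppid, ev.ts)     # the python interpreter
            suspects[ev.pid] = (ev.ppid, ev.ts)      # the shell it spawned
            findings.append((ev.ppid, f"python pid {ev.ppid} spawned {ev.comm}"))
        elif ev.kind == "connect" and ev.dport in HTTP_PORTS:
            hit = suspects.get(ev.pid) or suspects.get(ev.ppid)
            if hit and 0 <= ev.ts - hit[1] <= window:
                findings.append((hit[0], f"pid {ev.pid} opened HTTP :{ev.dport} "
                                         f"{ev.ts - hit[1]:.1f}s after shell spawn"))
    return findings

# Constructed sample events: one malicious sequence plus two benign decoys.
SAMPLE_EVENTS = [
    Event(100.0, "spawn", 2001, 1500, "sh", "python3"),                 # step 1
    Event(101.5, "connect", 1500, 1, "python3", "systemd", dport=80),   # step 2
    Event(200.0, "spawn", 3001, 2500, "bash", "sshd"),                  # admin login, not python
    Event(300.0, "connect", 4000, 1, "python3", "systemd", dport=443),  # python HTTP with no shell
]

if __name__ == "__main__":
    for pid, reason in detect_popen_exfil(SAMPLE_EVENTS):
        print(f"[ALERT] {reason}")
```

A real deployment would take these events from a kernel-level sensor rather than a list, and the spawn rule alone already catches the os.popen() step before any data leaves the host.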
