Researchers at Sysdig found the vulnerability. It is an unauthenticated remote code execution flaw affecting Marimo versions before 0.20.4. Version 0.23.0 fixes the problem.
The quick weaponization of newly disclosed flaws shows that threat actors watch vulnerability disclosures closely and exploit them as soon as possible, in the window between disclosure and patching. It is a mistake to assume that attackers only target well-known platforms: any web-based application that receives a security advisory is exposed, no matter how widely it is used. The first attempt to exploit this vulnerability came just 9 hours and 41 minutes after it was made public.
A credential theft operation took place within minutes, even though no proof-of-concept code was available at the time.
This behavior is consistent with human operators working through targets systematically and confirming their findings after each session. There were four connections over 90 minutes, with pauses between them. No malicious payloads, such as cryptocurrency miners or hidden backdoors, were deployed during this time.
The attacker built a working exploit from the advisory description, connected to the unauthenticated terminal endpoint, and began exploring the compromised environment by hand. One hour after the first intrusion attempt, the threat actor returned to the honeypot to inspect the contents of the "env" file and confirm that no other threats were present within the observed time frame.
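The access pattern described above (repeated connections to the terminal endpoint separated by pauses, followed by a read of an env file) can be surfaced from ordinary access logs. The following detection script is an added example, not code from Sysdig or from the Marimo project; the terminal endpoint path, the log line format and the sample log lines are all constructed assumptions and must be adjusted to the real deployment.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Assumption: the unauthenticated terminal endpoint is served at a path
# matching this pattern; change it to the route your deployment exposes.
TERMINAL_PATH = re.compile(r"^/terminal/ws")
ENV_PATH = re.compile(r"\.env\b")
SESSION_GAP = timedelta(minutes=10)  # idle gap that separates two "sessions"

# Assumed log line shape: "<ip> [<iso timestamp>] "<method> <path> <proto>" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one client hits the terminal
# endpoint four times over 90 minutes and reads an env file in between.
SAMPLE_LOG = """\
203.0.113.7 [2025-01-10T10:00:00] "GET /terminal/ws HTTP/1.1" 101
203.0.113.7 [2025-01-10T10:25:00] "GET /terminal/ws HTTP/1.1" 101
203.0.113.7 [2025-01-10T11:05:00] "GET /terminal/ws HTTP/1.1" 101
203.0.113.7 [2025-01-10T11:06:00] "GET /api/files?path=.env HTTP/1.1" 200
203.0.113.7 [2025-01-10T11:30:00] "GET /terminal/ws HTTP/1.1" 101
198.51.100.4 [2025-01-10T10:03:00] "GET /?token=abc HTTP/1.1" 200
"""

def parse(log_text):
    """Yield (ip, timestamp, path, status) for every line that matches LOG_RE."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.fromisoformat(m["ts"]), m["path"], int(m["status"])

def find_suspicious(log_text):
    """Per client that touched the terminal endpoint: count distinct sessions
    (split on SESSION_GAP), whether an env file was requested, and the span."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse(log_text):
        by_ip[ip].append((ts, path, status))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        term_times = [ts for ts, path, _ in events if TERMINAL_PATH.match(path)]
        if not term_times:
            continue  # never touched the terminal endpoint: not reported
        sessions = 1 + sum(1 for a, b in zip(term_times, term_times[1:]) if b - a > SESSION_GAP)
        env_read = any(ENV_PATH.search(path) for _, path, _ in events)
        span = (term_times[-1] - term_times[0]).seconds // 60
        findings[ip] = {"terminal_sessions": sessions, "env_read": env_read, "span_minutes": span}
    return findings

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```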