Key Vulnerabilities in Cloud Services


Summary

Cloud services offer incredible convenience and scalability, but they are not without risks. Key vulnerabilities in cloud services include issues like misconfigurations, identity and access management lapses, and insecure software designs. Addressing these vulnerabilities is essential to safeguard sensitive data from cyber threats.

  • Review privilege levels: Regularly audit and minimize permissions for administrative and service accounts to prevent attackers from exploiting excessive access.
  • Implement monitoring tools: Use real-time threat detection and behavioral analytics to identify and respond to unusual access or activity in your cloud environment.
  • Follow best practices in access management: Enforce multi-factor authentication, strong password policies, and time-limited credentials to reduce risks associated with identity and access vulnerabilities.
Summarized by AI based on LinkedIn member posts
  • Supro Ghose

    CIO | CISO | Cybersecurity & Risk Leader | Federal & Financial Services | Cloud & AI Security | NIST CSF/RMF | Board Reporting | Digital Transformation | GenAI Governance | Banking & Regulatory Ops


    Office of the Comptroller of the Currency (OCC) suffered a recent cloud email breach that highlighted critical vulnerabilities in email security and access management, with broader implications for all federally regulated institutions.

    Summary of the OCC Breach

    An attacker gained unauthorized access to a privileged administrative email account within the Microsoft environment. The breach went undetected for 8 months, during which sensitive government communications were silently exfiltrated. More than 150K email messages were compromised, affecting around 100 officials. The incident exposed critical shortcomings in access control enforcement, monitoring, and response protocols.

    Key Failures Identified

    1. Overprivileged Access – An administrative account with wide mailbox visibility was compromised, facilitating prolonged data exfiltration.
    2. Delayed Detection – Anomalous behavior went unnoticed for months, raising concerns about the efficacy of real-time monitoring and alerting.
    3. Stale and Unlocked Service Accounts – There were no policies in place for password rotation, inactivity lockout, or login attempt lockout for service accounts, making them vulnerable to brute-force or credential stuffing attacks.
    4. Unaddressed Internal Warnings – Known risks flagged in prior audits related to email and access security had not been remediated in time.
    5. Insufficient Conditional Access Policy Enforcement – The compromised account, linked to Azure, bypassed MFA and geo restrictions due to a poorly enforced conditional access framework. VPN usage further masked malicious activity.

    Lessons learned:

    1. Enforce Microsoft Conditional Access Policies – Ensure all accounts, including service accounts, are subject to robust Conditional Access, MFA, and geo-restrictions.
    2. Tighten Access Control – Limit and monitor privileges of administrative and service accounts; apply just-in-time access models.
    3. Audit and Harden Service Accounts – Eliminate hardcoded credentials, enforce regular password rotation, enable account lockouts after failed login attempts, and set inactivity thresholds.
    4. Strengthen Detection – Invest in behavioral analytics, adaptive authentication, and cloud-native threat detection tools.
    5. Review and Limit Privileges – Conduct a review of privileged accounts and implement RBAC and JIT access where possible.
    6. Ensure compliance with secure baseline configurations like those in DHS CISA BOD 25-01 - Secure Cloud Baseline [SCuBA] (stated in OCC response).

    The OCC breach is a cautionary tale—reactive controls alone are insufficient in today’s environment. Proactive hardening of identity, access, and cloud email infrastructure must be a top priority. https://lnkd.in/ef_4DQ3V
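The lessons above (Conditional Access on every account, MFA for privileged identities, lockout after failed logins, credential rotation) can be checked against exported sign-in data before a breach rather than after. The script below is an added example, not from the post or from the OCC response: it runs an offline audit over constructed sign-in records whose field names follow a simplified subset of the Microsoft Graph signIn resource. The account inventory, allowed countries, lockout threshold and rotation window are assumptions.

```python
"""Offline audit of sign-in records for privileged and service accounts.

Added example (not from the original post). Records are constructed; field names
follow a simplified subset of the Microsoft Graph signIn resource. The account
inventory, policy thresholds and allowed countries are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ALLOWED_COUNTRIES = {"US"}                  # assumed geo policy
FAILED_LOGIN_THRESHOLD = 5                  # assumed lockout trigger
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
MAX_PASSWORD_AGE_DAYS = 90                  # assumed rotation policy


def _ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _rec(when, user, ip, country, auth, ca_status, error_code):
    return {"createdDateTime": when, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "authenticationRequirement": auth,
            "conditionalAccessStatus": ca_status,
            "status": {"errorCode": error_code}}


# Constructed inventory: which identities are privileged, and when their credential
# was last rotated.
ACCOUNTS = {
    "svc-mailflow@example.gov": {"privileged": True, "password_changed": "2023-01-10"},
    "admin.jdoe@example.gov": {"privileged": True, "password_changed": "2024-08-01"},
    "analyst@example.gov": {"privileged": False, "password_changed": "2024-08-01"},
}

SF, MFA = "singleFactorAuthentication", "multiFactorAuthentication"
# Constructed sign-ins: a service account logging in single-factor from outside the
# allowed geography with no Conditional Access applied; a burst of bad passwords
# against an admin account (errorCode 50126 = invalid credentials); a normal user.
SIGNINS = [
    _rec("2024-09-01T02:00:00Z", "svc-mailflow@example.gov", "203.0.113.5", "RO", SF, "notApplied", 0),
    _rec("2024-09-01T03:00:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", SF, "success", 50126),
    _rec("2024-09-01T03:01:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", SF, "success", 50126),
    _rec("2024-09-01T03:02:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", SF, "success", 50126),
    _rec("2024-09-01T03:03:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", SF, "success", 50126),
    _rec("2024-09-01T03:04:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", SF, "success", 50126),
    _rec("2024-09-01T03:05:00Z", "admin.jdoe@example.gov", "198.51.100.7", "US", MFA, "success", 0),
    _rec("2024-09-01T09:00:00Z", "analyst@example.gov", "198.51.100.9", "US", MFA, "success", 0),
]
NOW = _ts("2024-09-01T12:00:00Z")


def audit(signins, accounts, now):
    """Return a list of findings ({rule, user, detail}) for the given records."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed sign-ins

    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        info = accounts.get(user, {"privileged": False})
        when = _ts(rec["createdDateTime"])

        if rec["status"]["errorCode"] != 0:
            # Sliding window of failures; alert once when the lockout threshold is hit.
            window = [t for t in recent_failures[user] if when - t <= FAILED_LOGIN_WINDOW]
            window.append(when)
            recent_failures[user] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                findings.append({"rule": "failed-login-burst", "user": user,
                                 "detail": f"{len(window)} failures from {rec['ipAddress']}"})
            continue

        # Successful sign-in: check the controls that should have applied to it.
        if info["privileged"] and rec["authenticationRequirement"] != MFA:
            findings.append({"rule": "privileged-single-factor", "user": user,
                             "detail": rec["ipAddress"]})
        if rec["conditionalAccessStatus"] == "notApplied":
            findings.append({"rule": "conditional-access-not-applied", "user": user,
                             "detail": rec["ipAddress"]})
        country = rec["location"]["countryOrRegion"]
        if country not in ALLOWED_COUNTRIES:
            findings.append({"rule": "geo-outside-policy", "user": user, "detail": country})

    # Credential hygiene from the inventory, independent of sign-in activity.
    for user, info in accounts.items():
        age_days = (now - _ts(info["password_changed"] + "T00:00:00Z")).days
        if info["privileged"] and age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append({"rule": "stale-credential", "user": user,
                             "detail": f"password last changed {age_days} days ago"})
    return findings


if __name__ == "__main__":
    for f in audit(SIGNINS, ACCOUNTS, NOW):
        print(f"{f['rule']:32} {f['user']:28} {f['detail']}")
```

The same rules apply to real exports: pull sign-ins from the Graph API or a SIEM, join them against an inventory of privileged and service accounts, and treat any "privileged-single-factor" or "conditional-access-not-applied" hit on a service account as a policy gap to close, not just an alert to triage.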

  • Keith King

    Former White House Lead Communications Engineer, U.S. Dept of State, and Joint Chiefs of Staff in the Pentagon. Veteran U.S. Navy, Top Secret/SCI Security Clearance. Over 12,000+ direct connections & 33,000+ followers.


    VMware Hyperjacking Vulnerabilities: A Critical Threat to Virtual Environments

    Introduction: A Major Security Risk in Virtualized Systems

    Three newly discovered critical vulnerabilities in VMware’s virtual machine (VM) products have raised serious security concerns. These flaws enable hyperjacking attacks, where a hacker who compromises a single VM can take control of the hypervisor, gaining access to all other VMs on the system. Given VMware’s widespread use in enterprise, government, and cloud environments, the risks posed by these vulnerabilities are severe.

    Key Details: How Hyperjacking Works

    • Exploiting Virtual Machine Escape:
      • Virtual machines (VMs) typically operate in isolated environments to protect customer data and networks.
      • A hypervisor manages these VMs, ensuring they remain separate from one another.
      • The discovered vulnerabilities allow an attacker to break out of an isolated VM and seize control of the hypervisor, giving them full access to all VMs on that host.
    • Why This Attack Is So Dangerous:
      • Once the hypervisor is compromised, the attacker can access or manipulate all customer data stored in connected VMs.
      • Multi-tenant cloud environments (where multiple organizations share infrastructure) are especially vulnerable.
      • The breach eliminates traditional security boundaries, allowing attackers to move laterally across networks.
    • Security Expert Warning:
      • Researcher Kevin Beaumont emphasized that once a hypervisor is compromised, “all bets are off”, meaning traditional security protections become ineffective.
      • A successful attack could provide hackers with full administrative control over an entire virtualized infrastructure.

    Why It Matters: The Broader Implications

    • Enterprise and Cloud Security at Risk: Businesses, government agencies, and cloud service providers relying on VMware-based virtualization could see catastrophic breaches.
    • Potential for Espionage and Ransomware Attacks: Threat actors could steal sensitive data, install persistent backdoors, or deploy ransomware across an organization’s entire virtual infrastructure.
    • Urgent Need for Patching and Mitigation: Organizations using VMware virtual machines should immediately apply patches and review security controls to limit the blast radius of a potential breach.

    With virtualization technology forming the backbone of modern IT infrastructure, these VMware vulnerabilities highlight the growing risks in cloud and enterprise security. As hyperjacking attacks become more sophisticated, robust defenses, rapid patching, and proactive threat detection are essential to mitigating the threat.

  • Zinet Kemal, M.S.c

    Mom of 4 | Senior Cloud Security Engineer | TEDx Speaker | Author of “See Yourself in Cybersecurity” & “Oh, No …Hacked Again!” | AWS Community Builder | CISA, CCSK, AIGP, GCLD, 4x AWS certified


    2024 State of Cloud Security Study Key Insights

    A great morning read from Datadog ‘analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.’

    ↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
    Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.

    ↗️ Public access blocks on cloud storage increasing
    AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
    Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.

    ↗️ IMDSv2 adoption growing
    AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
    Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.

    ↗️ Managed Kubernetes clusters
    Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
    Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.

    ↗️ 3rd-party integrations pose supply chain risk
    10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
    Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.

    ↗️ Most cloud incidents caused by compromised cloud credentials
    Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
    Patterns of attack:
    + Compromised identities
    + Escalation via GetFederationToken
    + Service enumeration
    + Reselling access
    + Persistence techniques
    Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
    Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
    Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.

    ↗️ Many cloud workloads are excessively privileged or run in risky configurations
    Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
    Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.

    The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.

    P.s. use the info to strengthen your org cloud security posture. Full study report in the comment ⬇️ #cloudsecurity #cloudsec #cybersecurity
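Two of the findings above (access keys older than a year, and third-party roles that do not enforce an External ID) can be measured in your own account from data AWS already gives you. The script below is an added example, not from Datadog or the post: it parses a constructed excerpt of the IAM credential report (a subset of the real report's CSV columns, as returned by GetCredentialReport) and a set of constructed role trust policies. Account IDs, user names, role names and the "unused" threshold are assumptions; the 365-day threshold is the study's.

```python
"""Offline checks for long-lived or unused IAM access keys and for third-party
roles whose trust policy lacks an sts:ExternalId condition.

Added example (not from the study or the post). The credential report is a
constructed excerpt using a subset of the real report's column names; the trust
policies, account IDs and thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 365   # the study's "older than one year"
UNUSED_DAYS = 90         # assumed threshold for "unused"

CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2022-05-01T09:00:00+00:00,2024-09-01T08:12:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,true,2023-02-14T12:00:00+00:00,2023-03-01T10:00:00+00:00,false,N/A,N/A
sre-alice,arn:aws:iam::123456789012:user/sre-alice,true,2024-07-20T12:00:00+00:00,2024-09-01T07:00:00+00:00,true,2024-01-05T12:00:00+00:00,N/A
"""
NOW = datetime(2024, 9, 2, tzinfo=timezone.utc)


def _age_days(value, now):
    """Days since an ISO-8601 timestamp; None for the report's N/A / no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(value)).days


def audit_access_keys(report_csv, now):
    """Return (user, key_slot, rule) tuples for active keys that are old or unused."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            age = _age_days(row[f"{slot}_last_rotated"], now)
            idle = _age_days(row[f"{slot}_last_used_date"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((row["user"], slot, "older-than-365d"))
            if idle is None:
                findings.append((row["user"], slot, "never-used"))   # active but never used
            elif idle > UNUSED_DAYS:
                findings.append((row["user"], slot, "unused-90d"))
    return findings


# Constructed trust policies. Only the first carries the sts:ExternalId condition that
# stops a vendor's role from being turned against you in a confused-deputy attack.
TRUST_POLICIES = {
    "VendorMonitoring": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "c0ffee-unique-per-customer"}}}]},
    "VendorBackup": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::888888888888:root"]},
         "Action": ["sts:AssumeRole"]}]},
    "InternalOps": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": "sts:AssumeRole"}]},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def roles_missing_external_id(policies, own_account):
    """Names of roles assumable from another AWS account with no sts:ExternalId condition."""
    flagged = []
    for name, policy in policies.items():
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
                continue
            principal = st.get("Principal", {})
            principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
            foreign = any(p == "*" or p.split(":")[4] != own_account for p in principals)
            conds = st.get("Condition", {})
            has_external_id = any("sts:ExternalId" in v for v in conds.values())
            if foreign and not has_external_id:
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    for finding in audit_access_keys(CREDENTIAL_REPORT, NOW):
        print("key finding:", finding)
    print("roles without ExternalId:", roles_missing_external_id(TRUST_POLICIES, "123456789012"))
```

In practice the CSV comes from `aws iam get-credential-report` and each trust policy from `aws iam get-role`; the logic above does not change. A key that is active but never used is the easiest win: nothing depends on it, so deactivate it first.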

  • Christophe Limpalair

    Cloud Security Training ☁️ Cybr.com


    The CSA recently released a new report that shows top threats to cloud computing in 2024. Thales also released a report that describes top reasons for breaches in the cloud. 🧐 Here’s a summary and what you should know:

    Overall, “The survey […] shows a continuing drop in the ranking of traditional cloud security issues that are the responsibility of cloud service providers [...]” 🙌

    Focusing on the top 4 from CSA, we have:
    📌 Misconfiguration & inadequate change control
    📌 Identity & Access Management (#IAM) ← why do you think I’m constantly talking about this and have entire courses & labs dedicated to this topic? 😉
    📌 Insecure interfaces and #APIs
    📌 Inadequate #cloudsecurity Strategy

    ⛔️ Misconfiguration & Inadequate Change Control ⛔️
    ➡️ What this is: “Inadequate change control [...] can lead to improper configurations that remain undetected” “Misconfigurations are the incorrect or sub-optimal setup of cloud computing assets that can leave them vulnerable to unintended damage or external/internal malicious activity. Lack of cloud system knowledge or understanding of cloud security settings and nefarious intentions can result in misconfigurations” (train your team, folks 😉)
    💡 Examples:
    - Secrets management
    - Disabled monitoring/logging
    - Ports/services left open/running
    - Storage access
    - Subdomain hijacking
    Etc…

    ⛔️ Identity & Access Management (IAM) ⛔️
    I cover this a lot in other posts, workshops, training, etc, so I won’t expand on it here.

    ⛔️ Insecure Interfaces & APIs ⛔️
    ➡️ What this is: “APIs and UIs become vulnerable for various reasons”
    💡 Examples:
    - Inadequate authentication
    - Lack of encryption
    - Insufficient input validation
    - Poor logging and monitoring
    - Outdated or unpatched software
    etc…

    ⛔️ Inadequate Cloud Security Strategy ⛔️
    ➡️ What this is: Strategically thinking about cloud deployments beforehand by “considering external factors, existing implementation, and selection of cloud technologies, priorities, and trends toward creating a high-level plan or approach.”
    💡 Examples: Worries about vendor lock-in, out-of-control costs, picking the right tool/service for requirements today and in the future, etc…

    👉👉 Shifting to the root causes from Thales, there are three I want to highlight because they have a common cause (human error):
    📌 31% due to a misconfiguration or human error
    📌 28% due to exploitation of a known vuln
    📌 17% due to failure to use MFA for privileged user accounts

    🙋♂️ I’d love to hear from you. What do you think about these results? Do they accurately represent your challenges? What do you think leads to the top cloud threats and root causes of cloud data breaches? Let me know in the comments below! Also, be sure to share this with your colleagues. This is important info!
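Two of the misconfiguration examples listed above, "storage access" and "ports/services left open", are mechanical to check once you have the resource configuration in hand. The script below is an added example, not from the CSA report or the post: it evaluates a constructed inventory whose shapes follow the JSON returned by GetBucketPolicy, GetPublicAccessBlock and DescribeSecurityGroups. Bucket names, group IDs and the list of "sensitive" ports are assumptions.

```python
"""Offline checks for world-readable storage and internet-exposed admin ports.

Added example (not from the CSA report or the post). The inventory is constructed;
policy, PublicAccessBlock and security-group shapes follow the AWS API JSON, but
names, IDs and the sensitive-port list are assumptions.
"""

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}   # assumed: admin and database ports
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def bucket_public_statements(policy, public_access_block):
    """Statements that grant access to anonymous principals without any Condition.

    A PublicAccessBlock with RestrictPublicBuckets=True makes AWS ignore such grants
    for anonymous callers, so they are only reported when that guard is off.
    """
    if public_access_block.get("RestrictPublicBuckets", False):
        return []
    return [st for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow"
            and _principal_is_everyone(st.get("Principal"))
            and not st.get("Condition")]


def open_ingress(security_group):
    """(protocol, from_port, to_port, cidrs) for rules reachable from anywhere on a sensitive port."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if c in (ANY_V4, ANY_V6)]
        if not world:
            continue
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        all_ports = proto == "-1" or lo is None      # AWS omits ports for "all traffic"
        if all_ports or any(lo <= p <= hi for p in SENSITIVE_PORTS):
            hits.append((proto, lo, hi, world))
    return hits


# Constructed inventory: a bucket public with the guard off, a bucket whose public
# policy is neutralised by RestrictPublicBuckets, a group open on 22 from any IPv4 and
# on all ports from any IPv6, and a group that only opens 443.
INVENTORY = {
    "buckets": {
        "acme-exports": {
            "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                      "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::acme-exports/*"}]},
            "public_access_block": {"BlockPublicAcls": True, "RestrictPublicBuckets": False}},
        "acme-logs": {
            "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                      "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::acme-logs/*"}]},
            "public_access_block": {"BlockPublicAcls": True, "RestrictPublicBuckets": True}},
    },
    "security_groups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    ],
}


def scan(inventory):
    """Flatten both checks into (resource, finding) pairs."""
    findings = []
    for name, b in inventory["buckets"].items():
        for st in bucket_public_statements(b["policy"], b["public_access_block"]):
            findings.append((name, f"public: {st['Action']} for everyone"))
    for sg in inventory["security_groups"]:
        for proto, lo, hi, cidrs in open_ingress(sg):
            findings.append((sg["GroupId"], f"open to {cidrs}: {proto} {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for resource, finding in scan(INVENTORY):
        print(f"{resource:14} {finding}")
```

Wiring this to real data is a matter of feeding it the output of the three API calls named above; the point of the "change control" half of the CSA item is to run the same check in CI against the Terraform or CloudFormation plan before the change lands, not only against what is already deployed.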

  • Sagar Navroop

    Multi-Cloud Data Architect | AI | SIEM | Observability


    Why do 92% of cloud breaches start at the code layer?

    Among the 4 C’s of Cloud-Native Security — Cloud, Cluster, Container, and Code — the Code layer is the most vulnerable. Bugs and vulnerabilities originate here, even before anything is built.

    Most Common Risks:
    RCE (Remote Code Execution): Lets attackers run code on your server.
    XSS (Cross-Site Scripting): Hijacks user sessions via browser scripts.
    SQL Injection: Pulls unauthorized data from databases.
    SSRF (Server-Side Request Forgery): Forces internal systems to leak data.
    Credential Hardcoding, Dependency Flaws, and Logic Bugs.

    If code is weak, the entire stack crumbles. This is why practices like Linting (code hygiene checks), Dependency Scanning (vulnerable library detection), and DAST (Dynamic Application Security Testing) are critical.

    Among the major vendors out there, here is how Dynatrace and Sumo Logic help:

    Dynatrace’s Offering:
    Application Security Module: AI-driven detection of runtime vulnerabilities across production code and libraries.
    PurePath Tracing: Shows exactly which code and functions are executed — great for root-cause detection.
    Davis AI: Uses causal machine learning to detect anomalies in code behavior before breaches happen.
    Integration with DevSecOps Pipelines: Flags vulnerabilities early by integrating with CI/CD tools for scanning and linting.

    Sumo Logic’s offering:
    Cloud SIEM: Real-time alerts for known and unknown threats.
    Insight Trainer: Continuously learns to reduce false positives in threat detection.
    Copilot (AI Assistant): Helps analyze logs and surface code-layer security gaps.
    DAST and Dependency Scanning Support: Through integrations and log-based pattern detection during runtime.

    The Takeaway: Both platforms help — tackle vulnerabilities early, as code is written or deployed. Dynatrace outperforms in code tracing and runtime protection, while Sumo Logic leads in SIEM and log intelligence. They complement each other and help close security gaps before they become breaches.

    Proactive investment in Observability and SIEM solutions is no longer an option, but a must. It helps detect and mitigate code vulnerabilities early in the development process, drive significant cost savings and reduce the reliance on extensive Data Loss Prevention (DLP) solutions. According to research by HackerOne, organizations could save up to 30% if they were to address code-level vulnerabilities early during development - a practice known as shifting security left.

    Do you agree? Feel free to add your thoughts. #cloudsecurity #observability #loganalytics #applicationmonitoring #twominutedigest
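Two of the code-layer risks named above, SQL injection and SSRF, are shown below as the vulnerable function next to its hardened form. This is an added example, not from the post or from either vendor: the SQL part runs against an in-memory SQLite table, and the SSRF part targets the case that matters most in the cloud, a "fetch this URL" feature being pointed at the instance metadata service. Table rows, the allow-listed host and the sample URLs are constructed.

```python
"""SQL injection and SSRF: vulnerable function beside its hardened form.

Added example (not from the post or any vendor). Table contents, the allow-listed
host and the URLs are constructed.
"""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# --- SQL injection -------------------------------------------------------------

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: user input becomes part of the SQL grammar."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn, name):
    """Parameterised query: the driver passes the value separately from the statement."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- SSRF ----------------------------------------------------------------------

ALLOWED_HOSTS = {"api.partner.example"}        # assumed: the only hosts the app may call
METADATA_HOSTS = {"metadata.google.internal"}   # well-known metadata hostname


def _is_internal_ip(host):
    """True for loopback, private, link-local (where 169.254.169.254 lives) and other
    non-global ranges, including IPv4 addresses smuggled in as IPv4-mapped IPv6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                                # not an IP literal
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not ip.is_global


def fetch_target_vulnerable(url):
    """What an unvalidated 'fetch this URL for me' endpoint does: accept anything."""
    return urlsplit(url).hostname


def fetch_target_hardened(url):
    """Return the host the app may contact, or None if the URL must be refused.

    Deny-listing only the metadata IP is not enough; this combines a scheme check,
    an IP-literal range check and a host allow-list. A hostname must additionally be
    resolved and the resolved address re-checked (with the connection pinned to it)
    to defeat DNS rebinding; that network step is out of scope for an offline example.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    if host in METADATA_HOSTS or _is_internal_ip(host):
        return None
    if host not in ALLOWED_HOSTS:
        return None
    return host


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row comes back
    print("hardened:  ", find_user_hardened(db, payload))     # no user has that literal name
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "https://api.partner.example/v1/report"):
        print(f"{u:70} -> {fetch_target_hardened(u)}")
```

The SSRF half is the reason IMDSv2 matters: even with this guard missing, a metadata service that demands a session token obtained via a PUT request is not reachable through a plain GET-based fetcher.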

  • Jeff Moncrief

    Sales Engineering Leader | Cloud Identity & IAM Security Advisor


    🚨 Your Secrets Are Not Safe! 🚨

    A recent study using dummy AWS credentials (canary tokens) by Idan Ben Ari exposes the alarming rate at which exposed secrets can be exploited across various platforms. It’s time to wake up.

    Times to Compromise:
    NPM: Less than 1 minute ⏱️
    PyPI: Approximately 2 minutes ⏱️
    GitHub: Seconds after exposure ⚡
    Pastebin: Around 1 hour 🕒
    DockerHub: About 7 days 📅
    BitBucket and GitLab: No accesses 🚫

    It’s fascinating to see how quickly platforms like NPM and GitHub are targeted, almost instantaneously, highlighting their high-risk profiles. Conversely, BitBucket and GitLab showed no access attempts, possibly due to less frequent scanning or different user behaviors. These variations underscore the unpredictable nature of security threats and the need for a tailored approach to cloud security.

    Here’s what you can do:
    - Implement Real-Time Monitoring and Least Privilege: Utilize monitoring tools to detect unauthorized access immediately and enforce the principle of least privilege to minimize exposure.
    - Secure and Regularly Audit Unused Roles/Identities: Decommission/Protect unused AWS roles or identities and conduct regular audits to mitigate risks associated with stale credentials.
    - Lock Down Unused AWS Services: Disable or restrict access to unused AWS services to close potential entry points for attackers.
    - Utilize Canary Tokens Strategically: Place canary tokens in sensitive areas as early warning systems to alert on unauthorized access attempts, helping you proactively identify security vulnerabilities.

    This study is not just a warning—it’s a call to action. Secure your cloud environments now before your secrets lead to a security breach.

    👉 Full article with all detailed testing methods/results in the comments!

    Stay vigilant... #cloudsecurity #aws #cybersecurity #infosec #ciem #TheyJustLogin
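A canary credential only earns its keep if its first use becomes an alert. The script below is an added example, not from the study or the post: it scans constructed CloudTrail records (a subset of the real record fields: eventTime, eventName, eventSource, sourceIPAddress, userAgent, userIdentity.accessKeyId, errorCode) for any API call made with a planted key, reports who used it and from where, and computes the "time to compromise" the post tabulates. The key IDs, IP addresses and plant time are assumptions.

```python
"""Turn a planted canary AWS access key into an alert from CloudTrail records.

Added example (not from the study or the post). Records are a constructed subset
of real CloudTrail fields; key IDs, IPs and the plant time are assumptions.
"""
from datetime import datetime, timezone

# Assumed: access key IDs of credentials deliberately planted (e.g. in a package or a
# repo) that have no legitimate use, with where and when they were planted.
CANARY_KEYS = {
    "AKIAEXAMPLECANARY001": {"planted_in": "npm package", "planted_at": "2024-09-01T10:00:00Z"},
}

# Constructed CloudTrail records: two calls with the canary key from one IP, one normal call.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-09-01T10:00:41Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001", "userName": "canary-npm"}},
    {"eventTime": "2024-09-01T10:00:43Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001", "userName": "canary-npm"}},
    {"eventTime": "2024-09-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
     "userAgent": "aws-sdk-go/1.44",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLENORMAL0001", "userName": "sre-alice"}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_canary_use(records, canary_keys):
    """One alert per CloudTrail record that used a canary key, in time order."""
    alerts = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in canary_keys:
            continue
        planted_at = _ts(canary_keys[key]["planted_at"])
        alerts.append({
            "key": key,
            "planted_in": canary_keys[key]["planted_in"],
            "seconds_after_plant": int((_ts(r["eventTime"]) - planted_at).total_seconds()),
            "call": f"{r['eventSource']}:{r['eventName']}",
            "denied": "errorCode" in r,        # a denied call still proves the key leaked
            "source_ip": r["sourceIPAddress"],
            "user_agent": r["userAgent"],
        })
    return alerts


def time_to_first_use(alerts):
    """Seconds from plant to first observed use, per canary key."""
    first = {}
    for a in alerts:
        first.setdefault(a["key"], a["seconds_after_plant"])
    return first


if __name__ == "__main__":
    hits = detect_canary_use(CLOUDTRAIL_RECORDS, CANARY_KEYS)
    for a in hits:
        print(f"CANARY {a['key']} ({a['planted_in']}) used {a['seconds_after_plant']}s after plant: "
              f"{a['call']} from {a['source_ip']} denied={a['denied']} ua={a['user_agent']}")
    print("time to first use:", time_to_first_use(hits))
```

Give the canary user no permissions at all: the attacker's very first call (typically `GetCallerIdentity`, which needs none) still lands in CloudTrail with their IP and user agent, and every later call fails with `AccessDenied` while still being logged.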

  • Nitesh Rastogi, MBA, PMP

    Strategic Leader in Software Engineering🔹Driving Digital Transformation and Team Development through Visionary Innovation 🔹 AI Enthusiast


    Cloud AI Security: What’s Lurking Beneath the Surface?

    A recent report from #Tenable reveals a concerning reality: nearly 70% of cloud AI workloads carry at least one unremediated #vulnerability—and the rest may simply be unaudited. The widespread reliance on default, overprivileged service accounts in platforms like Google Vertex AI (used by 77% of organizations) is multiplying risks across every layer of the AI stack. From misconfigured data buckets to vulnerable open-source components, attackers have more entry points than ever—and the blast radius for even minor oversights can be enormous. The infamous OpenAI Redis library incident, which exposed user data, is just one example of how simple misconfigurations can lead to major privacy breaches.

    Security in cloud AI isn’t just about patching bugs—it’s about adopting a risk-based, platform-wide approach. Organizations need to merge human and machine identities, enforce least-privilege access, and embed security controls directly into the MLOps pipeline. As cloud AI workloads scale, so too must our security strategies.

    Key takeaways
    1. Audit and reconfigure default permissions—don’t let overprivileged accounts become your Achilles’ heel.
    2. Adopt a unified, risk-based security approach—prioritize vulnerabilities by potential impact, not just technical severity.
    3. Embed security into every stage of your AI pipeline—from data ingestion to model deployment.

    Let’s not just innovate—let’s protect. The future of AI depends on it. Security should be at the heart of every AI initiative, not just an afterthought.

    Source: https://lnkd.in/gtQf-ZyG #AI #DigitalTransformation #GenerativeAI #GenAI #Innovation #ArtificialIntelligence #ML #ThoughtLeadership #NiteshRastogiInsights

  • Thanks to Google Cloud Security for their latest alert on Scattered Spider, who have pivoted their advanced social engineering and MFA-bypass attacks from retail to U.S. insurance firms—now specifically targeting IT support and help desk teams. This wave of intrusions highlights how attackers exploit not just credentials, but also gaps in identity governance and privileged access. For security teams, the key takeaways are:
    🚩 Rigorous access controls: Limit how much access IT support and call center personnel have, especially to sensitive systems.
    🚩 Effective privilege management: Quickly identify and reduce unnecessary, lingering, or excessive permissions that enable lateral movement post-compromise.
    🚩 Monitor privilege escalation paths: Visibility into who can reset credentials or escalate access is critical for breaking the attack chain.
    🚩 Support security awareness: Continuously educate support teams on verification and social engineering resistance.
    We must modernize our identity security approach to continuously validate effective permissions and monitor privilege boundaries—not just roles—to help contain the impact if attackers get in. This is crucial as social engineering and identity attacks become more sophisticated and sector-focused. https://lnkd.in/enYu5AFj #Cybersecurity #InfoSec #IdentitySecurity #ThreatIntel #LeastPrivilege

  • Anthony Esposito

    Chief Information Security Officer at McKinsey & Company


    Security researchers from Sysdig recently discovered that hackers are using a novel method of exploiting cloud computing accounts by deploying virtual machines to participate in a blockchain-based content delivery service, circumventing traditional restrictions on cryptocurrency mining based on CPU and RAM usage by focusing on storage space and bandwidth. Researchers discovered an attack campaign where 6,000 micro instances were spawned across various AWS regions from a compromised account to engage in the Meson Network, gaining initial access to servers through known vulnerabilities in the Laravel PHP framework and WordPress misconfigurations. Detection methods advised by researchers include monitoring traffic spikes, storage usage, outbound connections, and anomalous AWS activity. This finding underscores the evolving tactics of hackers seeking to monetize compromised systems—reminiscent of previous incidents like proxyjacking reported by Akamai researchers. #Cybersecurity #CyberCrime #CloudSecurity #Blockchain

  • Matt Meyers (CTA)

    Founder & CEO EzProtect | DF and TDX Speaker | Best-Selling Author 📕 - Securing Salesforce Digital Experiences


    Did you know that 99% of cloud breaches occur because someone simply configured something wrong? (Gartner, 2025). Not sophisticated hackers. Not zero-day exploits. Just basic human error. And if you needed proof this prediction is spot-on, cybersecurity researchers just handed us a masterclass with over 20 critical misconfigurations discovered in Salesforce Industry Cloud. As someone who's spent years helping organizations secure their Salesforce environments, this hits close to home. The vulnerabilities researchers uncovered—with severity scores reaching 9.1 out of 10—expose exactly what keeps me continuing to advocate for data security training and awareness. We're talking about encrypted customer data, employee information, and system credentials becoming accessible to anyone who shouldn't have them. The most critical flaw (CVE-2025-43698) completely bypasses Field-Level Security, turning your carefully encrypted data into an open book. Here's what really highlights the challenge: Salesforce responded by clarifying that these issues "stem from customer configuration issues" and aren't inherent application vulnerabilities, while confirming they've patched the problems and updated their documentation. Meanwhile, security researchers point out that under the shared responsibility model, "a single missed setting could lead to the breach of thousands of records, with no vendor accountability." While we continue to chase low-code platform adoption in the name of speed and simplicity, this continues to lead to environments where one checkbox mistake can expose thousands of records. The convenience that makes these platforms attractive is the same thing that makes them dangerous when security becomes an afterthought instead of a foundation. Full report here: https://lnkd.in/g67_Pc_R Stay safe out there, folks. #CyberSecurity #Salesforce #CloudSecurity
