CyberSecurity news

FlagThis - #azure

@www.microsoft.com //

Microsoft Focuses on AI Integration and Security - Microsoft is integrating AI into its products and services, pushing the boundaries of agentic user experience using Model Context Protocol (MCP) to enable AI models to interact with external services, enhance security and flexibility, while also defending against evolving identity attack techniques.
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :
CISA@All CISA Advisories //

CISA Warns of SaaS Attacks Exploiting Misconfigurations - CISA warns that SaaS companies are targeted via cloud apps with weak security, as seen in the Commvault M365 threat where threat actors accessed client secrets for M365 backup SaaS solution hosted in Azure.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.

The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, allowing remote, authenticated attackers to create and execute web shells. Commvault confirmed that Microsoft notified them of the unauthorized activity in February 2025, leading to an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and they have rotated app credentials for M365 as a preventative measure.

CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies to restrict application service principal authentication to approved IP addresses. They also advise reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of vulnerabilities.

Recommended read:
References :
  • The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
  • thecyberexpress.com: Commvault Nation-State Campaign Could Be Part of Broader SaaS Threat: CISA
  • The Hacker News: CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
  • www.csoonline.com: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about threat actors abusing Commvault’s SaaS cloud application, Metallic, to access its clients’ critical application secrets.
  • www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
  • www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
CISA@All CISA Advisories //

Cyber Threats Targetting Commvault’s Metallic Cloud Applications - CISA is monitoring cyber threat activity targeting Commvault’s SaaS Cloud Application (Metallic) hosted in Microsoft Azure, potentially part of a campaign exploiting default configurations and elevated permissions in SaaS companies.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.

Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems. The vulnerability requires authenticated credentials in order to make use of it.

To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses.

Recommended read:
References :
  • www.commvault.com: Commvault blogs on a customer security update.
  • The Hacker News: TheHackerNews post about broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
  • The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
  • thecyberexpress.com: Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
  • www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
  • malware.news: China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
  • bsky.app: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
  • www.nextgov.com: China-linked Silk Typhoon hackers accessed Commvault cloud environments, person familiar says
  • www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
  • www.csoonline.com: CISA flags Commvault zero-day as part of wider SaaS attack campaign
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
@securityonline.info //

Critical Microsoft Cloud Vulnerabilities Confirmed with High Severity - Microsoft has confirmed several cloud security vulnerabilities in Azure services and Microsoft Power Apps, with one receiving a maximum critical rating of 10, highlighting significant risks and emphasizing the need for robust security measures and timely patching.
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed

Posts

Blogs

Research Tools