CyberSecurity news

FlagThis - #cloudsecurity

@cyberpress.org //
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.

The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon.

A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID.

References:
  • cyberpress.org: A novel technique for extracting Microsoft Entra refresh tokens via Beacon Command & Control (C2) frameworks has emerged, leveraging browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms.
  • gbhackers.com: A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints
  • cyberpress.org: Legacy Protocol Flaws in Microsoft Entra ID Let Hackers Bypass MFA and Conditional Access
  • MeatMutts: Legacy Authentication Exploited: Microsoft Entra ID Breach Exposes Cloud Security Risks

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

References:
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed

@www.microsoft.com //
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.

The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups.

To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix. This provides a structured framework for organizations to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Furthermore, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showcasing the diverse methods attackers are using to generate revenue from compromised container environments.

References:
  • www.microsoft.com: Understanding the threat landscape for Kubernetes and containerized assets
  • Cyber Security News: Cyberpress: Unsecured Kubernetes Clusters Targeted by Threat Actors for Crypto Mining
  • The Hacker News: Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals
  • Microsoft Security Blog: Understanding the threat landscape for Kubernetes and containerized assets

David Jones@cybersecuritydive.com //
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.

CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.

To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible.

References:
  • DataBreaches.Net: Sergiu Gatlan reports: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks. CISA said, “the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate,...
  • BleepingComputer: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks.
  • www.cybersecuritydive.com: The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
  • MSSP feed for Latest: Legacy Oracle cloud breach poses credential exposure risk
  • hackread.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
  • www.scworld.com: Secure legacy Oracle cloud credentials amid leak reports, CISA warns
  • www.itpro.com: CISA issues warning in wake of Oracle cloud credentials leak
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The Register - Security: Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
  • The DefendOps Diaries: Understanding the Oracle Cloud Breach: CISA's Guidance and Recommendations
  • ciso2ciso.com: CISA Urges Action on Potential Oracle Cloud Credential Compromise
  • ciso2ciso.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading to phishing, network breaches, and data theft.

Dissent@DataBreaches.Net //
Oracle has confirmed a cloud data breach, issuing notifications to customers about a cybersecurity incident. The confirmation follows claims by a threat actor alleging possession of millions of data lines related to over 140,000 Oracle Cloud tenants, including sensitive Personally Identifiable Information (PII), along with corporate and financial data. The company states the breach involved what it described as "two obsolete servers," and maintains that its Oracle Cloud Infrastructure (OCI) was not compromised, and no OCI customer data was viewed or stolen. However, this incident has brought into question Oracle's communication strategy and the accuracy of its disclosures.

The company's initial response has sparked debate and criticism, with cybersecurity experts and customers expressing concern over potential inconsistencies in Oracle's narrative. While Oracle claims the issue stemmed from "obsolete servers," independent analyses and customer confirmations suggest that customer data may have been compromised, contradicting the company's initial denial of an OCI breach. The discrepancy between Oracle's statements and the emerging evidence has raised questions about transparency and the potential use of carefully chosen terminology to minimize the perceived impact of the incident.

The communication strategy has drawn specific criticism regarding Oracle's distinction between "Oracle Cloud" and "Oracle Cloud Classic." Experts, like Kevin Beaumont, have pointed out that this distinction allows Oracle to deny a breach of "Oracle Cloud" while acknowledging issues with "Oracle Classic," which is still part of Oracle's cloud services. This approach raises concerns about potential wordplay and its effects on customer trust and Oracle's reputation. The incident highlights the challenges companies face in maintaining transparency and trust during cybersecurity incidents, especially when sensitive customer data is at risk.

References:
  • DataBreaches.Net: Oracle’s statement to customers is still raising questions about its disclosure and transparency
  • The DefendOps Diaries: Explore Oracle's security incident, its communication strategy, and the implications for customer trust and industry standards.
  • securityaffairs.com: Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach.
  • BleepingComputer: Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as "two obsolete servers."
  • The Register - Security: Oracle says its cloud was in fact compromised
  • securityonline.info: Oracle Data Breach: Authenticity Confirmed Despite Denial
  • Cyber Security News: CyberPress on Oracle Confirms Breach
  • cyberinsider.com: Oracle Sends “Not a Breach” Notices to Customers Following Data Exposure
  • phishingtackle.com: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
  • Techzine Global: Oracle confirms data breach via outdated servers, denies cloud breach
  • The Register - Security: The Reg translates the letter in which Oracle kinda-sorta tells customers it was pwned
  • Phishing Tackle: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
  • securityonline.info: At the end of March, a hacker claimed to have breached Oracle’s cloud infrastructure, allegedly exfiltrating approximately six million records. These reportedly included sensitive materials such as Oracle Cloud customer security keys, encrypted credentials, and LDAP authentication data. The threat actor even published a sample of the data as proof. Oracle promptly denied the breach, […]
  • CyberInsider: Cybersecurity Insiders article about Oracle sending the data exposure notices to customers
  • www.csoonline.com: Oracle admits breach of ‘obsolete servers,’ denies main cloud platform affected

Aman Mishra@gbhackers.com //
A cyber threat group known as JavaGhost has been exploiting misconfigured Amazon Web Services (AWS) Identity and Access Management (IAM) permissions to conduct sophisticated phishing campaigns. Palo Alto Networks Unit 42 tracks the activity as TGR-UNK-0011, a group that overlaps with JavaGhost. Since 2022, JavaGhost has pivoted from website defacement to cloud-based phishing attacks, targeting unsuspecting victims for financial gain.

The group exploits leaked long-term AWS access keys to gain initial access, then misuses AWS services like Simple Email Service (SES) and WorkMail to send phishing emails, bypassing typical email protections. They create new SMTP credentials and IAM users, some for active attacks and others for long-term persistence, even leaving the same calling card in the middle of their activities.

JavaGhost's tactics include generating temporary credentials and utilizing advanced evasion techniques to obfuscate their identities in CloudTrail logs, a tactic historically used by Scattered Spider. The attackers create IAM roles with trust policies, allowing access from attacker-controlled AWS accounts, and attempt to enable all AWS regions to potentially evade security controls. These activities leave detectable events in CloudTrail logs, providing opportunities for threat detection and response for vigilant organizations.

References:
  • The Hacker News: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
  • gbhackers.com: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail [cloud]
  • Cyber Security News: JavaGhost Exploits Amazon IAM Permissions for Phishing Attacks

@www.networkworld.com //
Versa Networks has launched its Sovereign SASE platform, presenting a new option for enterprises and service providers seeking greater control over their network security. This solution allows organizations to deploy a SASE platform within their own on-premises or private cloud environments, moving away from the traditional cloud-only security model. Versa's Sovereign SASE is designed to run entirely on customer-controlled infrastructure, offering a "do-it-yourself" model for customized networking and security services.

Increased privacy and control, reduced risk of service disruption, and eased regulatory compliance are key benefits. The platform enables organizations to build and manage their SASE environment on their own infrastructure, ensuring greater autonomy and data protection. By eliminating reliance on third-party SaaS platforms, Versa Sovereign SASE reduces operational risks and costs tied to unplanned outages, strengthening business continuity. The "air-gapped" infrastructure also simplifies meeting strict requirements for regulatory compliance, data residency, and security.

References:
  • @VMblog: Versa Redefines SASE with Industry-First Sovereign SASE for Enterprises and Service Providers
  • Help Net Security: Versa Sovereign SASE enables organizations to create self-protecting networks
  • www.networkworld.com: Versa Networks launches sovereign SASE, challenging cloud-only security model
  • www.helpnetsecurity.com: Versa releases Versa Sovereign SASE, allowing enterprises, governments, and service providers to deploy customized networking and security services directly from their own infrastructure in a “do-it-yourself” model.

@csoonline.com //
Cybersecurity researchers have uncovered a new "whoAMI" attack that exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts. The attack allows anyone publishing an AMI with a specific, crafted name to potentially gain access and execute malicious code. The vulnerability stems from misconfigured software that can be tricked into using a malicious AMI instead of a legitimate one when creating Elastic Compute Cloud (EC2) instances.

Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024 by introducing new security controls, and HashiCorp Terraform implemented warnings to prevent misuse of the API.
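
A defensive check for the condition described above (image looked up by name, no owner specified), as an added example that is not from the original reporting, AWS or HashiCorp: it scans Terraform source for `aws_ami` data blocks that filter on name without a non-empty `owners` list. The sample configuration and the account ID are constructed, and the regex-based parsing is a simplifying assumption rather than a full HCL parser.

```python
import re

# Constructed Terraform sample (not taken from any real repository).
SAMPLE_TF = '''
data "aws_ami" "ubuntu_unpinned" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

data "aws_ami" "ubuntu_pinned" {
  most_recent = true
  owners      = ["123456789012"]  # placeholder account ID
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

data "aws_ami" "by_arch_only" {
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}
'''

BLOCK_START = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')
# A filter on the image name, i.e. `name = "name"` inside a filter block.
NAME_FILTER = re.compile(r'\bname\s*=\s*"name"')
# An `owners` attribute on its own line whose value is not the empty list.
OWNERS = re.compile(r'^\s*owners\s*=\s*(?!\[\s*\])\S', re.MULTILINE)


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced input: take the remainder


def find_unpinned_ami_lookups(tf_source):
    """Names of aws_ami data blocks that select by name but set no owner."""
    findings = []
    for m in BLOCK_START.finditer(tf_source):
        body = _block_body(tf_source, m.end() - 1)
        selects_by_name = bool(NAME_FILTER.search(body)) or "name_regex" in body
        has_owner = bool(OWNERS.search(body))
        if selects_by_name and not has_owner:
            findings.append(m.group(1))
    return findings


if __name__ == "__main__":
    for name in find_unpinned_ami_lookups(SAMPLE_TF):
        print(f'data.aws_ami.{name}: name lookup without "owners"')
```
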

References:
  • Talkback Resources: Cybersecurity researchers disclosed the whoAMI attack, enabling attackers to execute code within AWS accounts by tricking misconfigured software into using a malicious AMI with a specific name, prompting AWS to introduce new security controls and HashiCorp Terraform to implement warnings.
  • The Hacker News: New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution
  • www.bleepingcomputer.com: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • www.csoonline.com: whoAMI name confusion attacks can expose AWS accounts to malicious code execution
  • BleepingComputer: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • aws.amazon.com: AWS blog post on the fix.
  • securitylabs.datadoghq.com: Datadog Security Labs report detailing the whoAMI attack.
  • securityaffairs.com: whoAMI attack could allow remote code execution within AWS account
  • Security Affairs: whoAMI attack could allow remote code execution within AWS account

@www.helpnetsecurity.com //
Palo Alto Networks has unveiled Cortex Cloud, a unified platform integrating its cloud detection and response (CDR) and cloud-native application protection platform (CNAPP) capabilities. Cortex Cloud merges Prisma Cloud with Cortex CDR to deliver real-time cloud security, addressing the growing risks in cloud environments. The platform uses AI-driven insights to reduce risks and prevent threats, providing continuous protection from code to cloud to SOC.

Cortex Cloud aims to solve the disconnect between cloud and enterprise security teams, which often operate in silos. With Cortex Cloud, security teams gain a context-driven defense that delivers real-time cloud security. Palo Alto Networks will include CNAPP at no additional cost for every Cortex Cloud Runtime Security customer.

References:
  • www.helpnetsecurity.com: Palo Alto Networks Cortex Cloud applies AI-driven insights to reduce risk and prevent threats
  • www.paloaltonetworks.com: Introducing Cortex Cloud — The Future of Real-Time Cloud Security
  • www.prnewswire.com: "we're including CNAPP at no additional cost for every Cortex Cloud Runtime Security customer."
  • securityboulevard.com: Palo Alto Networks today launched its Cortex Cloud platform to integrate the company’s cloud-native application protection platform (CNAPP) known as Prisma Cloud into a platform that provides a wider range of cloud security capabilities.