CyberSecurity news
FlagThis - #cloudsecurity
|
Mona Thaker@Microsoft Security Blog
//
References:
Microsoft Security Blog
, Wiz Blog | RSS feed
,
Microsoft and Wiz have both been recognized as Leaders in the 2025 IDC MarketScape for Cloud-Native Application Protection Platforms (CNAPP). This recognition underscores the growing importance of CNAPP solutions as organizations grapple with securing increasingly complex cloud environments. The IDC MarketScape assesses vendors based on their capabilities and strategic vision, providing guidance for security leaders seeking to replace fragmented point tools with a unified approach to cloud security. Both Microsoft and Wiz have demonstrated a strong commitment to innovation and customer success in cloud security.
The IDC MarketScape emphasizes that selecting a CNAPP vendor involves more than just consolidating tools. It highlights the importance of seamless integration with existing security infrastructure and the ability to enhance the overall security posture. Key considerations include robust monitoring and reporting on cloud security posture, runtime, and application security. Microsoft's recognition stems from its comprehensive, AI-powered, and integrated security solutions for multicloud environments. Wiz is also committed to customer success across cloud security. Microsoft's Defender for Cloud was specifically lauded for providing visibility into cloud attacks across the entire environment, from endpoints to exposed identities. The platform's holistic approach examines attack vectors both inside and outside the cloud, integrating pre-breach posture graphs with live incidents for exposure risk assessment. Additionally, Microsoft was recognized for its detailed threat analytics, which combines information from various sources to create comprehensive attack paths and facilitate threat prioritization. Customers also highlighted the strong partnership with Microsoft, noting dedicated support and consulting for optimal product use. Recommended read:
References :
CISA@Alerts
//
References:
www.cybersecuritydive.com
, Tenable Blog
,
Tenable's 2025 Cloud Security Risk Report has revealed a concerning trend: a significant percentage of public cloud storage resources are exposing sensitive data. The study found that nearly one in ten publicly accessible cloud storage buckets contain sensitive information, including Personally Identifiable Information (PII), Intellectual Property (IP), Payment Card Industry (PCI) data, and Protected Health Information (PHI). Worryingly, 97% of this exposed data is classified as restricted or confidential. This highlights the ongoing challenge organizations face in properly securing their cloud environments despite increased awareness of cloud security risks.
Researchers found that misconfigured access settings and overly permissive policies are major contributing factors to these exposures. For instance, more than half of organizations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions. Similarly, a significant portion of Google Cloud Platform (GCP) Cloud Run and Microsoft Azure Logic Apps workflows are also exposed. Tenable emphasizes the need for automated data discovery and classification, elimination of public access by default, enterprise-grade secrets management, and identity-intelligent Cloud Security Posture Management (CSPM) to mitigate these risks. While the report highlights the risks from insecure cloud configurations, it also points to some positive developments. The number of organizations with "toxic cloud trilogies" – workloads that are publicly exposed, critically vulnerable, and highly privileged – has declined from 38% to 29% over the past year. However, this still represents a substantial risk. Tenable stresses that exposed secrets and sensitive data are systemic risks that must be eliminated to prevent data exfiltration and environment takeover, emphasizing that attackers often exploit public access, steal embedded secrets, or abuse overprivileged identities to compromise cloud environments. Recommended read:
References :
@Cloud Security Alliance
//
Amazon Web Services (AWS) is actively enhancing its security measures to empower customers with robust active defense capabilities. AWS utilizes internal active defense systems like MadPot, which are global honeypots, Mithra, a domain graph neural network, and Sonaris, which handles network mitigations. These systems are continuously improving to detect and help prevent attacks related to malware, software vulnerabilities, and AWS resource misconfigurations, benefiting customers automatically through the AWS network. AWS also employs strategies to identify, track, and disrupt threat infrastructure by analyzing network traffic logs, honeypot interactions, and malware samples.
CrowdStrike and AWS have joined forces to simplify security incident response for cloud environments. This collaboration includes launching a new managed service integrated directly into the AWS console, aiming to provide seamless security operations. The integration is designed to enable faster and easier incident response, allowing for more efficient handling of security threats and breaches within cloud infrastructures. This partnership seeks to address the growing need for streamlined security management in complex cloud environments. 1Password and AWS have formed a strategic alliance to enhance the security of AI and cloud environments for enterprises. This collaboration focuses on providing AI-era security tools to protect unmanaged devices and applications, addressing the "Access-Trust Gap." Contracts sold through AWS average four times larger than typical deals, with win rates exceeding 50 percent. 1Password, traditionally a consumer-focused password manager, has transformed into an enterprise security platform serving one-third of Fortune 100 companies, driven by the increasing demand for security tools capable of monitoring and controlling AI agents and unauthorized applications. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.
Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild. The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly. Recommended read:
References :
@Wiz Blog | RSS feed
//
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including Nomad, Consul, Docker, and Gitea, to illicitly mine Monero cryptocurrency. The attackers, tracked as JINX-0132, are exploiting known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. This campaign marks the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector.
The JINX-0132 group uniquely avoids traditional identifiers, downloading tools directly from public GitHub repositories, including standard release versions of XMRig. This "living-off-open-source" approach complicates detection and clustering of their activities. They abuse insecure configurations and vulnerable software versions to hijack DevOps web servers. HashiCorp Nomad and Consul, Docker API, and Gitea servers are being targeted. Affected Nomad instances can manage hundreds of clients, representing significant compute power. To prevent such attacks, organizations are advised to review their configurations, activate security features like access control lists (ACLs) for Nomad, and properly configure Consul to prevent unauthorized access and resource utilization. Recommended read:
References :
CISA@All CISA Advisories
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.
Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems. The vulnerability requires authenticated credentials in order to make use of it. To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.
Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource. The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking. Recommended read:
References :
@cyberpress.org
//
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.
The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon. A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID. Recommended read:
References :
@securityonline.info
//
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.
The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF). Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development. Recommended read:
References :
@www.microsoft.com
//
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.
The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups. To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix. This provides a structured framework for organizations to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Furthermore, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showcasing the diverse methods attackers are using to generate revenue from compromised container environments. Recommended read:
References :
David Jones@cybersecuritydive.com
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments. To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible. Recommended read:
References :
Dissent@DataBreaches.Net
//
Oracle has confirmed a cloud data breach, issuing notifications to customers about a cybersecurity incident. The confirmation follows claims by a threat actor alleging possession of millions of data lines related to over 140,000 Oracle Cloud tenants, including sensitive Personally Identifiable Information (PII), along with corporate and financial data. The company states the breach involved what it described as "two obsolete servers," and maintains that its Oracle Cloud Infrastructure (OCI) was not compromised, and no OCI customer data was viewed or stolen. However, this incident has brought into question Oracle's communication strategy and the accuracy of its disclosures.
The company's initial response has sparked debate and criticism, with cybersecurity experts and customers expressing concern over potential inconsistencies in Oracle's narrative. While Oracle claims the issue stemmed from "obsolete servers," independent analyses and customer confirmations suggest that customer data may have been compromised, contradicting the company's initial denial of an OCI breach. The discrepancy between Oracle's statements and the emerging evidence has raised questions about transparency and the potential use of carefully chosen terminology to minimize the perceived impact of the incident. The communication strategy has drawn specific criticism regarding Oracle's distinction between "Oracle Cloud" and "Oracle Cloud Classic." Experts, like Kevin Beaumont, have pointed out that this distinction allows Oracle to deny a breach of "Oracle Cloud" while acknowledging issues with "Oracle Classic," which is still part of Oracle's cloud services. This approach raises concerns about potential wordplay and its effects on customer trust and Oracle's reputation. The incident highlights the challenges companies face in maintaining transparency and trust during cybersecurity incidents, especially when sensitive customer data is at risk. Recommended read:
References :
|