Key Vulnerabilities in Cloud Services


Summary

Key vulnerabilities in cloud services refer to weaknesses or misconfigurations in cloud-based platforms that can expose sensitive information, disrupt operations, or allow unauthorized access. Many incidents are caused by simple errors like overly broad permissions, poorly protected storage, or insufficient security checks—making cloud security everyone's responsibility.

  • Review access controls: Regularly check who has permission to view or modify your cloud files and limit access to only those who need it.
  • Monitor storage settings: Set up alerts and frequent scans to spot misconfigured storage or exposed data before it becomes a problem.
  • Test for resilience: Make sure your backup and failover strategies are designed across multiple regions, not just zones, to handle outages or disruptions.
Summarized by AI based on LinkedIn member posts
  • View profile for Yew Jin Kang

    Banking Chief Technology Officer | IDG/Foundry CIO100 | Solution Architect | Cloud | Artificial Intelligence Enthusiast | Comics Collector | Toy Photography

    11,888 followers

    This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom", i.e. credentials, API keys, and tokens that can lead to a much wider breach.

    How do we protect ourselves against these costly mistakes? Suggestions:

    1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management, a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services.
    2. Least Privilege Access: Default to private. Grant access sparingly.
    3. Data Encryption: For data at rest and in transit.
    4. Automated Alerts: The moment something becomes public, you should know.
    5. Regular Audits: Regularly review access controls and rotate secrets.

  • View profile for Deepak Agrawal

    Founder & CEO @ Infra360 | DevOps, FinOps & CloudOps Partner for FinTech, SaaS & Enterprises

    17,020 followers

    What’s the worst cloud security mistake you’ve seen? I’ll go first.

    A fintech startup I consulted for had exposed AWS S3 buckets, publicly accessible. And guess what?
    ☠️ It had customer transaction data.
    ☠️ Nobody noticed until a security researcher flagged it on Twitter.
    ☠️ By then, petabytes of sensitive data had already been scraped.

    The damage? Regulatory fines, customer trust shattered, and a PR nightmare.

    The worst part?
    ☠️ They weren’t even aware of who had access to what.
    ☠️☠️ Their cloud environment was a wild west of permissions, IAM roles stacked on IAM roles, and nobody dared to clean up.

    Here’s a painful reality:
    🚨 80% of cloud breaches happen due to misconfigurations.
    🚨 90% of companies over-provision permissions.
    🚨 70% of cloud workloads have at least one high-risk vulnerability.
    ↳ I’ve seen massive enterprises running root-level access on production.
    ↳ I’ve seen API keys hardcoded in GitHub repos.
    ↳ I’ve seen companies assume “our cloud provider takes care of security”, until their data is sold on the dark web.

    Cloud security isn’t a set-and-forget thing. It’s your responsibility.
    ✅ Do you have a clean IAM policy?
    ✅ Are your secrets vaulted, not hardcoded?
    ✅ Are you scanning for misconfigurations weekly?
    ✅ Are your access logs even being monitored?

    Security is boring, until it’s catastrophic. What’s the worst cloud security mistake you’ve seen? Drop your horror stories below. Let’s make sure others don’t repeat them.
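The two posts above describe the same root cause from two angles: a storage bucket whose policy lets anyone read it, and IAM policies that grant far more than a role needs. The script below is an added example (not code from either author, and not a vendor tool) that reads AWS-style JSON policy documents and flags the grants a CSPM would flag first: a public principal, a wildcard action, or a wildcard resource. The sample policies, bucket name and account id are constructed placeholders.

```python
"""Flag over-broad grants in AWS-style JSON policy documents.

Added example (not code from either post above). It checks the two patterns
the posts describe: a storage policy that lets anyone read (Principal "*")
and an IAM policy that grants wildcard actions or resources. Sample policies
are constructed for illustration.
"""
import json


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(document, name="policy"):
    """Return findings for every Allow statement that is too broad.

    Each finding carries the statement id and a 'kind' of public-principal,
    wildcard-action or wildcard-resource. A Condition block (e.g. limiting
    access to a VPC endpoint) is recorded but does not suppress the finding,
    because conditions are easy to get wrong and deserve a human look.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access and are never findings
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        def add(kind, detail):
            findings.append({"policy": name, "sid": sid, "kind": kind,
                             "detail": detail, "conditioned": conditioned})

        if _is_public_principal(stmt.get("Principal")):
            add("public-principal", f"anyone may {actions}")
        if any(a == "*" or a.endswith(":*") for a in actions):
            add("wildcard-action", f"actions {actions}")
        if "*" in resources:
            add("wildcard-resource", f"actions {actions} on every resource")
    return findings


# Constructed samples; account id and bucket name are placeholders.
PUBLIC_BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-db-backups/*"
  }]
}"""

ADMIN_IAM_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BillingReader",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/billing-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-db-backups/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-db-backups/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    for label, doc in [("backups", PUBLIC_BUCKET_POLICY), ("admin", ADMIN_IAM_POLICY),
                       ("scoped", SCOPED_BUCKET_POLICY)]:
        for f in audit_policy(doc, label):
            print(f"{f['policy']}/{f['sid']}: {f['kind']} - {f['detail']}")
```

Running it prints one finding for the public backup bucket and two for the admin-equivalent IAM policy, and nothing for the scoped policy, whose only `Principal: "*"` is in a Deny statement. The same three checks apply to bucket policies, IAM policies and access-point policies, so one function covers the storage exposure in the first post and the permission sprawl in the second.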

  • View profile for Faye Ellis

    AWS Community Hero, cloud architect, keynote speaker, and content creator. I explain cloud technology clearly and simply, to help make rewarding tech careers accessible to all

    26,728 followers

    ☁️ Every major cloud outage is a reminder that resilience isn’t something you can enable with a checkbox; it’s something you need to explicitly design, test, and adapt as dependencies evolve.

    A recent “thermal event” in Microsoft Azure’s West Europe region, caused by a cooling system fault, triggered hardware shutdowns, took storage units offline, and resulted in broader service disruption across VMs, databases, and Azure Kubernetes Service, even impacting dependent services in other Availability Zones. This serves as a reminder that zone redundancy alone isn’t going to be enough when underlying storage fabrics or control-plane dependencies span availability zones. If your replication strategy still relies on locally-redundant storage (LRS) within a single zone, or even multiple zones in the same region, you're exposed to environmental failures like this.

    As organizations migrate more critical workloads to the cloud, now is the moment to revisit resilient architecture. Invest in services that span multiple regions to avoid this kind of exposure, and test failover under realistic conditions, so that teams can build muscle memory and expose unexpected dependencies.

    https://lnkd.in/eUsDQ-gH
    https://lnkd.in/eBz8J3kD

  • View profile for Elli Shlomo

    Security Researcher @ Guardz | Identity Hijacking · AI Exploitation · Cloud Forensics | AI-Native | MS Security MVP

    51,827 followers

    Adversaries are watching. Are you ready? Azure OpenAI from an Attacker's Perspective.

    As defenders strengthen their cloud defenses, adversaries analyze the same architectures to find gaps to exploit. Let’s take a quick look at Azure OpenAI Service—a goldmine for both innovation and potential missteps.

    What Stands Out for an Attacker?
    1️⃣ Data Residency & Isolation: While data remains customer-controlled and may be double encrypted, attackers might target storage misconfigurations in the Assistants / Batch services, where prompts and completions reside temporarily. Weak RBAC configurations could expose sensitive files and logs stored in these areas.
    2️⃣ Sandboxed Code Interpreter: The isolated environment ensures secure code execution, but attackers might attempt to exploit vulnerabilities in sandbox boundaries or inject malicious payloads to gain access to sensitive data during runtime.
    3️⃣ Asynchronous Abuse Monitoring: It is a critical component for detecting misuse but also a potential data-retention bottleneck. Attackers may target monitoring APIs or exploit the X-day retention to obscure their tracks or hijack historical prompts for sensitive insights.
    4️⃣ Fine-Tuning Workflows: Customers love the exclusivity of fine-tuned models, but attackers could leverage phishing attacks to hijack API keys or access fine-tuning data that resides in storage. Compromising a fine-tuned model could reveal proprietary insights or customer IP.
    5️⃣ Batch API Vulnerabilities: With batch processing in preview, this could be a point of weakness for bulk data manipulation attacks or injection-based techniques. Monitoring batch jobs for anomalies is crucial.

    As enterprises adopt Azure OpenAI Service to supercharge their operations, it is critical to stay ahead of evolving attacker techniques. Every layer of this architecture—from encrypted storage to sandboxed environments—presents opportunities and challenges. For defenders, understanding these risks is the first step in hardening the fortress. #security #artificialintelligence #cloudsecurity

  • View profile for Renganathan P

    Helping Startups Find their Security Vulnerabilities | Founder @ R Protocols | Ethical Hacker | Secured Apple, AWS, Google, LinkedIn | Speaker

    9,194 followers

    From a simple SMS to exposing patients' invoices - Cloud Security in hospitals.

    During a visit to a hospital, after my appointment, I received a physical invoice, and an e-bill was sent to my phone via a system-generated SMS. The SMS included a link that, when clicked, downloaded my bill directly to my device. I started to investigate how it works and was shocked by the results!

    The link in the SMS was a long URL, seemingly auto-generated by the SMS provider. It redirected to an AWS S3 bucket link managed by the hospital. However, the file name was a simple, consecutive 6-digit number followed by ".pdf"—no signature token, no authentication required. This meant that anyone with the knowledge could easily manipulate the URL to download other patients' bills, completely bypassing authentication. A serious breach of privacy!

    Key Takeaways:
    - Always use hashed filenames that aren’t predictable to prevent unauthorized access.
    - Implement file signatures and ensure they match only the files intended for specific users.
    - Secure your cloud policies and IAM settings to restrict access to sensitive data.

    #Cybersecurity #Infosec #DataPrivacy #cloudsecurity
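The first two takeaways above (unpredictable file names and a per-user signature on the link) are easy to state and easy to get subtly wrong, so here is an added example of both, written for this page and not taken from the hospital's system or any vendor. It generates object keys from 128 bits of randomness and issues download links carrying an expiring HMAC over the object key, the owner's id and the expiry, which the download endpoint verifies before serving anything. The host name, signing key and patient ids are constructed placeholders; in production the same property is usually obtained from the storage provider's presigned URLs, with the provider doing the signing.

```python
"""Unguessable object keys plus signed, expiring download links.

Added example, not the hospital's or any vendor's code. It shows the two
takeaways from the post: object names that cannot be enumerated, and a
per-user signature that the download endpoint verifies before serving the
file. Host name, signing key and ids are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

HOST = "https://bills.example.invalid"                  # placeholder host
SIGNING_KEY = b"placeholder-32-byte-secret-rotate-me!!"  # placeholder; load from a secret store


def new_invoice_key() -> str:
    """128 random bits: unrelated to the previous invoice, so no URL walking."""
    return f"invoices/{secrets.token_urlsafe(16)}.pdf"


def _signature(key: bytes, object_key: str, patient_id: str, expires: int) -> str:
    """HMAC over everything the endpoint will trust: object, owner, expiry."""
    msg = f"{object_key}\n{patient_id}\n{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_download_url(object_key: str, patient_id: str, ttl: int = 900,
                      now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Issue a link valid for `ttl` seconds for exactly this patient and object."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = _signature(key, object_key, patient_id, expires)
    return f"{HOST}/{object_key}?pid={patient_id}&exp={expires}&sig={sig}"


def verify_download_url(url: str, requesting_patient: str,
                        now: Optional[int] = None, key: bytes = SIGNING_KEY) -> bool:
    """True only if the link is unexpired, untampered and belongs to the caller."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        pid, exp, sig = qs["pid"][0], int(qs["exp"][0]), qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if pid != requesting_patient or now > exp:
        return False
    object_key = parsed.path.lstrip("/")
    expected = _signature(key, object_key, pid, exp)
    # constant-time comparison so response timing does not leak the signature
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = new_invoice_key()
    link = make_download_url(key, "P-1")
    print(link)
    print("owner can fetch:", verify_download_url(link, "P-1"))
    print("someone else   :", verify_download_url(link, "P-2"))
```

Two design points worth noting: the signature covers the object key and the patient id together, so changing either one in the URL invalidates it (the exact manipulation the post describes), and the random key alone is not the protection, only a hedge; the signed link is what enforces "this file for this user, until this time".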

  • View profile for Rohit Tamma

    Breaking Down Cybersecurity & AI Attacks in Simple Words | Enterprise Security @ Google

    20,271 followers

    Last week, a simple vulnerability in DeepSeek led to exposure of over 1 million chat records! An attacker could have easily exploited this to gain full database control and escalate privileges. I said 'could have'—because this flaw was caught by Wiz Research before any known exploitation. Here’s how the researcher (acting as an “attacker” in this case) uncovered it:

    Attack Flow:
    1) Attacker starts by mapping DeepSeek’s public domains > discovers 30 internet-facing subdomains.
    2) Attacker now starts scanning for non-standard open ports on these domains > Bingo! Detects 2 unusual open ports (8123 & 9000) on hxxp[://]oauth2callback[.]deepseek[.]com
    3) Attacker investigates further > Identifies these ports lead to database access without any authentication! > The database is ClickHouse, commonly used for real-time data processing.
    4) Attacker simply appends "/path" to the URL (this is the standard path that allows direct execution of SQL queries via browser with ClickHouse) > Returns a full list of accessible datasets > "log_stream" table contained over 1 million log entries that had chat history, API keys etc. (Pls see image I attached for easy understanding. Credits to Wiz)

    A Few Thoughts:
    1) If you think about it, a simple misconfiguration on a single cloud asset could easily lead to a massive breach of your entire company's data! All an attacker needs to do is find that one simple mistake. That’s the asymmetry in cybersecurity.
    2) Cloud misconfigurations are everywhere. Why? A few reasons:
    --> A developer assumes cloud services have secure config by default. But several services require manual config post creation to restrict access.
    --> A developer enables broad access during testing as a quick workaround but forgets to remove it. The same config goes into production.
    --> A developer creates cloud resources without proper IT and Security team's oversight (aka Shadow IT problem).
    So, yes, this problem is dependent on solving many other systemic issues such as security hygiene, default access control policies, gating testing to production changes and so on.
    3) But consider this for a second: It is your database. It is you who enabled the unauthenticated access. But someone else found out about it before you did. How? Because they were ready for it.
    4) If an attacker can continuously scan your IPs, subdomains and identify accidentally exposed databases, you should be able to do that too. In fact, with the level of control and visibility you have on your assets, you should be able to do that before they do.
    5) Build the security capability to automatically identify your company's public assets, scan them for ‘anonymous access’ and respond rapidly for the identified cases. Beat attackers at their own game.

    If you enjoyed this or learned something, follow me at Rohit Tamma for more in future! #cybersecurity #applicationsecurity #threatdetection #informationsecurity #infosec #cloudsecurity
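Point 5 above asks for a capability that finds your own exposed data stores before an outsider does. The inside-out version of that check, which needs no network scanning at all, is to look at what each host is actually listening on. The script below is an added example (not code from the post or from Wiz) that parses Linux `ss -ltn` output and flags well-known data-store ports, including the two ClickHouse ports named in the post, that are bound to a wildcard address. The sample output is constructed; the port-to-service table is an assumption to extend for your own stack, and 9000 in particular is shared with other software, so a hit is a prompt to verify which service owns the socket and whether it enforces authentication, not a verdict.

```python
"""Find database/admin services listening on every interface.

Added example, not code from the post or from Wiz. It parses `ss -ltn`
output (Linux) and flags well-known data-store ports bound to a wildcard
address: the host-side counterpart of the external scan described above.
The sample output below is constructed.
"""

# Port -> service the port usually belongs to (assumed table; extend it).
# 9000 is also used by other software (e.g. MinIO, php-fpm), so treat the
# label as a hint to verify, not a conclusion.
DATA_STORE_PORTS = {
    8123: "ClickHouse HTTP",
    9000: "ClickHouse native",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch/OpenSearch",
    27017: "MongoDB",
}

# Local addresses that mean "every interface", IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def parse_ss_listeners(ss_output: str):
    """Yield (local_address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        local = fields[3]
        addr, _, port = local.rpartition(":")  # handles "[::]:9000" and "*:22"
        if not port.isdigit():
            continue
        yield addr, int(port)


def find_exposed_data_stores(ss_output: str):
    """Return [(port, service, address)] for data-store ports open on all interfaces."""
    hits = []
    for addr, port in parse_ss_listeners(ss_output):
        if port in DATA_STORE_PORTS and addr in WILDCARD_ADDRS:
            hits.append((port, DATA_STORE_PORTS[port], addr))
    return sorted(hits)


# Constructed sample: two ClickHouse ports and Redis bound to all interfaces,
# PostgreSQL correctly bound to loopback, sshd on 22 (not a data store).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096           0.0.0.0:8123         0.0.0.0:*
LISTEN  0       4096              [::]:9000            [::]:*
LISTEN  0       128          127.0.0.1:5432         0.0.0.0:*
LISTEN  0       511            0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    for port, service, addr in find_exposed_data_stores(SAMPLE_SS_OUTPUT):
        print(f"{service} ({port}) listening on {addr}: "
              "confirm authentication is enforced or bind it to a private interface")
```

Run it from a configuration-management or EDR job that already collects `ss` output, and route hits to the same place as the external asset-discovery scans the post recommends; a port that appears here but not in the external scan is still a finding, because a security group or firewall rule is the only thing keeping it private.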

  • View profile for Pavan E.

    VP, Risk & Security GTM at ServiceNow

    4,429 followers

    🔍 From CVEs to Exposure Intelligence -- A Technical Model for Risk-Based Vulnerability Management

    The traditional CVSS-based approach is no match for today’s attack surfaces. A modern exposure management strategy must integrate telemetry, threat intel, and control-plane signals to defend against adversaries who chain misconfigs, stale privileges, and unpatched services. Here’s a breakdown of key InfoSec risks—and technically grounded remediations:

    🔴 Risk #1: CVE overload with no context-aware prioritization
    🟢 Remediation:
    - Implement exploitability filters using threat intelligence feeds (e.g., Exploit-DB, CISA KEV, Mandiant TI).
    - Use EPSS (Exploit Prediction Scoring System) and MITRE ATT&CK mapping for attacker-centric triage.
    - Weight vulns by asset criticality using tagging (e.g., public-facing, prod, regulated).

    🔴 Risk #2: Fragmented visibility across hybrid/cloud environments
    🟢 Remediation:
    - Aggregate telemetry from EDR (e.g., osquery, Sysmon), CSPM tools, and IAM logs.
    - Build an exposure graph to visualize relationships between identities, misconfigs, and data stores.
    - Continuously scan for unknown/rogue assets across on-prem and cloud.

    🔴 Risk #3: Configuration drift and unmonitored assets
    🟢 Remediation:
    - Use IaC drift detection (e.g., driftctl, AWS Config) to catch unintended changes.
    - Enforce compliance-as-code using CIS/NIST baselines with automated remediation pipelines.
    - Align infrastructure with source-of-truth inventories (CMDB, IaC repos).

    🔴 Risk #4: Disconnected workflows between security and IT/DevOps
    🟢 Remediation:
    - Shift security left using tools like Trivy, Checkov, or GitHub Actions in CI/CD.
    - Pipe exposure insights directly into ITSM platforms (e.g., Jira, ServiceNow).
    - Use policy-as-code (OPA, Rego) to enforce guardrails without manual approvals.

    🔴 Risk #5: Alert noise with no correlation to real risk
    🟢 Remediation:
    - Enrich findings with identity posture (e.g., dormant admin accounts), open ports, and data classification.
    - Use attack path analysis to correlate and score multi-step exposures.
    - Prioritize remediation based on blast radius and business impact, not just vuln count.

    📌 Exposure management isn’t about more alerts—it’s about graph-driven visibility, risk-aligned prioritization, and automation-first remediation. This isn’t just a shift in tooling—it’s a shift in mindset. The future of InfoSec lies in exposure-centric, not alert-centric defense.

    📖 Learn more: 👉 https://lnkd.in/gPJtATGu

    #InfoSec #CyberSecurity #ExposureManagement #SecurityEngineering #ThreatModeling #CloudSecurity #AttackSurfaceReduction #RiskBasedSecurity #DevSecOps #SecurityArchitecture #BlueTeamOps #MITREATTACK
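Risk #1 above lists the inputs for attacker-centric triage (CVSS, EPSS, KEV membership, asset criticality tags) without showing how they combine, so here is an added example of one such scoring function, written for this page and not taken from the post or any product. It ranks a set of findings and shows how the order differs from sorting on CVSS alone: a 7.5 on a public, production asset that is in KEV with a high EPSS outranks two 9.8s on internal hosts. The weights, CVE ids and assets are this example's own assumptions and constructed placeholders.

```python
"""Risk-based triage: rank findings by exposure, not by CVSS alone.

Added example, not code from the post. It combines the signals the post
lists (CVSS base score, EPSS probability, CISA KEV membership and asset
criticality tags) into one score. Weights are assumed values chosen for
illustration; CVE ids and asset names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # CVSS base score, 0-10
    epss: float        # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str
    tags: frozenset    # asset tags such as public-facing, prod, regulated


# Multiplier per asset tag (assumed values); unknown tags are neutral.
TAG_WEIGHT = {"public-facing": 2.0, "prod": 1.5, "regulated": 1.5}


def priority_score(f: Finding) -> float:
    """Score = normalised CVSS x exploitability x KEV boost x asset weight."""
    severity = f.cvss / 10.0
    exploitability = 1.0 + 2.0 * f.epss      # 1x at EPSS 0, up to 3x at EPSS 1
    kev_boost = 1.5 if f.in_kev else 1.0     # known exploited: always moves up the queue
    asset_weight = 1.0
    for tag in f.tags:
        asset_weight *= TAG_WEIGHT.get(tag, 1.0)
    return round(severity * exploitability * kev_boost * asset_weight, 3)


def triage(findings, min_epss=0.0):
    """Findings ordered by score; those under an EPSS floor are dropped unless in KEV."""
    kept = [f for f in findings if f.in_kev or f.epss >= min_epss]
    return sorted(kept, key=priority_score, reverse=True)


def by_cvss(findings):
    """The traditional ordering, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings (placeholder CVE ids).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False, "dev-build-box", frozenset({"dev"})),
    Finding("CVE-EXAMPLE-B", 7.5, 0.90, True, "api-gateway", frozenset({"public-facing", "prod"})),
    Finding("CVE-EXAMPLE-C", 9.8, 0.05, False, "internal-erp", frozenset({"prod"})),
    Finding("CVE-EXAMPLE-D", 5.3, 0.001, False, "wiki", frozenset()),
]

if __name__ == "__main__":
    print("CVSS order:", [f.cve for f in by_cvss(SAMPLE)])
    print("Risk order:", [(f.cve, priority_score(f)) for f in triage(SAMPLE)])
```

The `min_epss` floor is how the post's "exploitability filter" fits in: with a floor of 0.1, only the KEV-listed finding survives from this sample, which is the backlog a small team can actually work through first. Tune the multipliers against your own incident history rather than keeping the illustrative values.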

  • View profile for Nathaniel Alagbe CISA CISM CISSP CRISC CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | I Help Organizations Turn Complex Risk into Executive-Ready Intelligence.

    20,986 followers

    Dear Business & IT Audit Leaders,

    Cloud environments are not inherently secure. They are only as resilient as the questions we ask. As a cybersecurity audit leader, I don’t begin any cloud assessment without interrogating the architecture through 8 critical dimensions. These aren’t just technical checks, they’re strategic filters that reveal business risk, regulatory exposure, and operational blind spots. Whether you're migrating, auditing, or optimizing your cloud stack, these questions reveal the real posture of your environment. They cut through vendor promises and dashboards to expose what matters: risk, resilience, and regulatory readiness.

    Here’s the framework I use to guide CISOs, CTOs, and audit teams:

    📌 Business Purpose & Data Sensitivity: Every cloud asset must be mapped to its business function and data classification. If you don’t understand the value and risk of what’s hosted, you’re auditing in the dark.
    📌 Cloud Service Model & Deployment Type: IaaS, PaaS, SaaS, and Public, Private, Hybrid, each shift the shared responsibility model. Misidentifying this leads to control gaps and audit failures.
    📌 Identity, Access & Privileged Account Management: IAM policies, MFA enforcement, and least privilege aren’t optional, they’re the backbone of cloud security. I assess not just design, but operational discipline.
    📌 Encryption at Rest & In Transit: I validate cryptographic standards, key lifecycle management, and segregation of duties. Weak encryption is a silent breach waiting to happen.
    📌 Network & Perimeter Defense: Firewalls, segmentation, and intrusion prevention must be tested for effectiveness, not just existence. I look for real-world resilience, not checkbox compliance.
    📌 Vulnerability Management & Threat Detection: Scanning cadence, patch velocity, and incident response maturity determine whether threats are contained or compounded. I benchmark against threat intelligence and business risk.
    📌 Business Continuity & Disaster Recovery Validation: RTO/RPO metrics are meaningless without tested recovery capabilities. I simulate failure scenarios to assess readiness under pressure.
    📌 Regulatory Compliance & Governance Frameworks: From HIPAA to NIST to ISO 27001, I verify not just policy alignment but operational execution. Governance must be embedded, not just documented.

    These 8 dimensions form the backbone of my cloud audit methodology. They help organizations move from reactive security to proactive resilience. If you're leading cloud transformation, audit readiness, or cybersecurity strategy, this is where your assessment should begin.

    Let’s discuss: Which of these questions do you think is most overlooked in your organization?

    #CloudSecurity #CyberAudit #ITAudit #AIaudit #RiskManagement #CloudSecurityRisk #CyVerge #CloudSecurityAudit #Cyberverge #Governance #CloudResilience #CloudGovernance

  • View profile for Keith King

    Former White House Lead Communications Engineer, U.S. Dept of State, and Joint Chiefs of Staff in the Pentagon. Veteran U.S. Navy, Top Secret/SCI Security Clearance. Over 14,000+ direct connections & 40,000+ followers.

    39,999 followers

    VMware Hyperjacking Vulnerabilities: A Critical Threat to Virtual Environments

    Introduction: A Major Security Risk in Virtualized Systems
    Three newly discovered critical vulnerabilities in VMware’s virtual machine (VM) products have raised serious security concerns. These flaws enable hyperjacking attacks, where a hacker who compromises a single VM can take control of the hypervisor, gaining access to all other VMs on the system. Given VMware’s widespread use in enterprise, government, and cloud environments, the risks posed by these vulnerabilities are severe.

    Key Details: How Hyperjacking Works
    • Exploiting Virtual Machine Escape:
      • Virtual machines (VMs) typically operate in isolated environments to protect customer data and networks.
      • A hypervisor manages these VMs, ensuring they remain separate from one another.
      • The discovered vulnerabilities allow an attacker to break out of an isolated VM and seize control of the hypervisor, giving them full access to all VMs on that host.
    • Why This Attack Is So Dangerous:
      • Once the hypervisor is compromised, the attacker can access or manipulate all customer data stored in connected VMs.
      • Multi-tenant cloud environments (where multiple organizations share infrastructure) are especially vulnerable.
      • The breach eliminates traditional security boundaries, allowing attackers to move laterally across networks.
    • Security Expert Warning:
      • Researcher Kevin Beaumont emphasized that once a hypervisor is compromised, “all bets are off”, meaning traditional security protections become ineffective.
      • A successful attack could provide hackers with full administrative control over an entire virtualized infrastructure.

    Why It Matters: The Broader Implications
    • Enterprise and Cloud Security at Risk: Businesses, government agencies, and cloud service providers relying on VMware-based virtualization could see catastrophic breaches.
    • Potential for Espionage and Ransomware Attacks: Threat actors could steal sensitive data, install persistent backdoors, or deploy ransomware across an organization’s entire virtual infrastructure.
    • Urgent Need for Patching and Mitigation: Organizations using VMware virtual machines should immediately apply patches and review security controls to limit the blast radius of a potential breach.

    With virtualization technology forming the backbone of modern IT infrastructure, these VMware vulnerabilities highlight the growing risks in cloud and enterprise security. As hyperjacking attacks become more sophisticated, robust defenses, rapid patching, and proactive threat detection are essential to mitigating the threat.

  • View profile for Anthony Esposito

    Chief Information Security Officer at McKinsey & Company

    3,672 followers

    Security researchers from Sysdig recently discovered that hackers are using a novel method of exploiting cloud computing accounts by deploying virtual machines to participate in a blockchain-based content delivery service, circumventing traditional restrictions on cryptocurrency mining based on CPU and RAM usage by focusing on storage space and bandwidth. Researchers discovered an attack campaign where 6,000 micro instances were spawned across various AWS regions from a compromised account to engage in the Meson Network, gaining initial access to servers through known vulnerabilities in the Laravel PHP framework and WordPress misconfigurations. Detection methods advised by researchers include monitoring traffic spikes, storage usage, outbound connections, and anomalous AWS activity. This finding underscores the evolving tactics of hackers seeking to monetize compromised systems—reminiscent of previous incidents like proxyjacking reported by Akamai researchers. #Cybersecurity #CyberCrime #CloudSecurity #Blockchain
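The post's detection advice ends with "anomalous AWS activity", and the campaign it describes (thousands of micro instances spawned across regions from one compromised account) is a good fit for a simple CloudTrail rule. The script below is an added example, not Sysdig's detection and not code from the post: it groups `RunInstances` events by calling principal and raises one alert when a principal requests more than a threshold of instances, or spreads launches across several regions, inside a short sliding window. The events are constructed to resemble CloudTrail records (only the fields the rule reads are included), the principal ARNs are placeholders, and the thresholds are assumptions to tune per account.

```python
"""Detect bursts of EC2 instance launches in CloudTrail-style events.

Added example, not Sysdig's detection or code from the post. It implements
one rule for the "anomalous AWS activity" the post recommends watching: a
single principal launching an unusual number of instances, or launching in
several regions, within a short window. Events are constructed to resemble
CloudTrail RunInstances records; thresholds are assumptions to tune.
"""
from collections import Counter
from datetime import datetime, timedelta


def _launched(event):
    """Instances requested by one RunInstances call (sum of maxCount over items)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items) or 1


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_launch_bursts(events, window=timedelta(minutes=10),
                         max_instances=100, max_regions=3):
    """Return one alert per principal whose RunInstances calls exceed a threshold
    inside any sliding window of length `window`."""
    launches = sorted((e for e in events if e.get("eventName") == "RunInstances"), key=_ts)
    by_principal = {}
    for e in launches:
        by_principal.setdefault(e["userIdentity"]["arn"], []).append(e)

    alerts = []
    for arn, evs in by_principal.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if _ts(e) - _ts(start) <= window]
            instances = sum(_launched(e) for e in in_window)
            regions = Counter(e["awsRegion"] for e in in_window)
            if instances >= max_instances or len(regions) >= max_regions:
                alerts.append({
                    "principal": arn,
                    "instances": instances,
                    "regions": sorted(regions),
                    "window_start": start["eventTime"],
                    "reason": "instance count" if instances >= max_instances else "region spread",
                })
                break  # one alert per principal is enough to page on
    return alerts


def _run(arn, when, region, count, itype="t3.micro"):
    """Build one constructed RunInstances-style event."""
    return {
        "eventName": "RunInstances", "eventTime": when, "awsRegion": region,
        "userIdentity": {"arn": arn},
        "requestParameters": {"instanceType": itype,
                              "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}},
    }


COMPROMISED = "arn:aws:iam::000000000000:user/ci-bot"                   # placeholder
DEPLOY_ROLE = "arn:aws:sts::000000000000:assumed-role/deploy/pipeline"  # placeholder

# Constructed sample: 7 launches of 50 micro instances across 4 regions in
# 6 minutes from one key, one normal 2-instance deploy, one read-only call.
SAMPLE_EVENTS = [
    _run(COMPROMISED, "2024-03-01T02:00:00Z", "us-east-1", 50),
    _run(COMPROMISED, "2024-03-01T02:01:00Z", "us-west-2", 50),
    _run(COMPROMISED, "2024-03-01T02:02:00Z", "eu-west-1", 50),
    _run(COMPROMISED, "2024-03-01T02:03:00Z", "ap-southeast-1", 50),
    _run(COMPROMISED, "2024-03-01T02:04:00Z", "us-east-1", 50),
    _run(COMPROMISED, "2024-03-01T02:05:00Z", "us-west-2", 50),
    _run(COMPROMISED, "2024-03-01T02:06:00Z", "eu-west-1", 50),
    _run(DEPLOY_ROLE, "2024-03-01T02:03:30Z", "us-east-1", 2, "m6i.large"),
    {"eventName": "DescribeInstances", "eventTime": "2024-03-01T02:07:00Z",
     "awsRegion": "us-east-1", "userIdentity": {"arn": DEPLOY_ROLE}},
]

if __name__ == "__main__":
    for alert in detect_launch_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting `maxCount` rather than API calls matters because one `RunInstances` call can ask for many instances, so a call-count rule alone under-reads the burst. The region-spread condition is the cheaper signal: most deploy pipelines launch in one or two regions, while the campaign in the post deliberately spread across many, and per-region service quotas would otherwise hide the total from a single-region view.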
