Key Vulnerabilities in Cloud Services

Summary

Key vulnerabilities in cloud services refer to weaknesses or misconfigurations in cloud-based platforms that can expose sensitive information, disrupt operations, or allow unauthorized access. Many incidents are caused by simple errors like overly broad permissions, poorly protected storage, or insufficient security checks—making cloud security everyone's responsibility.

  • Review access controls: Regularly check who has permission to view or modify your cloud files and limit access to only those who need it.
  • Monitor storage settings: Set up alerts and frequent scans to spot misconfigured storage or exposed data before it becomes a problem.
  • Test for resilience: Make sure your backup and failover strategies are designed across multiple regions, not just zones, to handle outages or disruptions.
Summarized by AI based on LinkedIn member posts
  • Yew Jin Kang

    Banking Chief Technology Officer | IDG/Foundry CIO100 | Solution Architect | Cloud | Artificial Intelligence Enthusiast | Comics Collector | Toy Photography

    This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom", i.e. credentials, API keys, and tokens that can lead to a much wider breach.

    How do we protect ourselves against these costly mistakes? Suggestions:
    1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management -> a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services.
    2. Least Privilege Access: Default to private. Grant access sparingly.
    3. Data Encryption: For data at rest and in transit.
    4. Automated Alerts: The moment something becomes public, you should know.
    5. Regular Audits: Regularly review access controls and rotate secrets.

  • Deepak Agrawal

    Founder & CEO @ Infra360 | DevOps, FinOps & CloudOps Partner for FinTech, SaaS & Enterprises

    What’s the worst cloud security mistake you’ve seen? I’ll go first.

    A fintech startup I consulted for had exposed AWS S3 buckets, publicly accessible. And guess what?
    ☠️ It had customer transaction data.
    ☠️ Nobody noticed until a security researcher flagged it on Twitter.
    ☠️ By then, petabytes of sensitive data had already been scraped.

    The damage? Regulatory fines, customer trust shattered, and a PR nightmare.

    The worst part?
    ☠️ They weren’t even aware of who had access to what.
    ☠️ Their cloud environment was a wild west of permissions, IAM roles stacked on IAM roles, and nobody dared to clean up.

    Here’s a painful reality:
    🚨 80% of cloud breaches happen due to misconfigurations.
    🚨 90% of companies over-provision permissions.
    🚨 70% of cloud workloads have at least one high-risk vulnerability.

    ↳ I’ve seen massive enterprises running root-level access on production.
    ↳ I’ve seen API keys hardcoded in GitHub repos.
    ↳ I’ve seen companies assume “our cloud provider takes care of security”, until their data is sold on the dark web.

    Cloud security isn’t a set-and-forget thing. It’s your responsibility.
    ✅ Do you have a clean IAM policy?
    ✅ Are your secrets vaulted, not hardcoded?
    ✅ Are you scanning for misconfigurations weekly?
    ✅ Are your access logs even being monitored?

    Security is boring, until it’s catastrophic. What’s the worst cloud security mistake you’ve seen? Drop your horror stories below. Let’s make sure others don’t repeat them.
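
Both posts above come down to the same two policy documents being wrong: a bucket policy that hands read access to the world, and an identity policy that is nowhere near least privilege. The following is an added example, written for this page rather than taken from either author, that checks both offline. It reads the JSON you would get back from `aws s3api get-bucket-policy` or `aws iam get-policy-version`; the bucket name, VPC endpoint id and statement ids in the sample documents are constructed.

```python
"""Offline policy checks: a bucket policy anyone can read, and an identity
policy that is effectively admin. Standard library only."""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for the spellings that mean 'any caller, anonymous included'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_grants(bucket_policy: dict) -> list:
    """Every Allow statement a resource policy hands to the world. A Condition
    only downgrades the finding to 'review': aws:SourceIp or aws:SourceVpce
    genuinely restricts, but a condition any caller can satisfy does not."""
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


def overprivileged_grants(identity_policy: dict) -> list:
    """Allow statements that are effectively admin: '*' or 'service:*' actions
    on Resource '*', and NotAction (everything except the listed actions)."""
    findings = []
    for stmt in _as_list(identity_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "")
        if "NotAction" in stmt:
            findings.append({"sid": sid, "reason": "NotAction grants everything not listed"})
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to specific ARNs; outside this check's remit
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append({"sid": sid, "reason": "full admin: Action * on Resource *"})
        elif any(a.endswith(":*") for a in actions):
            wide = [a for a in actions if a.endswith(":*")]
            findings.append({"sid": sid, "reason": "service-wide wildcard on Resource *: " + ", ".join(wide)})
    return findings


# Constructed sample documents (bucket name, VPC endpoint id and sids are made up).
PUBLIC_READ_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-db-backups", "arn:aws:s3:::example-db-backups/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]}""")

DEV_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "QuickFix", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Storage", "Effect": "Allow", "Action": ["s3:*", "sqs:SendMessage"], "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"}
  ]}""")

if __name__ == "__main__":
    for f in public_grants(PUBLIC_READ_BUCKET_POLICY):
        print("bucket policy:", f)
    for f in overprivileged_grants(DEV_ROLE_POLICY):
        print("identity policy:", f)
```

The "review" severity is deliberate: a Principal of "*" behind a `Condition` is how VPC-endpoint-only and CloudFront-only buckets are written, so it needs a human look rather than an automatic pass or fail. Account-level S3 Block Public Access sits above all of this and is the control to turn on first; this script is for the accounts where it cannot be.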

  • Elli Shlomo

    Offensive research at the intersection of AI, identity, cloud, and attacker tradecraft | Head of Security Research at Guardz | 10x Microsoft Security MVP

    Adversaries are watching. Are you ready? Azure OpenAI from an Attacker's Perspective.

    As defenders strengthen their cloud defenses, adversaries analyze the same architectures to find gaps to exploit. Let’s take a quick look at Azure OpenAI Service—a goldmine for both innovation and potential missteps.

    What Stands Out for an Attacker?
    1️⃣ Data Residency & Isolation: While data remains customer-controlled and may be double encrypted, attackers might target storage misconfigurations in the Assistants / Batch services, where prompts and completions reside temporarily. Weak RBAC configurations could expose sensitive files and logs stored in these areas.
    2️⃣ Sandboxed Code Interpreter: The isolated environment ensures secure code execution, but attackers might attempt to exploit vulnerabilities in sandbox boundaries or inject malicious payloads to gain access to sensitive data during runtime.
    3️⃣ Asynchronous Abuse Monitoring: It is a critical component for detecting misuse but also a potential data-retention bottleneck. Attackers may target monitoring APIs or exploit the X-day retention to obscure their tracks or hijack historical prompts for sensitive insights.
    4️⃣ Fine-Tuning Workflows: Customers love the exclusivity of fine-tuned models, but attackers could leverage phishing attacks to hijack API keys or access fine-tuning data that resides in storage. Compromising a fine-tuned model could reveal proprietary insights or customer IP.
    5️⃣ Batch API Vulnerabilities: With batch processing in preview, this could be a point of weakness for bulk data manipulation attacks or injection-based techniques. Monitoring batch jobs for anomalies is crucial.

    As enterprises adopt Azure OpenAI Service to supercharge their operations, it is critical to stay ahead of evolving attacker techniques. Every layer of this architecture—from encrypted storage to sandboxed environments—presents opportunities and challenges. For defenders, understanding these risks is the first step in hardening the fortress. #security #artificialintelligence #cloudsecurity

  • Renganathan P

    Founder at R Protocols | Ethical Hacker | Helping startups find real security vulnerabilities | Secured Google, AWS, Apple, LinkedIn | Speaker

    From a simple SMS to exposing patients' invoices: Cloud Security in hospitals.

    During a visit to a hospital, after my appointment, I received a physical invoice, and an e-bill was sent to my phone via a system-generated SMS. The SMS included a link that, when clicked, downloaded my bill directly to my device. I started to investigate how it works and was shocked by the results!

    The link in the SMS was a long URL, seemingly auto-generated by the SMS provider. It redirected to an AWS S3 bucket link managed by the hospital. However, the file name was a simple, consecutive 6-digit number followed by ".pdf"—no signature token, no authentication required. This meant that anyone with the knowledge could easily manipulate the URL to download other patients' bills, completely bypassing authentication. A serious breach of privacy!

    Key Takeaways:
    - Always use hashed filenames that aren’t predictable to prevent unauthorized access.
    - Implement file signatures and ensure they match only the files intended for specific users.
    - Secure your cloud policies and IAM settings to restrict access to sensitive data.
    #Cybersecurity #Infosec #DataPrivacy #cloudsecurity
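
The two takeaways above, unpredictable object names and per-link signatures, are shown together in the following added example (written for this page, not the author's code). It contrasts the enumerable sequential key with a random key plus a signed, expiring download link and the server-side check that refuses tampered or stale links. The signature is a generic HMAC over (method, key, expiry) so the example runs offline; for a real S3 bucket the SDK's presigned URLs do the same job with SigV4. The bucket hostname and invoice numbers are constructed.

```python
"""Sequential object keys are enumerable; unguessable keys plus short-lived
signed links are not. Standard library only."""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://example-hospital-bills.s3.amazonaws.com"  # constructed bucket name


# --- the scheme in the post: key = consecutive 6-digit invoice number ---------
def sequential_key(invoice_no: int) -> str:
    return f"{invoice_no:06d}.pdf"


def neighbouring_keys(observed_key: str, span: int = 2) -> List[str]:
    """What an attacker does with the one link they were sent: guess the rest."""
    n = int(observed_key[:-len(".pdf")])
    return [sequential_key(i) for i in range(n - span, n + span + 1) if i != n and i >= 0]


# --- the fix: unguessable key + signed, expiring link -------------------------
def random_key() -> str:
    """128 bits from the OS CSPRNG: not enumerable, and carries no patient data."""
    return secrets.token_urlsafe(16) + ".pdf"


def _mac(secret: bytes, key: str, expires: int) -> str:
    # Method, key and expiry are all covered, so none of them can be swapped.
    return hmac.new(secret, f"GET\n{key}\n{expires}".encode(), hashlib.sha256).hexdigest()


def make_signed_url(key: str, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{BASE_URL}/{key}?" + urlencode({"Expires": expires, "Signature": _mac(secret, key, expires)})


def verify_signed_url(url: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC for the key actually requested and compare
    in constant time; anything expired, unsigned or re-pointed is refused."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    return hmac.compare_digest(_mac(secret, parsed.path.lstrip("/"), expires), signature)


if __name__ == "__main__":
    print("one observed link gives an attacker:", neighbouring_keys("123457.pdf"))
    secret = secrets.token_bytes(32)  # stays on the server
    key = random_key()
    url = make_signed_url(key, secret, ttl_seconds=600)
    print("patient link :", url)
    print("genuine      :", verify_signed_url(url, secret))
    print("re-pointed   :", verify_signed_url(url.replace(key, random_key()), secret))
    print("after expiry :", verify_signed_url(url, secret, now=int(time.time()) + 601))
```

Note that the random key alone is not enough: the bucket must still be private, otherwise the key is merely hard to guess rather than access-controlled, and a leaked or forwarded link would work forever. The expiry bounds that damage, and the MAC ties the link to exactly one object.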

  • Rohit Tamma

    Breaking Down Cybersecurity & AI Attacks in Simple Words | Enterprise Security @ Google

    Last week, a simple vulnerability in DeepSeek led to exposure of over 1 million chat records! An attacker could have easily exploited this to gain full database control and escalate privileges. I said 'could have'—because this flaw was caught by Wiz Research before any known exploitation. Here’s how the researcher (acting as an “attacker” in this case) uncovered it:

    Attack Flow:
    1) Attacker starts by mapping DeepSeek’s public domains > discovers 30 internet-facing subdomains.
    2) Attacker now starts scanning for non-standard open ports on these domains > Bingo! Detects 2 unusual open ports (8123 & 9000) on hxxp[://]oauth2callback[.]deepseek[.]com
    3) Attacker investigates further > Identifies these ports lead to database access without any authentication! > The database is ClickHouse, commonly used for real-time data processing.
    4) Attacker simply appends "/path" to the URL (this is the standard path that allows direct execution of SQL queries via browser with ClickHouse) > Returns a full list of accessible datasets > "log_stream" table contained over 1 million log entries that had chat history, API keys etc. (Please see the image I attached for easy understanding. Credits to Wiz)

    A Few Thoughts:
    1) If you think about it, a simple misconfiguration on a single cloud asset could easily lead to a massive breach of your entire company's data! All an attacker needs to do is find that one simple mistake. That’s the asymmetry in cybersecurity.
    2) Cloud misconfigurations are everywhere. Why? A few reasons:
    --> A developer assumes cloud services have secure config by default. But several services require manual config post creation to restrict access.
    --> A developer enables broad access during testing as a quick workaround but forgets to remove it. The same config goes into production.
    --> A developer creates cloud resources without proper IT and Security team oversight (aka the Shadow IT problem).
    So, yes, this problem is dependent on solving many other systemic issues such as security hygiene, default access control policies, gating testing to production changes and so on.
    3) But consider this for a second: It is your database. It is you who enabled the unauthenticated access. But someone else found out about it before you did. How? Because they were ready for it.
    4) If an attacker can continuously scan your IPs, subdomains and identify accidentally exposed databases, you should be able to do that too. In fact, with the level of control and visibility you have on your assets, you should be able to do that before they do.
    5) Build the security capability to automatically identify your company's public assets, scan them for ‘anonymous access’ and respond rapidly for the identified cases. Beat attackers at their own game.

    If you enjoyed this or learned something, follow me at Rohit Tamma for more in future! #cybersecurity #applicationsecurity #threatdetection #informationsecurity #infosec #cloudsecurity

  • Zinet Kemal, M.S.c

    Protecting kids & families from cyber threats • Senior Cloud Security Engineer • TEDx Speaker • Multi-award winning cybersecurity practitioner • Author • Instructor AIGP • CCSK • CISA • SecAI+

    2024 State of Cloud Security Study: Key Insights

    A great morning read from Datadog, which ‘analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.’

    ↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
    Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.

    ↗️ Public access blocks on cloud storage increasing -> AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
    Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.

    ↗️ IMDSv2 adoption growing -> AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
    Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.

    ↗️ Managed Kubernetes clusters -> Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
    Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.

    ↗️ 3rd-party integrations pose supply chain risk -> 10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
    Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.

    ↗️ Most cloud incidents caused by compromised cloud credentials -> Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
    Patterns of attack:
    + Compromised identities
    + Escalation via GetFederationToken
    + Service enumeration
    + Reselling access
    + Persistence techniques
    Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
    Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
    Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.

    ↗️ Many cloud workloads are excessively privileged or run in risky configurations -> Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
    Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.

    The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.

    P.S. Use the info to strengthen your org's cloud security posture. Full study report in the comment ⬇️ #cloudsecurity #cloudsec #cybersecurity
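
The first finding above, access keys older than a year and keys that are never used, is something you can measure in your own account from the IAM credential report without any third-party tooling. The following is an added example written for this page (not Datadog's or the author's code). It takes the CSV that `aws iam get-credential-report` returns (after base64-decoding) and flags every active key that is over the age limit, unused for too long, never used, or attached to the root account. The report embedded below is a constructed subset of the real report's columns; user names, the account id and the timestamps are made up.

```python
"""Flag long-lived, unused and root access keys from an IAM credential report.
Standard library only."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Placeholders the real report uses where there is no timestamp.
NO_VALUE = {"", "N/A", "no_information", "not_supported"}


def _ts(value: Optional[str]) -> Optional[datetime]:
    """The report uses ISO-8601 timestamps, or one of the placeholders above."""
    if value is None or value in NO_VALUE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_access_keys(report_csv: str, now: datetime,
                      max_age_days: int = 365, unused_days: int = 90) -> List[dict]:
    """One finding per active key that breaks a rule, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive or absent: nothing to rotate
            rotated = _ts(row.get(f"access_key_{slot}_last_rotated"))
            last_used = _ts(row.get(f"access_key_{slot}_last_used_date"))
            reasons = []
            if row["user"] == "<root_account>":
                reasons.append("root account has an active access key")
            if rotated is not None and now - rotated > timedelta(days=max_age_days):
                reasons.append(f"key age {(now - rotated).days}d exceeds {max_age_days}d")
            if last_used is None:
                reasons.append("key never used")
            elif now - last_used > timedelta(days=unused_days):
                reasons.append(f"unused for {(now - last_used).days}d")
            if reasons:
                findings.append({"user": row["user"], "key": f"access_key_{slot}", "reasons": reasons})
    return findings


# Constructed report: a subset of the real columns, made-up users and dates.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-03-02T09:00:00+00:00,true,2019-03-02T09:00:00+00:00,2025-01-10T08:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T12:00:00+00:00,true,2022-06-01T12:00:00+00:00,2025-01-14T23:59:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-11-20T10:00:00+00:00,true,2024-11-20T10:00:00+00:00,2025-01-12T16:30:00+00:00,true,2024-11-20T10:05:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-07-01T10:00:00+00:00,true,2024-08-01T10:00:00+00:00,2024-09-02T10:00:00+00:00,false,N/A,N/A
"""
REPORT_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)  # when the report was generated

if __name__ == "__main__":
    for f in stale_access_keys(SAMPLE_REPORT, REPORT_TIME):
        print(f"{f['user']:<16} {f['key']}: {'; '.join(f['reasons'])}")
```

The "never used" case matters as much as the old ones: a second key created during a rotation and then forgotten is exactly the kind of credential an attacker can use without anyone noticing a change in behaviour. Running this on a schedule and feeding the output into a ticket is a cheap way to act on the 60% figure quoted above.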

  • Akash Mahajan

    Helping secure your AI Agents, LLM powered apps, Agentic infrastructure

    What Happens When Cloud Misconfigurations Create a Toxic Cloud Triad? Are You at Risk?

    Presenting the "Toxic Cloud Triad". The triple combo of cloud resources that are publicly exposed, critically vulnerable and highly privileged is highly toxic.
    ⛔️ Publicly exposed: Just waiting to be discovered online
    ⛔️ Critically vulnerable: Have issues ready to be hacked
    ⛔️ Highly privileged: Admin access to the cloud account

    When hackers find a cloud resource which has at least two of the three weaknesses they are able to not only hack into the cloud account but quickly steal, compromise, delete data and cause irreparable damage. This according to the Tenable Cloud Risk Report of 2024.
    • 84% of orgs have highly privileged but unused IAM keys
    • 74% of orgs have publicly exposed storage assets
    • 78% of orgs have public Kubernetes API servers
    • 38% of orgs have at least 1 such cloud resource

    The report also highlights an often neglected part of Kubernetes security: anonymous access to the kubelet server. This allows anyone, without authentication, to interact with containers on the node, potentially leading to malicious activities like cryptojacking or data exfiltration.

    Fixing the triad is not that complicated. The challenge remains with the dynamic nature of how most of us run our cloud accounts, constantly changing based on business requirements. A good start is to scan for security misconfigs regularly. Scheduled scans which highlight these issues can help fight the Toxic Cloud Triad.
    #cloudsecurity #cloudrisk #toxiccloud
    ----
    After spending 2 decades offering specialist application and cloud security guidance I firmly believe security needs to be effortless. Follow along as I learn how to build a company in cloud security 🔔
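
Rohit Tamma's point 5 above (scan your own assets for anonymous access before an attacker does) and the anonymous-kubelet finding in this post call for the same tool, so one added example serves both. It is written for this page, not taken from Wiz, Tenable or either author. The fingerprints are the products' own behaviour: the ClickHouse HTTP interface (default port 8123) answers "Ok." to GET / and executes SQL passed in `?query=`, and a kubelet (port 10250) with anonymous authentication enabled returns a PodList from GET /pods. So that the example runs offline it is exercised against a constructed stand-in HTTP server that gives those replies; against real hosts you would feed it the host list from your asset inventory.

```python
"""Asset-side probe for unauthenticated ClickHouse HTTP and kubelet endpoints.
Standard library only; the stand-in server exists only so the demo is offline."""
import http.client
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

SIGNATURES = {
    "clickhouse-http": {"port": 8123, "scheme": "http", "path": "/",
                        "match": lambda body: body.strip() == b"Ok."},
    "kubelet-anonymous": {"port": 10250, "scheme": "https", "path": "/pods",
                          "match": lambda body: b'"kind":"PodList"' in body.replace(b" ", b"")},
}


def http_get(host: str, port: int, path: str, scheme: str = "http", timeout: float = 3.0):
    """(status, body) or None when the port is closed or does not speak HTTP."""
    conn = None
    try:
        if scheme == "https":
            # kubelet serves a self-signed cert; we are fingerprinting, not trusting it.
            conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                               context=ssl._create_unverified_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None
    finally:
        if conn is not None:
            conn.close()


def probe(host: str, check: str, port: Optional[int] = None, scheme: Optional[str] = None) -> dict:
    """Run one named check; port/scheme override the defaults (used by the demo)."""
    sig = SIGNATURES[check]
    port = port or sig["port"]
    scheme = scheme or sig["scheme"]
    got = http_get(host, port, sig["path"], scheme)
    finding = {"host": host, "port": port, "check": check,
               "reachable": got is not None, "anonymous": False}
    if got is None:
        return finding
    status, body = got
    finding["anonymous"] = status == 200 and sig["match"](body)
    if check == "clickhouse-http" and finding["anonymous"]:
        # Confirm with a harmless read-only statement: can anyone actually run SQL?
        got = http_get(host, port, "/?query=SHOW%20DATABASES", scheme)
        finding["databases"] = got[1].decode().split() if got and got[0] == 200 else []
    return finding


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in replying like an open ClickHouse and an anonymous kubelet."""
    def do_GET(self):
        if self.path == "/":
            body = b"Ok.\n"
        elif self.path.startswith("/?query="):
            body = b"default\nsystem\napp_logs\n"
        elif self.path == "/pods":
            body = json.dumps({"kind": "PodList", "items": []}).encode()
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> list:
    """Both probes against the stand-in on an ephemeral port, plus one against a closed port."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return [probe("127.0.0.1", "clickhouse-http", port=port),
                probe("127.0.0.1", "kubelet-anonymous", port=port, scheme="http"),  # stand-in is plain HTTP
                probe("127.0.0.1", "clickhouse-http", port=1)]  # nothing listening: unreachable
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Two caveats for real use: run it only against hosts you own (the ClickHouse confirmation step executes a statement, even a harmless one), and treat "reachable but not anonymous" as a finding too, because a database port that answers the internet at all is already outside most organisations' intended exposure.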

  • Eric Andron

    Founder and CEO at MIS Support | Cybersecurity Expert

    The most significant cyber threat we face isn't just from external attackers but from within—specifically, misconfigurations and inadequate change control. According to the latest Cloud Security Alliance "Top Threats to Cloud Computing" report, these issues now rank as the number one security concern for us in the industry, surpassing even identity and access management challenges. The implications are profound. With cloud environments offering persistent network access and almost limitless scalability, a single misconfiguration can lead to widespread vulnerabilities, leaving entire systems exposed. The shift to cloud demands that we rethink our approach to configuration management, moving away from traditional methods towards more dynamic, cloud-specific strategies. For mid-sized businesses, this means investing in third-party vendors and automated tools that can continuously monitor and correct configurations in real time, reducing the human error factor. The future of cloud security isn’t just about defense; it’s about proactive governance and adaptability. If you are utilizing the cloud, make sure you are securing your workflow smartly. (🔗 To the report here: https://lnkd.in/eJBn5yb7) #CloudSecurity #ITInfrastructure #Cybersecurity #ProactiveGovernance
