Understanding Threat Actor Exploits in Cloud Infrastructure


Summary

Understanding threat actor exploits in cloud infrastructure means recognizing how hackers target cloud systems to steal data, disrupt operations, or gain control—often by abusing misconfigurations, stolen credentials, and built-in administrative tools. As businesses rely more on cloud services, attackers adapt their tactics to infiltrate and persist within these environments, turning cloud platforms into both their targets and operational bases.

  • Monitor for anomalies: Regularly review cloud activity for unusual access patterns or unauthorized data transfers to catch breaches early.
  • Secure identities: Strengthen authentication methods and limit privileged accounts to reduce the risk of attackers exploiting stolen credentials.
  • Patch and configure carefully: Keep cloud devices and services updated, and routinely check for misconfigurations that could expose systems to attack.
Summarized by AI based on LinkedIn member posts
  • Alexander Leslie

    National Security, Defense & Cyber Intelligence | Senior Advisor, Recorded Future | Government Affairs, Strategic Communications & Executive Engagement | Cybercrime, Espionage & Influence Operations

    10,509 followers

    🚨 ☁️ - New Recorded Future Insikt Group report! This is essential reading for anyone building or defending in modern hybrid, SaaS-heavy, or cloud-native environments. The report outlines a clear and uncomfortable reality: cloud environments are now central to how threat actors operate, not just a peripheral target. Please read and share with your networks!

    Our analysis highlights five key threat vectors shaping the current cloud threat landscape: cloud abuse, exploitation, endpoint misconfiguration, cloud ransomware, and credential abuse. What emerges is a picture of attackers who are not only exploiting misconfigured or vulnerable infrastructure but actively adopting cloud-native tooling and services for persistence, evasion, and impact.

    🔑 Cloud abuse, in particular, is no longer rare — it’s routine. Threat actors are standing up their own infrastructure in AWS, Azure, Google Cloud, and even lesser-known providers, blending in with legitimate traffic to host C2 nodes, phishing kits, and credential harvesting sites. In some cases, they’re compromising victim cloud environments directly to mine cryptocurrency, exfiltrate data, or abuse expensive APIs like those tied to large language models — a tactic now known as “LLMjacking.”

    Initial access often starts with the usual suspects: misconfigured endpoints and exposed secrets or credentials, many of which are still discovered en masse through open-source scanners and repos. Credential abuse remains a direct path to full-tenant compromise, especially in environments lacking basic protections like passwordless auth or adaptive MFA. Threat actors have shown a growing ability to escalate privileges and maintain access by manipulating identity federation, forging SAML tokens, and abusing synchronization accounts — making cloud identity a persistent battleground.

    What makes this report especially valuable is that it doesn’t stop at threat modeling. It provides practical, grounded mitigation and detection strategies aligned to each phase of the attack chain. These include monitoring for suspicious cloud API usage, spotting unauthorized data exfiltration via storage buckets, detecting anomalous access patterns, and reinforcing controls over third-party and federated identities.

    It also urges organizations to revisit assumptions around visibility — many cloud compromises go unnoticed until the financial or operational damage is done, and native logging alone isn’t enough to catch sophisticated misuse.

    What’s most striking, though, is the strategic shift underway. Threat actors increasingly rely on cloud infrastructure not just as a target, but as a core part of their kill chain. As adoption accelerates, the question isn’t if cloud infrastructure will be targeted — it’s how much of your detection, logging, and identity controls are ready for when it is. Because at this stage, the cloud isn’t just someone else’s computer — it’s someone else’s kill chain.

  • George Wescott

    Co-Founder | Managing Partner A-Ventures.Global | Software Consulting, AI Tools, Agentic, AI/ML, SaaS Integrations for eCommerce Media and Operations | The Intelligent eCommerce Ecosystem

    16,641 followers

    Amazon discovers Advanced Persistent Threat (APT) exploiting Cisco and Citrix zero-days

    Amazon has successfully used its massive scale to detect Advanced Persistent Threats (APTs)—specifically Russian (APT29/Midnight Blizzard) and suspected Chinese actors (Volt Typhoon)—exploiting critical vulnerabilities in Cisco and Citrix edge devices.

    The Citrix vulnerability: CVE‑2025‑5777 (“Bleed Two”) was being exploited before public disclosure, as detected by Amazon’s honeypot service.

    The Cisco ISE vulnerability: newly discovered by Amazon and now designated CVE‑2025‑20337 — an unauthenticated remote code-execution flaw in Cisco ISE. Exploits were observed before the vendor had issued a CVE or provided full patches.

    After exploiting the Cisco ISE vulnerability, the threat actor deployed a custom web shell disguised as a legitimate ISE component (“IdentityAuditAction”). The web shell is highly stealthy: in-memory only, uses Java reflection, hooks into Tomcat HTTP request handling, uses DES encryption with a non-standard Base64 variant, and listens on specific HTTP headers for activation.

    The fact that the actor had custom tooling and exploited multiple zero-days before disclosure indicates they are well-resourced and have advanced capabilities (vulnerability research or access to private disclosures).

    The targeting of identity and network-access control infrastructure (Cisco ISE, Citrix NetScaler) is notable: these components sit at the heart of enterprise security policy, authentication, and access management. Their compromise gives broad potential access.

    Pre-auth remote code execution means even well-configured systems (which may not require login) are vulnerable.

    Patching gaps (i.e., zero-day exploits before vendor mitigations) continue to be a major risk—especially for critical enterprise appliances.

    This revelation highlights a major shift in cybersecurity warfare:

    The Shift to "Edge" Devices: APTs are moving away from attacking endpoints (laptops/servers) which have antivirus (EDR) installed. Instead, they are attacking Edge Devices (Firewalls, Load Balancers, Routers) like Cisco and Citrix gear. These devices generally do not support antivirus software and sit on the perimeter of the network, making them the perfect blind spot.

    Amazon as a "Neighborhood Watch": Amazon is positioning itself not just as a cloud provider, but as a global security intelligence firm. By sharing this data with CISA, Cisco, and Citrix, they effectively acted as an early warning system for the entire internet.

    Living off the Land: The attackers used legitimate administrative tools present on the devices to hide their activity, making detection extremely difficult without the kind of "decoy" intelligence Amazon possessed.

  • Michael Eru

    ✅ Manager - Lead Penetration Tester @Moniepoint - PCSE | PCA | CASA | CAP | Software Defined Radio Researcher(USRP B210) | API Security | Ethical Hacker| Security Researcher |Cloud Pentest | AI Security

    16,473 followers

    Just getting into cloud security? The offensive side of it…

    One of the most important parts of offensive cloud security is enumeration: understanding what's exposed, what's misconfigured, and where the doors are left open.

    Here are the tools I wish someone had pointed me to earlier 👇

    ☁️ AWS
    → AWS CLI — enumerate IAM roles, S3 buckets, EC2 instances, and more before touching any third-party tool.
    → Pacu — open-source AWS exploitation framework. Think Metasploit, but cloud-native.
    → S3Scanner — quickly finds open S3 buckets you didn't know were exposed.

    ☁️ GCP
    → gcloud & gsutil — don't overlook the default SDK. List projects, enumerate IAM bindings, inspect storage buckets. Incredibly powerful for recon.

    ☁️ Azure
    → Azure CLI (az) — enumerate subscriptions, resource groups, role assignments, and managed identities straight from the terminal.

    ☁️ Multi-cloud
    → ScoutSuite — audits AWS, Azure, GCP, Alibaba Cloud & OCI for misconfigurations. Great first stop.
    → Prowler — security benchmarking across AWS, GCP & Azure. CLI-based and beginner-friendly.
    → PurplePanda — maps privilege escalation paths within and across cloud environments & SaaS.
    → TruffleHog — scans for exposed secrets and credentials hiding in code repos and cloud storage.
    → Nuclei — fast, template-based scanner, great for cloud-exposed attack surfaces.
    → Wiz — cloud security platform that provides deep visibility into misconfigurations, toxic combinations, and attack paths across environments. Great for understanding real-world risk in context.

    Honest take: you don't need to master all of these at once. Pick one cloud provider, set up a free lab environment (AWS free tier is a great start), and just start poking around.

    Some learning resources:
    🟡 AWSGoat: AWSGoat is a vulnerable-by-design AWS infrastructure featuring OWASP Top 10 web application security risks (2021) and AWS service-based misconfigurations. - https://lnkd.in/ewZvYp7A
    🟡 Pwned Labs: Free hosted labs for learning cloud security. - https://pwnedlabs.io/
    🟡 HackTricks - https://lnkd.in/eUnsj7vZ
    🟡 Awesome Cloud Security - https://lnkd.in/eEcnmXa2

    The best way to learn offensive cloud security is by doing, not just reading. What tools are you using to get started? Drop them below.

    Let's repost for others to learn ♻️ And as always, learning never ends.
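The post above names S3Scanner, ScoutSuite and Prowler as tools that find exposed storage. The block below is an added example, not code from any of those projects or from the post's author, that shows the audit logic such a scanner applies to one bucket: it evaluates a bucket policy for anonymous principals, the ACL for the AllUsers/AuthenticatedUsers groups, and the Public Access Block settings that can neutralise either. The bucket records are constructed samples with placeholder names and account ids; in a live run the three inputs would come from boto3's `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`, which this offline version deliberately does not call.

```python
"""Offline S3 exposure audit in the style of the posture scanners named above.
Added example, not code from S3Scanner, ScoutSuite or Prowler. Bucket records
are constructed; a live run would fetch them with boto3's get_bucket_policy,
get_bucket_acl and get_public_access_block (assumed, not called here)."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when a statement applies to any principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Reasons a bucket policy grants access to anonymous principals."""
    findings = []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        qualifier = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{qualifier} anonymous Allow on {actions}")
    return findings


def acl_findings(grants):
    """Reasons the bucket ACL exposes the bucket to a public grantee group."""
    return [
        f"ACL grants {g.get('Permission')} to {PUBLIC_GRANTEES[g['Grantee']['URI']]}"
        for g in grants
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
    ]


def audit_bucket(name, policy=None, grants=(), public_access_block=None):
    """Combine the three checks. Public Access Block can neutralise an exposure:
    RestrictPublicBuckets covers public policies, IgnorePublicAcls public ACLs."""
    pab = public_access_block or {}
    findings, exposed = [], False
    for reason in policy_findings(policy):
        if pab.get("RestrictPublicBuckets"):
            findings.append(reason + " (neutralised by RestrictPublicBuckets)")
        else:
            findings.append(reason)
            exposed = True
    for reason in acl_findings(list(grants)):
        if pab.get("IgnorePublicAcls"):
            findings.append(reason + " (neutralised by IgnorePublicAcls)")
        else:
            findings.append(reason)
            exposed = True
    if public_access_block is None:
        findings.append("no Public Access Block configured")
    return {"bucket": name, "public": exposed, "findings": findings}


# Constructed sample buckets; names are placeholders, not real resources.
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SAMPLE_BUCKETS = [
    {"name": "marketing-site-assets",            # classic world-readable website bucket
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::marketing-site-assets/*"}]},
     "grants": [], "public_access_block": None},
    {"name": "elb-access-logs",                  # stale public ACL, but PAB neutralises it
     "policy": None,
     "grants": [{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
     "public_access_block": ALL_BLOCKED},
    {"name": "finance-exports",                  # only a Deny for non-TLS: not an exposure
     "policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                               "Resource": "arn:aws:s3:::finance-exports/*",
                               "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
     "grants": [], "public_access_block": ALL_BLOCKED},
]


def run_audit(buckets=SAMPLE_BUCKETS):
    return [audit_bucket(**b) for b in buckets]


if __name__ == "__main__":
    for result in run_audit():
        flag = "PUBLIC" if result["public"] else "ok    "
        print(flag, result["bucket"], "|", "; ".join(result["findings"]) or "no findings")
```

The distinction between a finding and an exposure is the useful part: a public ACL or policy that Public Access Block neutralises is still reported, because it becomes live the moment someone relaxes the block, but it is not counted as public. A Deny statement with `Principal: "*"` is skipped entirely, since anonymous Deny is a hardening pattern, not a hole.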

  • CrowdStrike released its 2026 Global Threat Report which provides an overview of threat actor behavior, operational trends, and emerging risks shaping cybersecurity this year. Some key highlights of the report include:

    * Breakout times continue to shrink, with threat actors moving laterally within minutes of initial access in many cases, increasing pressure on detection and response capabilities.
    * Credential abuse, token theft, and exploitation of identity infrastructure remain central techniques, reflecting a shift away from traditional malware-heavy intrusions. In these intrusions, threat actors engage directly with victim environments, using legitimate credentials, native tools, and administrative functions to move laterally and achieve objectives while blending into normal user behavior.
    * AI-enabled adversaries increased attacks by 89% year-over-year. Threat actors are incorporating AI to scale phishing, social engineering, reconnaissance, and content generation, increasing speed and plausibility of attacks.
    * The technology sector remained the most frequently targeted, reflecting its central role in critical business systems and supply chains. Consulting, manufacturing, retail, and other data-rich industries also experienced elevated activity.
    * 42% increase in zero-day vulnerabilities exploited prior to public disclosure. Adversaries continue to refine extortion models, including data theft–focused operations and multi-layered pressure tactics.

    Pages 48-49 contain some useful recommendations:

    - Prioritize identity protection: Implement strong identity governance, enforce phishing-resistant MFA, monitor credential misuse, and reduce overprivileged accounts to mitigate identity-based intrusions.
    - Strengthen cloud security posture: Continuously assess configurations, restrict excessive permissions, and monitor for anomalous API activity to reduce exposure in hybrid and multi-cloud environments.
    - Accelerate detection and response capabilities: Given compressed breakout times, organizations should focus on real-time monitoring, rapid containment procedures, and cross-domain visibility across endpoints, identity, and cloud.
    - Limit lateral movement opportunities: Segment networks, apply least-privilege principles, and monitor authentication flows to prevent attackers from expanding access once initial entry is achieved.
    - Enhance visibility into legitimate tool abuse: Since many attacks are malware-free, security programs should focus on behavioral detection and monitoring of trusted administrative tools and valid accounts.

  • Joseph Rooke

    Director @ Insikt Group

    4,302 followers

    ‼️ Insikt Group has reported that threat actors are increasingly taking over company cloud accounts and using built-in tools to steal data, disrupt operations, and demand payment.

    ✏️ Key points: Misconfigured internet-facing services and stolen credentials are giving attackers a path to seize powerful cloud roles, often gaining broad control with a single account. They then use legitimate cloud features to copy data, erase backups, and alter systems in ways that look like normal activity. For executives, this means a breach can spread faster, last longer, and cause greater financial and reputational damage before it is even detected.

    💡 Key takeaway: The wider strategic shift this represents is a move toward exploiting cloud identity and built-in trust rather than relying on obvious malware. As more core systems, suppliers, and artificial intelligence services run in shared cloud environments, one compromised account or partner can create enterprise-wide consequences. Cloud exposure is now directly tied to business continuity and board-level risk.

    ❓ Resilience question: Ask your teams: if a top-level cloud account were hijacked, how fast could we detect it and stop damage to data and backups?

    📜 Read the report: https://lnkd.in/edPkjY9Z
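Three of the posts on this page converge on the same detection problem: Alexander Leslie's post lists monitoring suspicious cloud API usage, exfiltration via storage buckets and anomalous federated-identity access; the CrowdStrike summary recommends monitoring for anomalous API activity; and the Insikt post directly above describes attackers using legitimate cloud features to copy data and erase backups. The block below is an added example covering all three, written for this page and not taken from Recorded Future, CrowdStrike or any vendor product. It runs four simple rules over events in the CloudTrail JSON field layout: destructive calls against backups and snapshots, changes to identity federation, `AssumeRoleWithSAML` sessions from an identity provider or network outside a baseline, and bursts of `GetObject` reads against one bucket. The events, the baseline identity provider ARN, the IP ranges (RFC 5737 test networks) and the thresholds are all constructed assumptions to be tuned per tenant.

```python
"""Rule-based triage of CloudTrail-style events for the behaviours the posts
describe: bulk bucket reads, backup/snapshot deletion, federation tampering and
anomalous SAML sessions. Added example, not code from any vendor or report.
Events are constructed in the CloudTrail field layout; baseline, rule names and
thresholds are assumptions a defender would tune to the tenant."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed tenant baseline: the one IdP that should mint federated sessions and
# the corporate egress prefix it is expected to come from (TEST-NET-3).
BASELINE = {
    "saml_providers": {"arn:aws:iam::111122223333:saml-provider/CorpIdP"},
    "trusted_ip_prefixes": ("203.0.113.",),
}
DESTRUCTIVE = {"DeleteSnapshot", "DeleteDBSnapshot", "DeleteBackupVault",
               "DeleteRecoveryPoint", "DeleteBucket", "DeleteObjectVersion"}
FEDERATION_CHANGES = {"CreateSAMLProvider", "UpdateSAMLProvider",
                      "CreateOpenIDConnectProvider", "UpdateAssumeRolePolicy"}
BULK_READ_WINDOW = timedelta(minutes=5)
BULK_READ_THRESHOLD = 50      # GetObject calls per principal and bucket in the window


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _principal(event):
    identity = event.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId", "unknown")


def detect(events, baseline=BASELINE):
    """Return alerts as dicts with rule, severity, principal and detail."""
    alerts = []
    reads = defaultdict(list)   # (principal, bucket) -> timestamps inside the sliding window
    for ev in sorted(events, key=_ts):
        name, who, ip = ev["eventName"], _principal(ev), ev.get("sourceIPAddress", "")
        params = ev.get("requestParameters") or {}
        if name in DESTRUCTIVE:
            alerts.append({"rule": "destructive_action", "severity": "high",
                           "principal": who, "detail": name})
        elif name in FEDERATION_CHANGES:
            alerts.append({"rule": "federation_tampering", "severity": "high",
                           "principal": who, "detail": name})
        elif name == "AssumeRoleWithSAML":
            provider = params.get("principalArn", "")
            unknown_idp = provider not in baseline["saml_providers"]
            unknown_ip = not ip.startswith(baseline["trusted_ip_prefixes"])
            if unknown_idp or unknown_ip:
                alerts.append({"rule": "anomalous_saml_session", "severity": "medium",
                               "principal": who, "detail": f"{provider or '?'} from {ip}"})
        elif name == "GetObject":
            bucket = params.get("bucketName", "?")
            window = reads[(who, bucket)]
            window.append(_ts(ev))
            while _ts(ev) - window[0] > BULK_READ_WINDOW:   # slide the window forward
                window.pop(0)
            if len(window) == BULK_READ_THRESHOLD:        # fire once per burst
                alerts.append({"rule": "bulk_object_read", "severity": "medium",
                               "principal": who, "detail": f"{bucket}: {len(window)} reads"})
    return alerts


def _event(when, name, arn, ip, **params):
    """Build one constructed CloudTrail-like record."""
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": params or None}


def sample_events():
    """Constructed trail: one legitimate operator and one hijacked admin session."""
    t0 = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
    ops = "arn:aws:sts::111122223333:assumed-role/DataOps/alice"
    hijacked = "arn:aws:sts::111122223333:assumed-role/Admin/session"
    events = [_event(t0 + timedelta(seconds=2 * i), "GetObject", hijacked, "198.51.100.9",
                     bucketName="finance-exports", key=f"q4/report-{i}.csv")
              for i in range(60)]                        # 60 reads in two minutes
    events += [_event(t0 + timedelta(minutes=i), "GetObject", ops, "203.0.113.7",
                      bucketName="finance-exports", key="q4/summary.csv")
               for i in range(3)]                        # normal trickle, under threshold
    events += [
        _event(t0 - timedelta(minutes=30), "AssumeRoleWithSAML", ops, "203.0.113.7",
               principalArn="arn:aws:iam::111122223333:saml-provider/CorpIdP"),
        _event(t0 - timedelta(minutes=10), "AssumeRoleWithSAML", hijacked, "198.51.100.9",
               principalArn="arn:aws:iam::111122223333:saml-provider/RogueIdP"),
        _event(t0 + timedelta(minutes=3), "UpdateSAMLProvider", hijacked, "198.51.100.9"),
        _event(t0 + timedelta(minutes=4), "DeleteBackupVault", hijacked, "198.51.100.9",
               backupVaultName="nightly"),
    ]
    return events


def sample_alerts():
    return detect(sample_events())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert["severity"].upper(), alert["rule"], alert["principal"], alert["detail"])
```

Two design points matter more than the rule list. The bulk-read rule keys on principal and bucket rather than on source IP, because the sessions the posts describe are valid credentials used from wherever the attacker sits; and the SAML rule treats a known provider from an unknown network as equally suspicious as an unknown provider, since a forged assertion from a legitimate IdP ARN is exactly the federation-abuse case Leslie's post raises.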

  • Ramy Houssaini

    Resilience, Growth & Innovation Technologist, Board Member

    11,009 followers

    The era of the "interactive hack" is over; we are witnessing the total industrialization of #cyber threats. The newly released 2026 Cloudflare Threat Report reveals how adversaries are weaponizing trust and scaling operations at machine speed. Here are the top three insights security leaders must address:

    #AI as an Exploit Engine: Attackers are prioritizing the "Measure of Effectiveness" over technical sophistication. Example: The GRUB1 threat actor actively uses AI to navigate unfamiliar environments and pinpoint high-value database tables just moments before a breach.

    #SaaS Supply Chain Weaponization: Third-party integrations have effectively replaced the traditional network perimeter. Example: A single compromised Salesloft Drift to Salesforce connection recently created a ripple effect, exposing hundreds of corporate tenants simultaneously.

    The End of Traditional #MFA: Threat actors are no longer "attacking the box"—they are "attacking the session". Example: Infostealers like LummaC2 actively harvest live session tokens, effectively turning ransomware deployment into a simple login event.

    To survive this shift, organizations must transition from reactive #infrastructure defense to a proactive, identity-centric zero trust model. Read the full 2026 Cloudflare #Threat Report for the complete strategic roadmap. Access the full report here: https://lnkd.in/gp7pJDnc
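The post above makes the point that a harvested session token turns a ransomware deployment into a login, because MFA was already satisfied when the token was minted. The block below is an added example of the server-side control that blunts this, written for this page and not taken from Cloudflare or its report: each session is bound at issue time to a fingerprint of the client context, a token replayed from a different context is refused, and the user's sessions are revoked rather than merely denied. The binding rule (exact User-Agent string plus the client's /24), the two lifetimes and the sample addresses (RFC 5737 test networks) are assumptions, not anything the post specifies.

```python
"""Session binding against token replay. Added example, not code from Cloudflare.
A token issued to one client context is refused from another and the user's
sessions are revoked; the binding rule and the TTLs are assumptions."""
import hashlib
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

ABSOLUTE_TTL = timedelta(hours=8)      # hard cap regardless of activity
IDLE_TTL = timedelta(minutes=30)       # expire sooner when unused


def _fingerprint(ip, user_agent):
    """Bind a session to the client's /24 (IPv4 samples here) and exact User-Agent."""
    network = ipaddress.ip_network(f"{ip}/24", strict=False)
    return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()


def _digest(token):
    # Only a hash is stored, so a leaked session table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}           # token digest -> session record

    def issue(self, user, ip, user_agent, now):
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = {
            "user": user, "bound_to": _fingerprint(ip, user_agent),
            "issued": now, "last_seen": now, "revoked": False,
        }
        return token

    def validate(self, token, ip, user_agent, now):
        """Return 'ok' or the reason the presented token is refused."""
        record = self._sessions.get(_digest(token))
        if record is None:
            return "unknown"
        if record["revoked"]:
            return "revoked"
        if now - record["issued"] > ABSOLUTE_TTL or now - record["last_seen"] > IDLE_TTL:
            record["revoked"] = True
            return "expired"
        if record["bound_to"] != _fingerprint(ip, user_agent):
            # A valid token from another network and browser is the replay signature
            # of infostealer theft: kill every session for the user, not just this call.
            self.revoke_user(record["user"])
            return "context_mismatch"
        record["last_seen"] = now
        return "ok"

    def revoke_user(self, user):
        for record in self._sessions.values():
            if record["user"] == user:
                record["revoked"] = True


def demo():
    """Legitimate use, a replay from elsewhere, the fallout, and idle expiry."""
    store = SessionStore()
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"        # constructed UA string
    token = store.issue("alice", "203.0.113.40", ua, t0)
    outcomes = [
        store.validate(token, "203.0.113.41", ua, t0 + timedelta(minutes=5)),      # same /24
        store.validate(token, "198.51.100.9", "curl/8.4", t0 + timedelta(minutes=6)),  # replay
        store.validate(token, "203.0.113.40", ua, t0 + timedelta(minutes=7)),      # now revoked
        store.validate("not-a-real-token", "203.0.113.40", ua, t0),
    ]
    fresh = store.issue("alice", "203.0.113.40", ua, t0)
    outcomes.append(store.validate(fresh, "203.0.113.40", ua, t0 + IDLE_TTL + timedelta(seconds=1)))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Binding to a /24 keeps a user on a changing DHCP lease inside one office network logged in while still catching a token used from an unrelated network; on mobile carriers that tolerance is too tight, so production deployments typically bind to the ASN or rely on a device-bound credential and keep the network check as a risk signal. The short idle lifetime limits how long a stolen-but-unused token stays valid.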
