< ciso
brief />
Tag Banner

All news with #cloud account compromise tag

62 articles

AI-Driven Breaches Force Rethink of Incident Response

πŸ›‘οΈ Enterprises face a new class of attacks as threat actors leverage AI agents to automate entire intrusion chains, dramatically compressing the time from initial access to deep compromise. Reports from Sygnia and Sysdig document AI-enabled campaigns that harvest credentials, map services, and persist across cloud environments, often exploiting known vulnerabilities rather than zero-days. Experts warn that traditional, human-speed incident response and hunting are often too slow, and emphasize the need for integrated, AI-assisted defenses and rigorous hygiene: fast patching, secrets rotation, least privilege, segmentation, and automated response playbooks.
read more β†’

Novel OAuth Client ID Spoofing Targets Cloud

πŸ”’ Cyber-attackers are increasingly using OAuth client ID spoofing to access cloud environments by abusing Microsoft Entra ID (formerly Azure AD). Proofpoint researchers found threat actors issuing ROPC token requests to the OAuth 2.0 endpoint, producing AADSTS error codes that reveal valid usernames and authentication controls. The technique produces blank or spoofed application IDs in Entra sign‑in logs, making detection difficult and enabling large-scale campaigns targeting millions of accounts.
read more β†’

AI-Accelerated Cloud Attack Exploits Management Gaps

πŸ”Ž A Sygnia report details how a lone threat actor leveraged AI to complete in 72 hours what would normally take weeks, using established cloud attack techniques rather than novel exploits. The attacker obtained an AWS access key via an internet-facing app and used agentic AI workflows to search for secrets, establish persistence, exfiltrate RDS data, and perform impact actions. The report highlights gaps in secrets management, identity governance, deployment workflows and visibility, and provides containment recommendations for defenders.
read more β†’

Massive Microsoft 365 password spray attack exposed

πŸ”’ Microsoft users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth ROPC flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.
read more β†’

High-severity Amazon Q MCP flaw enables cloud theft

πŸ›‘οΈ A high-severity flaw in Amazon Q Developer allowed a malicious repository to spawn MCP servers and execute commands, exposing a developer's cloud credentials. Wiz Research discovered the issue and demonstrated that a single config file (.amazonq/mcp.json) in a cloned repo could trigger AWS credential theft. Amazon patched the vulnerability, tracked as CVE-2026-12957 (CVSS 8.5), and updated Language Servers for AWS and IDE plugins to require explicit consent for untrusted MCP servers.
read more β†’

Cloud bucket hijacking risks across major providers

πŸ”’ Unit 42 researchers describe a bucket hijacking technique that exploits globally unique storage bucket names across major cloud providers. By deleting a target bucket and recreating it under an attacker-controlled account with the same name, data streams (logs, Pub/Sub, replication, transfer jobs, etc.) can be silently rerouted to an adversary. The team validated the attack across Google Cloud, AWS and demonstrated cross-subscription scenarios in Azure, and has shared findings with the affected vendors.
read more β†’

Infinite Campus Salesforce Breach Exposes Staff Data

πŸ”’ Infinite Campus disclosed a Salesforce data theft in March that exposed personal information for school staff across its K‑12 customer base. The attacker, linked to groups known for targeting Salesforce instances, allegedly leaked a 1.2GB archive. Have I Been Pwned found data from 137,100 accounts, including names, emails, job titles and contact details. Infinite Campus said most exposed items appear to be directory information commonly published by schools.
read more β†’

Attackers Exfiltrate Exchange Executive Mailbox

πŸ“§ Symantec and Carbon Black disclosed that unknown attackers maintained quiet access to a senior executive's Outlook mailbox at a major global stock exchange for at least five months, repeatedly copying messages and routing them through Dropbox and OneDrive to blend with normal cloud activity. The intruders used a mailbox stealer built on Aspose, ran binaries impersonating legitimate updaters and OneDrive, and staged additional backdoors before access likely ended in March 2026. Indicators point to espionage-focused credential theft and tunneling tooling rather than a financially motivated campaign.
read more β†’

When Identity Becomes the Primary Attack Path in the Cloud

πŸ” This article examines how identities β€” user, machine, and AI agent credentials β€” have become primary attack paths across hybrid environments. It uses real-world examples like cached access keys and forgotten role assignments to show how isolated identity weaknesses chain into exploitable routes. The piece explains why traditional IGA and PAM tools miss these cross-boundary paths and calls for unified mapping of identity, permissions, and environment context to prevent breaches.
read more β†’

Preventing Unauthorized AWS Organizations Account Removal

πŸ”’ The AWS Customer Incident Response Team describes a tactic where attackers use credentials with the organizations:LeaveOrganization permission to remove a member account from an AWS Organization, bypassing inherited safeguards such as Service Control Policies and centralized management. After removal, the account is disentangled from consolidated billing, organization-wide CloudTrail trails, and delegated GuardDuty findings, reducing visibility. The post urges deploying the DenyLeaveOrganizationSCP, enforcing least privilege, securing root users with MFA and centralized root management, and updating detection and response workflows to monitor related CloudTrail events.
read more β†’

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

πŸ” Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.
read more β†’

Storm-2949: Identity Compromise Leads to Cloud Breach

πŸ” Microsoft Threat Intelligence details how Storm-2949 converted targeted identity compromise into a broad cloud breach, exfiltrating data from Microsoft 365 and production workloads in Azure. The actor abused SSPR-based social engineering to bypass MFA, performed directory discovery via Graph API, and leveraged management-plane operations to retrieve Key Vault secrets and download large volumes of data. Organizations should adopt behavior-based detections such as Microsoft Defender and tighten RBAC and administrative controls to detect and mitigate similar identity-driven cloud attacks.
read more β†’

Zara Data Breach Exposes Personal Data of 197,000 Customers

πŸ”“ Have I Been Pwned says hackers exfiltrated data tied to Zara affecting 197,400 unique email addresses and associated order SKUs, order IDs, market information, and support tickets. Inditex confirmed the compromised databases were hosted by a former technology provider but said attackers did not access names, phone numbers, postal addresses, credentials, or payment card data. The extortion group ShinyHunters claimed responsibility and posted a 140GB archive allegedly taken from BigQuery using compromised Anodot tokens.
read more β†’

PCPJack Campaign Removes TeamPCP Artifacts from Cloud

πŸ”’ Security researchers uncovered PCPJack, a credential‑theft framework that targets exposed cloud infrastructure and removes artifacts tied to TeamPCP. SentinelOne reports PCPJack worms through services to harvest credentials from Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web apps. Unlike many cloud campaigns it omits crypto‑mining and actively removes TeamPCP miner code, indicating monetization through credential theft, resale, fraud or extortion.
read more β†’

PCPJack worm steals cloud credentials and cleans TeamPCP

πŸ› PCPJack is a new worm that targets exposed cloud infrastructure to harvest credentials while actively removing traces of rival group TeamPCP. It infects Linux systems via a shell script (bootstrap.sh), establishes persistence (monitor.py), and propagates by scanning for exposed Docker, Kubernetes, Redis, MongoDB and RayML services. Stolen credentials are encrypted with X25519/ChaCha20-Poly1305 and exfiltrated to Telegram channels; researchers recommend MFA, IMDSv2 and least-privilege controls.
read more β†’

PCPJack credential stealer targets cloud, displaces TeamPCP

πŸ”’ SentinelOne researchers led by Alex Delamotte disclosed PCPJack, a modular credential-theft framework that targets exposed cloud, container, developer, productivity, and financial services while actively removing artifacts tied to TeamPCP. The campaign boots via a shell script that prepares the host, installs Python, fetches six purpose-built Python payloads, and launches an orchestrator that exploits known CVEs and propagates in a worm-like fashion. Stolen credentials are encrypted and exfiltrated to attacker-controlled Telegram channels, and a secondary script harvests service keys from IMDS, Kubernetes service accounts, and Docker instances for a wide range of services including OpenAI and 1Password.
read more β†’

Developer's Roblox cheat triggers $2M data breach

πŸ”’ A developer at an AI startup downloaded a dubious Roblox script onto a work laptop, a single error that cascaded into a costly breach and caused roughly $2 million in remediation. The episode also highlights the long-standing SS7 telecom weakness that enables pervasive mobile tracking and interception. Host Graham Cluley and guest James Ball interview Rob Edmondson of CoreView about how to lock down Microsoft 365 before misconfigurations are exploited.
read more β†’

Lessons from the Vercel Breach: Shadow AI & OAuth Risk

πŸ”’ The Vercel incident highlights how employee-installed AI apps can create persistent OAuth bridges between core enterprise systems and third parties, turning shadow AI into a critical attack vector. In the Vercel case a trial use of Context.ai granted access to Google Workspace, and when Context.ai was breached attackers leveraged stored tokens to pivot into Vercel. The piece urges admins to adopt default-deny consent, routinely audit integrations, and extend controls beyond primary clouds to manage OAuth sprawl.
read more β†’

Microsoft asks iPhone users to re-enter Outlook creds

πŸ“§ Microsoft has asked iPhone users to manually re-enter credentials in the default Mail app to restore access to Outlook and Hotmail accounts after a global sign-in outage. The company reported intermittent sign-in failures and some users being signed out or seeing "too many requests" errors, attributing the disruption to a "recently introduced change." Service health was reported as restored around 7 PM UTC, but iOS users must follow a step-by-step procedure in Settings β†’ Mail β†’ Accounts to update passwords. Microsoft has not disclosed the outage's root cause, scale, or affected regions.
read more β†’

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

πŸ”’ Mandiant attributes a newly documented cluster, UNC6692, with social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family β€” including SNOWBELT, SNOWGLAZE, and SNOWBASIN β€” enabling credential theft, tunneling, lateral movement, and data exfiltration.
read more β†’