ciso brief

All news with #cloud account compromise tag

54 articles

When Identity Becomes the Primary Attack Path in the Cloud

๐Ÿ” This article examines how identities โ€” user, machine, and AI agent credentials โ€” have become primary attack paths across hybrid environments. It uses real-world examples like cached access keys and forgotten role assignments to show how isolated identity weaknesses chain into exploitable routes. The piece explains why traditional IGA and PAM tools miss these cross-boundary paths and calls for unified mapping of identity, permissions, and environment context to prevent breaches.
read more โ†’

Preventing Unauthorized AWS Organizations Account Removal

🔒 The AWS Customer Incident Response Team describes a tactic where attackers use credentials with the organizations:LeaveOrganization permission to remove a member account from an AWS Organization, bypassing inherited safeguards such as Service Control Policies and centralized management. After removal, the account is disentangled from consolidated billing, organization-wide CloudTrail trails, and delegated GuardDuty findings, reducing visibility. The post urges deploying the DenyLeaveOrganization SCP, enforcing least privilege, securing root users with MFA and centralized root management, and updating detection and response workflows to monitor related CloudTrail events.
read more →
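An added example (not code from the AWS post): a hand-written SCP equivalent in intent to the DenyLeaveOrganization SCP the post recommends, a small evaluator that checks whether an action is denied by it, and a detector that flags the CloudTrail events an account exit produces. The CloudTrail records are constructed for the example and trimmed to the fields the detector reads; the principal ARNs and account IDs are placeholders.

```python
"""Block organizations:LeaveOrganization with an SCP and detect exit attempts in CloudTrail.
Example code, not AWS's; the policy below is written by hand to match the stated intent."""
import fnmatch
import json

# Attach at the organization root (or every OU) so every member account inherits it.
DENY_LEAVE_ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        }
    ],
}


def scp_denies(policy, action):
    """Return True if any Deny statement matches `action` (wildcards honoured).
    Conditions and NotAction are out of scope for this small evaluator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            return True
    return False


# Two CloudTrail event names remove an account from an organization:
#   LeaveOrganization             - issued from the member account itself
#   RemoveAccountFromOrganization - issued from the management account
ORG_EXIT_EVENTS = {"LeaveOrganization", "RemoveAccountFromOrganization"}


def find_org_exits(events):
    """Scan CloudTrail records and return one alert per organization-exit call.
    Denied attempts are reported too: an SCP block on this call is itself a strong
    signal that a credential in the member account is in the wrong hands."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        if ev.get("eventName") not in ORG_EXIT_EVENTS:
            continue
        alerts.append({
            "time": ev["eventTime"],
            "event": ev["eventName"],
            "account": ev.get("recipientAccountId"),
            "principal": ev.get("userIdentity", {}).get("arn"),
            "denied": ev.get("errorCode") == "AccessDenied",
        })
    return alerts


# Constructed sample records (placeholder account IDs and ARNs).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DescribeOrganization", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"}},
    # Blocked by the SCP above: still worth an alert.
    {"eventTime": "2026-03-01T10:05:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "errorCode": "AccessDenied",
     "errorMessage": "explicit deny in a service control policy"},
    # Management-account root removing the member: SCPs do not apply here.
    {"eventTime": "2026-03-01T10:06:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "RemoveAccountFromOrganization", "recipientAccountId": "999999999999",
     "userIdentity": {"arn": "arn:aws:iam::999999999999:root"},
     "requestParameters": {"accountId": "111111111111"}},
]

if __name__ == "__main__":
    print(json.dumps(DENY_LEAVE_ORG_SCP, indent=2))
    for alert in find_org_exits(SAMPLE_EVENTS):
        print(alert)
```

The third sample record is the caveat the post's advice depends on: an SCP never constrains the management account, so the only defence against RemoveAccountFromOrganization is protecting the management-account root and admins (MFA, centralized root management) and alerting on the event itself.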

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

๐Ÿ” Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.
read more โ†’

Storm-2949: Identity Compromise Leads to Cloud Breach

๐Ÿ” Microsoft Threat Intelligence details how Storm-2949 converted targeted identity compromise into a broad cloud breach, exfiltrating data from Microsoft 365 and production workloads in Azure. The actor abused SSPR-based social engineering to bypass MFA, performed directory discovery via Graph API, and leveraged management-plane operations to retrieve Key Vault secrets and download large volumes of data. Organizations should adopt behavior-based detections such as Microsoft Defender and tighten RBAC and administrative controls to detect and mitigate similar identity-driven cloud attacks.
read more โ†’
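An added example covering the two Storm-2949 items above (not Microsoft's code or detection): a sequence detection for the password-reset, MFA-removal, Authenticator-enrollment chain, run over constructed Microsoft Entra audit-log records. The record shape follows the Graph directoryAudits fields (activityDisplayName, activityDateTime, targetResources, result); the three activity display names and the privileged-user list are assumptions, so check them against your own tenant's logs before deploying.

```python
"""Detect SSPR followed by MFA-method removal and re-registration within a short window.
Example code written for this page; the activity names are assumed, verify in your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

SSPR = "Reset password (self-service)"             # assumed display name
MFA_DELETED = "User deleted security info"          # assumed display name
MFA_REGISTERED = "User registered security info"    # assumed display name
WINDOW = timedelta(hours=2)

# Assumed: privileged accounts, e.g. exported from PIM role assignments.
PRIVILEGED_USERS = {"admin.jane@contoso.example"}


def _target_upn(ev):
    for target in ev.get("targetResources", []):
        if target.get("userPrincipalName"):
            return target["userPrincipalName"].lower()
    return None


def _when(ev):
    return datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))


def detect_sspr_takeover(events):
    """Flag each user whose self-service reset is followed, within WINDOW, by deletion
    of existing security info and then registration of new security info.
    Any one step is routine helpdesk traffic; the ordered trio is the attack chain."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("result", "success") != "success":
            continue
        upn = _target_upn(ev)
        if upn:
            by_user[upn].append(ev)

    alerts = []
    for upn, evs in by_user.items():
        evs.sort(key=_when)
        for i, ev in enumerate(evs):
            if ev["activityDisplayName"] != SSPR:
                continue
            start = _when(ev)
            later = [e for e in evs[i + 1:] if _when(e) - start <= WINDOW]
            names = [e["activityDisplayName"] for e in later]
            if (MFA_DELETED in names and MFA_REGISTERED in names
                    and names.index(MFA_DELETED) < names.index(MFA_REGISTERED)):
                alerts.append({
                    "user": upn,
                    "reset_at": ev["activityDateTime"],
                    "privileged": upn in PRIVILEGED_USERS,
                })
                break  # one alert per reset is enough
    return alerts


def _ev(ts, name, upn):
    """Build a minimal constructed audit record."""
    return {"activityDateTime": ts, "activityDisplayName": name, "result": "success",
            "targetResources": [{"userPrincipalName": upn}]}


# Constructed sample log: one full chain, one benign method addition, one stale deletion.
SAMPLE_AUDIT = [
    _ev("2026-04-02T09:00:00Z", SSPR, "admin.jane@contoso.example"),
    _ev("2026-04-02T09:10:00Z", MFA_DELETED, "admin.jane@contoso.example"),
    _ev("2026-04-02T09:12:00Z", MFA_REGISTERED, "admin.jane@contoso.example"),
    _ev("2026-04-02T10:00:00Z", SSPR, "bob@contoso.example"),
    _ev("2026-04-02T10:05:00Z", MFA_REGISTERED, "bob@contoso.example"),   # added a method only
    _ev("2026-04-02T11:00:00Z", SSPR, "carol@contoso.example"),
    _ev("2026-04-02T14:00:00Z", MFA_DELETED, "carol@contoso.example"),    # outside the window
]

if __name__ == "__main__":
    for alert in detect_sspr_takeover(SAMPLE_AUDIT):
        print(alert)
```

The `privileged` flag is where the recommendations above bite: for accounts in that set the right response is not just an alert but a policy that prevents the chain, such as phishing-resistant MFA that SSPR cannot replace.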

Zara Data Breach Exposes Personal Data of 197,000 Customers

🔓 Have I Been Pwned says hackers exfiltrated data tied to Zara affecting 197,400 unique email addresses and associated order SKUs, order IDs, market information, and support tickets. Inditex confirmed the compromised databases were hosted by a former technology provider but said attackers did not access names, phone numbers, postal addresses, credentials, or payment card data. The extortion group ShinyHunters claimed responsibility and posted a 140GB archive allegedly taken from BigQuery using compromised Anodot tokens.
read more →

PCPJack Campaign Removes TeamPCP Artifacts from Cloud

🔒 Security researchers uncovered PCPJack, a credential-theft framework that targets exposed cloud infrastructure and removes artifacts tied to TeamPCP. SentinelOne reports PCPJack worms through services to harvest credentials from Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web apps. Unlike many cloud campaigns it omits crypto-mining and actively removes TeamPCP miner code, indicating monetization through credential theft, resale, fraud or extortion.
read more →

PCPJack worm steals cloud credentials and cleans TeamPCP

๐Ÿ› PCPJack is a new worm that targets exposed cloud infrastructure to harvest credentials while actively removing traces of rival group TeamPCP. It infects Linux systems via a shell script (bootstrap.sh), establishes persistence (monitor.py), and propagates by scanning for exposed Docker, Kubernetes, Redis, MongoDB and RayML services. Stolen credentials are encrypted with X25519/ChaCha20-Poly1305 and exfiltrated to Telegram channels; researchers recommend MFA, IMDSv2 and least-privilege controls.
read more โ†’

PCPJack credential stealer targets cloud, displaces TeamPCP

🔒 SentinelOne researchers led by Alex Delamotte disclosed PCPJack, a modular credential-theft framework that targets exposed cloud, container, developer, productivity, and financial services while actively removing artifacts tied to TeamPCP. The campaign boots via a shell script that prepares the host, installs Python, fetches six purpose-built Python payloads, and launches an orchestrator that exploits known CVEs and propagates in a worm-like fashion. Stolen credentials are encrypted and exfiltrated to attacker-controlled Telegram channels, and a secondary script harvests service keys from IMDS, Kubernetes service accounts, and Docker instances for a wide range of services including OpenAI and 1Password.
read more →

Developer's Roblox cheat triggers $2M data breach

🔒 A developer at an AI startup downloaded a dubious Roblox script onto a work laptop, a single error that cascaded into a costly breach and caused roughly $2 million in remediation. The episode also highlights the long-standing SS7 telecom weakness that enables pervasive mobile tracking and interception. Host Graham Cluley and guest James Ball interview Rob Edmondson of CoreView about how to lock down Microsoft 365 before misconfigurations are exploited.
read more →

Lessons from the Vercel Breach: Shadow AI & OAuth Risk

🔒 The Vercel incident highlights how employee-installed AI apps can create persistent OAuth bridges between core enterprise systems and third parties, turning shadow AI into a critical attack vector. In the Vercel case a trial use of Context.ai granted access to Google Workspace, and when Context.ai was breached attackers leveraged stored tokens to pivot into Vercel. The piece urges admins to adopt default-deny consent, routinely audit integrations, and extend controls beyond primary clouds to manage OAuth sprawl.
read more →

Microsoft asks iPhone users to re-enter Outlook creds

📧 Microsoft has asked iPhone users to manually re-enter credentials in the default Mail app to restore access to Outlook and Hotmail accounts after a global sign-in outage. The company reported intermittent sign-in failures and some users being signed out or seeing "too many requests" errors, attributing the disruption to a "recently introduced change." Service health was reported as restored around 7 PM UTC, but iOS users must follow a step-by-step procedure in Settings → Mail → Accounts to update passwords. Microsoft has not disclosed the outage's root cause, scale, or affected regions.
read more →

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant attributes to a newly documented cluster, UNC6692, social-engineering campaigns via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor leverages large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family (SNOWBELT, SNOWGLAZE, and SNOWBASIN), enabling credential theft, tunneling, lateral movement, and data exfiltration.
read more →

Vercel Identifies Additional Customer Account Breaches

🔒 Vercel said it has identified an additional set of customer accounts compromised as part of an incident after expanding its indicators of compromise and reviewing network requests and environment-variable read events. The company reported a small number of accounts showing prior compromise that predates this incident and may stem from social engineering, malware, or other methods, and confirmed it notified affected parties. Investigators traced the chain to a compromise of Context.ai that allowed takeover of a Google Workspace account and pivoting into Vercel; further analysis points to Lumma Stealer as a likely initial payload.
read more →

Detecting Cloud Identity Infiltration via Fake Hires

๐Ÿ” Microsoft observed North Korea-aligned actors posing as legitimate hiresโ€”using stolen or fabricated identities and generative AIโ€”to gain trusted access to corporate SaaS. They target external career sites and Workday Recruiting APIs (hrrecruiting/*) to submit convincing applications, complete onboarding, then use legitimate accounts to access Teams, SharePoint, OneDrive, and Exchange Online. Defenders should correlate multi-source telemetry, enable Microsoft Defender for Cloud Apps connectors, and monitor behavioral anomalies in candidates and new hires.
read more โ†’

Vercel Confirms Cyber Incident After Third-Party Compromise

🔒 Vercel has confirmed a cyber incident in which a "highly sophisticated" attacker exploited the third-party tool Context.ai after an employee authorized the app. The adversary used that access to take over the employee's Vercel Google Workspace account and accessed several environments and environment variables not marked as sensitive; sensitive variables are stored unreadable and show no evidence of access. Vercel says npm packages and major projects like Next.js were not compromised, has engaged Mandiant to investigate, and is notifying affected customers while advising MFA, rotation of exposed variables, and strengthened deployment protections.
read more →

Vercel Breach Linked to Compromised Context.ai Systems

🔒 Vercel disclosed a security breach tied to a compromised Context.ai account used by an employee, which enabled an attacker to take over the employee's Vercel Google Workspace account. The actor accessed some Vercel environments and environment variables that were not marked sensitive, while encrypted sensitive variables show no evidence of exposure. Vercel is working with Mandiant, law enforcement and Context.ai, and has contacted affected customers to rotate credentials and investigate further.
read more →

China-aligned ELF Backdoor Harvests Cloud Credentials

๐Ÿ” Breakglass Intelligence reports that China-aligned APT41 is deploying an obfuscated Linux ELF backdoor to harvest cloud credentials across AWS, GCP, Azure and Alibaba Cloud. The implant uses a selective SMTP-based C2 over port 25 and typosquatted Alibaba-themed domains hosted in Singapore to exfiltrate tokens and metadata while avoiding scanners. The malware queries instance metadata endpoints (169.254.169.254), sends stolen IAM, service account and managed identity credentials, and emits periodic UDP broadcasts to 255.255.255.255:6006 to coordinate lateral movement. Defenders should monitor SMTP egress, unusual metadata access, unknown ELF binaries, and connections to Alibaba-lookalike domains.
read more โ†’
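An added example (not Breakglass Intelligence's code) turning the four network indicators above into a per-host correlation over constructed flow and DNS records: metadata-endpoint access, SMTP egress that bypasses the known mail relay, UDP broadcasts to port 6006, and DNS lookups for domains a short edit distance from legitimate Alibaba Cloud domains. Metadata access alone is scored low because every cloud SDK makes that call; a host only alerts when the indicators stack. The flow records, IP addresses, relay list and the "a1iyun.com" lookalike are all constructed for the example.

```python
"""Per-host scoring of the ELF backdoor's network indicators over constructed flow records.
Example code written for this page; thresholds and weights are assumptions to tune locally."""
from collections import defaultdict

IMDS = "169.254.169.254"
BROADCAST = "255.255.255.255"
MAIL_RELAYS = {"10.0.0.25"}          # assumed: the only hosts allowed to speak SMTP outbound
LEGIT_DOMAINS = {"aliyun.com", "alibabacloud.com", "alicdn.com"}
ALERT_THRESHOLD = 3                  # assumed


def _levenshtein(a, b):
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(qname):
    """True if the registered domain is not a legitimate Alibaba Cloud domain
    but is within two edits of one (e.g. a1iyun.com vs aliyun.com)."""
    registered = ".".join(qname.lower().rstrip(".").split(".")[-2:])
    if registered in LEGIT_DOMAINS:
        return False
    return any(_levenshtein(registered, legit) <= 2 for legit in LEGIT_DOMAINS)


def score_hosts(flows):
    """Return {src_host: {"score": int, "indicators": [...]}} for every source host."""
    hosts = defaultdict(lambda: {"score": 0, "indicators": []})

    def hit(src, weight, label):
        if label not in hosts[src]["indicators"]:
            hosts[src]["score"] += weight
            hosts[src]["indicators"].append(label)

    for f in flows:
        src, dst, dport, proto = f["src"], f["dst"], f["dport"], f["proto"]
        if dst == IMDS:
            hit(src, 1, "imds-access")                  # noisy alone, meaningful in combination
        if proto == "tcp" and dport == 25 and dst not in MAIL_RELAYS:
            hit(src, 2, "smtp-egress-bypassing-relay")  # SMTP C2 channel
        if proto == "udp" and dst == BROADCAST and dport == 6006:
            hit(src, 3, "udp-broadcast-6006")           # lateral-movement beacon
        if dport == 53 and f.get("qname") and is_lookalike(f["qname"]):
            hit(src, 2, "alibaba-lookalike-dns")
    return dict(hosts)


def alert_hosts(flows, threshold=ALERT_THRESHOLD):
    return sorted(h for h, v in score_hosts(flows).items() if v["score"] >= threshold)


# Constructed sample telemetry: 10.0.1.5 shows the full pattern, 10.0.1.9 is a normal instance.
FLOWS = [
    {"src": "10.0.1.5", "dst": IMDS, "dport": 80, "proto": "tcp"},
    {"src": "10.0.1.5", "dst": "203.0.113.7", "dport": 25, "proto": "tcp"},
    {"src": "10.0.1.5", "dst": BROADCAST, "dport": 6006, "proto": "udp"},
    {"src": "10.0.1.5", "dst": "10.0.0.2", "dport": 53, "proto": "udp", "qname": "mail.a1iyun.com"},
    {"src": "10.0.1.9", "dst": IMDS, "dport": 80, "proto": "tcp"},              # SDK credential fetch
    {"src": "10.0.1.9", "dst": "10.0.0.25", "dport": 25, "proto": "tcp"},       # approved relay
    {"src": "10.0.1.9", "dst": "10.0.0.2", "dport": 53, "proto": "udp", "qname": "api.aliyun.com"},
]

if __name__ == "__main__":
    for host, detail in score_hosts(FLOWS).items():
        print(host, detail)
    print("alert:", alert_hosts(FLOWS))
```

Requiring IMDSv2 (as the PCPJack items above recommend) does not stop an implant that already runs on the instance, since it can perform the token handshake itself; that is why the metadata indicator is scored rather than treated as a verdict, and why the host-side checks the report lists (unknown ELF binaries) still matter.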

Bitcoin Depot Breach: $3.66M Stolen from Company Wallets

🪙 Bitcoin Depot confirmed on March 23, 2026 that an unauthorized actor accessed portions of its corporate IT environment and transferred approximately 50.903 BTC (about $3.665 million) from company-controlled wallets. The operator of more than 25,000 Bitcoin ATMs said it promptly activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement while believing customer platforms and systems were not affected. On April 6, the company declared the incident material and warned that its cyber insurance may not cover all losses as the investigation continues.
read more →

Snowflake Customers Targeted After SaaS Integrator Breach

๐Ÿ” Over a dozen companies experienced data theft after attackers used stolen authentication tokens from a breached SaaS integrator to access cloud accounts. The majority of observed incidents targeted Snowflake, which reported "unusual activity" and said a small number of customer accounts were impacted. Snowflake emphasized that its systems were not compromised and that it locked down potentially affected accounts and notified customers. BleepingComputer sources point to an alleged breach at Anodot, and the extortion gang ShinyHunters claims responsibility.
read more โ†’

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks, driven by identity theft and exposed services, enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.
read more →