All news with #cross-tenant access tag

Adobe Analytics ingestion bug leaked customer data

⚠️ Adobe warns that a performance optimization change to Adobe Analytics data collection introduced an ingestion bug on September 17, 2025 at 12:20 UTC that caused some organizations' tracking fields to be overwritten with values from other customers' streams. Adobe reverted the change on September 18 at 11:00 UTC, said the issue was not caused by malicious activity, and reported roughly 3–5% of collected rows were corrupted. Impacted channels include Data Feeds, Live Stream, scheduled reports, and downstream products; Adobe has instructed affected customers to immediately delete any data received during the incident window while engineering teams cleanse impacted datasets.

Storm-0501 Exploits Entra ID to Exfiltrate Azure Data

🔐 Microsoft Threat Intelligence reports that the financially motivated actor Storm-0501 has refined cloud-native techniques to rapidly exfiltrate and delete data in hybrid Azure environments. The group leveraged on-premises footholds—using tools such as Evil-WinRM and a DCSync attack—to compromise an Entra Connect server and identify a non-human synced Global Admin account without MFA. With that account the attackers registered a threat actor-owned federated tenant as a backdoor, escalated Azure privileges, and proceeded to mass-extract data and remove resources and backups before extorting victims through compromised Microsoft Teams accounts. Microsoft has updated Entra ID behavior, released Entra Connect 2.5.3.0 to support Modern Authentication, and recommended enabling TPM, enforcing MFA, and other hardening controls.

Salesloft OAuth Breach via Drift AI Exposes Salesforce Data

🔒 A campaign tied to threat actor UNC6395 exploited compromised OAuth and refresh tokens associated with the Drift chat integration to exfiltrate data from Salesforce instances connected via Salesloft. Observed between Aug 8 and Aug 18, 2025, the actor executed targeted queries to retrieve Cases, Accounts, Users and Opportunities and hunted for credentials such as AWS access keys and Snowflake tokens. Salesloft and Salesforce invalidated tokens, removed Drift from AppExchange, and advised affected customers to re-authenticate integrations and rotate credentials.

postMessage Risks: Token Exposure and Trust Boundaries

🔒 MSRC presents a deep dive into misconfigured postMessage handlers across Microsoft services and the systemic risk posed by overly permissive trust models. The report, authored by Jhilakshi Sharma on August 25, 2025, documents token exfiltration, XSS, and cross-tenant impact in real-world case studies including Bing Travel, web.kusto.windows.net, and Teams apps. It summarizes mitigations such as removing vulnerable packages, tightening Teams app manifests, enforcing strict origin checks for postMessage, and applying CSP constraints to reduce attack surface.

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

Defending Against SCATTERED SPIDER with Falcon SIEM

🔒 Falcon Next-Gen SIEM provides real-time, cross-domain detection to help organizations detect and respond to the identity-centric eCrime group SCATTERED SPIDER. The platform correlates identity, cloud, SaaS, network and email telemetry, offering out-of-the-box rule templates for phishing, MFA fatigue, suspicious SSO events and exfiltration. CrowdStrike recommends comprehensive log ingestion and tuning of these templates to improve detection and response across the full attack lifecycle.

Microsoft Patch Tuesday: August 2025 Security Fixes

🔒 Microsoft released fixes for more than 100 vulnerabilities in August 2025, including at least 13 rated Critical. Notable flaws include CVE-2025-53786, which lets attackers pivot from compromised on‑premises Exchange Server instances into cloud tenant services, and CVE-2025-53779 (BadSuccessor), a Kerberos dMSA weakness that can yield domain admin rights. Other high‑risk bugs affect GDI+, Word preview and NTLM; several fixes require configuration steps beyond patch installation.

AWS Nitro protections shield EC2 from L1TF Reloaded

🔒 AWS confirms that guest data on instances running on the Nitro System and Nitro Hypervisor is not at risk from the research known as L1TF Reloaded, and no additional customer action is required. The researchers demonstrate that the technique chains half-Spectre gadgets with L1 Terminal Fault (L1TF) to transiently leak data on some hypervisors, but Nitro’s security-first architecture prevented data extraction. Nitro’s design relies on eXclusive Page Frame Ownership (XFPO) secret hiding, a minimal hypervisor footprint, and layered mitigations; AWS also notes coordinated disclosure and that it sponsored part of the research.