ciso brief

All news with #infrastructure security tag

161 articles

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

Azure IaaS: System-Level Approach for High Performance

🔧 This third post in the Azure IaaS series argues that cloud performance must be managed as a coordinated system across compute, storage, and networking rather than as isolated resource choices. It highlights platform features like Azure Boost, Ultra Disk, and Premium SSD v2 that offload processing, tune I/O, and decouple capacity from throughput. The article examines requirements for AI, cloud-native, and business-critical workloads and explains how Azure services such as AKS, Azure Container Storage, ExpressRoute, and advanced networking (eBPF/Cilium, Accelerated Networking) combine to deliver consistent, scalable, and recoverable performance.

Windows 11 May Patch Fails Due to EFI Partition Size

⚠️ Some Windows 11 devices fail to complete Microsoft’s May Security Update when the EFI System Partition (ESP) has roughly 10MB or less free, producing the rollback message "Something didn’t go as planned. Undoing changes." Microsoft suggested a registry tweak or rollback while consultants warn this leaves endpoints unpatched and undermines trust in update validation. Experts recommend resizing partitions, testing fixes, and adding ESP checks to endpoint health.

Amazon EVS expands capacity to support 32 ESXi hosts

📢 Amazon Elastic VMware Service (Amazon EVS) now supports up to 32 ESXi hosts per environment, doubling the previous 16-host limit. You can place hosts within VMware Cloud Foundation domains as a single large cluster, multiple smaller clusters, or combinations that match operational requirements, and submit a service quota increase to scale. This capability is available in all regions where Amazon EVS is offered and aims to reduce the overhead of managing multiple environments.

Fleet-Wide A/B Experimentation for Infrastructure at Scale

🔬 At Google, A/B experimentation extends beyond UI tweaks to critical infrastructure components like kernels, memory allocators, and schedulers. They run machine-level experiments on representative 1% subsets of the fleet to avoid selection bias and capture system-wide effects across colocated workloads. The framework enforces binary hermeticity and a strict two-step rollout so experiments can be activated and rolled back safely. Performance is assessed using application-defined productivity metrics, machine counters, and reliability signals.

Amazon EC2 U7i High Memory Instances in Paris Region

🚀 Amazon Web Services has launched EC2 High Memory U7i instances in the AWS Europe (Paris) region, adding u7i-12tb.224xlarge and u7in-16tb.224xlarge. These 7th-generation instances use custom 4th-generation Intel Xeon Scalable (Sapphire Rapids) processors and provide 12 TiB or 16 TiB of DDR5 memory with 896 vCPUs. They offer up to 100 Gbps of Amazon EBS bandwidth, ENA Express, and up to 200 Gbps network bandwidth on the 16 TiB variant, delivering up to 45% better price performance versus prior U-1 instances. They are intended for mission-critical in-memory databases such as SAP HANA, Oracle, and SQL Server.

Automating PQC Readiness for AWS TLS Endpoints with Config

🔒 The PQC Readiness Scanner automates inventory and continuous monitoring of AWS-terminated TLS endpoints — Application Load Balancer (ALB), Network Load Balancer (NLB), and Amazon API Gateway — to evaluate TLS policies for Post-Quantum Cryptography (PQC) readiness. It classifies endpoints into a three-tier framework (Tier 1: PQ-ready, Tier 2: PQ-ready with backward compatibility, Tier 3: not PQ-ready) and returns COMPLIANT/NON_COMPLIANT results with policy recommendations. Built as an AWS Config conformance pack with custom rules and Lambda functions, it supports organization-wide deployment via CloudFormation StackSets and S3-hosted artifacts. The scanner reduces manual review, tracks migration progress across accounts, and helps prioritize upgrades to TLS 1.3 with PQC key exchange.

ClickHouse query-plan contention and performance fixes

🔧 At Cloudflare we encountered severe query slowdowns after changing partitioning for a large ClickHouse table to support per-namespace retention; the migration aimed to enable tenant-specific TTLs without thousands of tables. Usual metrics (I/O, memory, rows scanned, parts read) looked normal, but flame graphs exposed heavy lock contention in query planning and costly copies of a giant parts vector. We implemented shared locks, a shared cached parts view, and a binary-search-based prune on the partition key to avoid linear scans. These patches dramatically reduced SELECT latency and were contributed upstream.

Resilient by Design: When Networks Become Targets Now

🔒 Organizations have long focused on cyber defenses against breaches and ransomware, but new geopolitical tensions show major disruptions can originate in the physical world and target cloud and network infrastructure. As cloud systems become integral to national economies, the network itself becomes an attack surface requiring resilient-by-design architecture. Enterprises must embrace operational resilience, redundancy, and distributed controls to mitigate physical and systemic risks.

Zero Trust Often Fails at the Traffic Enforcement Layer

🛡️ Organizations commonly implement strong identity, authentication, and access policies under a zero-trust strategy, yet enforcement at the network traffic layer is frequently inconsistent. Gaps appear across ingress paths, load balancers, CDNs, TLS termination, and east–west service communication, allowing traffic to bypass identity controls. Successful programs treat the traffic plane as the primary enforcement point: standardizing ingress, enforcing strict TLS baselines and mTLS, normalizing requests, and maintaining end-to-end telemetry. The core message: mindset and policy alone are insufficient without consistent traffic-layer enforcement.

Securing Open Proxies in Your AWS Environment: Guidance

🔒 This AWS Security Blog post explains how to identify and secure open proxies in your AWS environment to prevent abuse, protect IP reputation, and control costs. It describes common proxy types—HTTP, SOCKS, transparent, and reverse—and the risks they introduce when misconfigured on EC2 instances, containers, and serverless functions. The guidance recommends strict access controls and authentication, deploying proxies in private subnets or via AWS PrivateLink, and restricting security groups and load balancers. It also emphasizes monitoring with VPC Flow Logs, CloudTrail, and GuardDuty, automated remediation, regular assessments with Amazon Inspector, and keeping incident response runbooks current.

Azure IaaS: Defense in Depth and Secure-by-Design Principles

🔒 Azure IaaS combines a layered defense-in-depth architecture with Microsoft’s Secure Future Initiative—secure by design, secure by default, and secure in operation—to protect compute, networking, storage, and operations. Hardware roots of trust, measured boot, and host isolation reduce platform exposure while VM protections such as Trusted Launch and confidential computing guard workloads at runtime. Network defaults enforce least privilege and private connectivity, and centralized telemetry in Azure Monitor and Defender for Cloud enables continuous detection and response.

Code Orange: Fail Small Complete — Stronger Cloudflare

🔧 Cloudflare completed its Code Orange: Fail Small program after two quarters of focused engineering in response to the November 18 and December 5, 2025 global outages. The work delivers safer configuration deployments through Snapstone, improved failure modes and segmentation to reduce blast radius, and revised break-glass and communications practices. Changes are codified in a mandatory Codex enforced by AI reviews to prevent regressions.

AWS Outposts adds LagStatus CloudWatch metric globally

🔔 AWS Outposts racks now publish the LagStatus Amazon CloudWatch metric so operators can monitor Link Aggregation Group (LAG) connectivity directly from CloudWatch. A metric value of 1 denotes the LAG is operational and forwarding traffic, while 0 indicates it is down. The metric is available in all AWS commercial Regions and both AWS GovCloud (US-East and US-West) Regions where Outposts racks are supported. Use it with existing VifConnectionStatus and VifBgpSessionState metrics to isolate LAG, VIF, or BGP problems quickly.

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.

Amazon EVS adds i7i.metal-24xl EC2 bare-metal support

🚀 Amazon Elastic VMware Service (Amazon EVS) now supports the i7i.metal-24xl Amazon EC2 bare-metal instance, providing a lower-core-count option with a 5th-generation Intel Xeon processor. This delivers improved cost-performance and scaling flexibility for VMware-based workloads on EVS. Customers can expect up to 23% better compute performance and over 10% better price performance versus i4i for x86 storage-optimized use cases. The release is available in Regions that offer both Amazon EVS and EC2 i7i.

Amazon FSx OpenZFS Single-AZ (HA) Now Adds 17 Regions

📣 You can now create Amazon FSx for OpenZFS Single-AZ (HA) file systems in 17 additional AWS Regions across South America, Europe, Africa, Asia Pacific, and AWS GovCloud (US). FSx for OpenZFS delivers sub-millisecond latencies, multi-GB/s throughput, and ZFS capabilities such as snapshots, data cloning, and compression. The Single-AZ (HA) option is a cost-effective choice for workloads that require high availability within a single AZ but do not need cross-AZ storage redundancy.

Researchers Demonstrate Fiber-Optic Eavesdropping Limits

🔍 Researchers from three Hong Kong universities demonstrated a method to extract acoustic information from fiber-optic cables by measuring vibration-induced changes in the optical signal. Their experiments showed that strong vibrations such as footsteps can be detected remotely, but clear human speech was not recoverable without a local audio-to-vibration converter or significant control over provider equipment. The attack relies on sending optical pulses and measuring Rayleigh scattering-related deviations, and while technically feasible, it remains an unlikely and costly targeted threat requiring access to the Optical Distribution Network or an implanted converter to amplify audio signals.

Google Cloud Compute: Fluid scaling for AI and Core

🚀 Google Cloud announced a set of compute updates at Next ’26 designed to run agentic AI alongside general-purpose workloads with improved performance and lower cost. Highlights include GA for Axion N4A CPUs and GKE Agent Sandbox on Axion N4A, preview of bare-metal C4A.metal, expanded Intel Xeon 6 C4 shapes, and new high-throughput networking and Hyperdisk storage options. These changes aim to provide adaptive, secure execution sandboxes, greater I/O and network bandwidth, and flexible pricing to avoid provisioning bottlenecks and reduce TCO.

Google Cloud Unveils AI Hypercomputer for Agentic AI

🤖 Google announced its AI Hypercomputer — a unified infrastructure stack built to support agentic AI — at Google Cloud Next. The announcement bundles new hardware and software, including TPU 8t and TPU 8i, A5X GPU instances, Axion N4A CPUs, the Virgo Network, and major storage and GKE upgrades. Google says the stack is designed to accelerate training and inference, reduce latency, and improve cost and energy efficiency for large-scale, agent-native applications.