CloudSec Wine

🔶 From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns. https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign #aws

🔶🔴 GCP Workload Identity Federation with AWS ECS Tasks GCP Workload Identity Federation does not support AWS ECS tasks out of the box. Here is why and what you can do about it. https://agarabhishek.com/posts/gcp-workload-identity-federation-with-aws-ecs-tasks/ #aws #gcp

👩‍💻 Copilot Broke Your Audit Log, but Microsoft Won’t Tell You This article reveals a vulnerability in Microsoft 365 Copilot where users could access files without generating audit log entries by simply asking Copilot to omit file links. Microsoft fixed but chose not to disclose this issue. https://pistachioapp.com/blog/copilot-broke-your-audit-log #azure

🔶 AWS Shield network security director (preview) Use network security director to understand your AWS security configuration and to explore ways to strengthen it. https://docs.aws.amazon.com/waf/latest/developerguide/nsd-chapter.html (Use VPN to open from Russia) #aws

👩‍💻 Cloud forensics: Why enabling Microsoft Azure Storage Account logs matters Although often overlooked, Azure Storage logs can provide invaluable insights for digital forensics, helping investigators reconstruct attacker activity, trace data access patterns, and detect anomalies. https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/cloud-forensics-why-enabling-microsoft-azure-storage-account-logs-matters/4445723 #azure

🔶 Use scalable controls to help prevent access from unexpected networks AWS has introduced three new global condition keys for scalable access controls based on request origin: aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID. https://aws.amazon.com/blogs/security/use-scalable-controls-to-help-prevent-access-from-unexpected-networks/ (Use VPN to open from Russia) #aws

👩‍💻 Illicit Consent-Granting & App Backdooring – Obtaining persistence in Entra This article details how attackers exploit Entra ID through OAuth consent injection and app backdooring, covering attack flows, MITRE ATT&CK mappings, detection strategies, and prevention methods for maintaining persistence in Azure environments. https://www.slashid.com/blog/entra-app-backdooring/ #azure

🔶 Sandboxed to Compromised: Credential Exfiltration Paths in AWS Code Interpreters The article discusses security vulnerabilities in AWS Code Interpreters, particularly focusing on sandboxed environments, and demonstrates that even sandboxed interpreters can access certain AWS services like S3, and their role credentials can be extracted through the Metadata Service. https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/ (Use VPN to open from Russia) #aws

🔶 Simplify multi-tenant encryption with a cost-conscious AWS KMS key strategy An efficient approach to managing encryption keys in a multi-tenant SaaS environment through centralization, addressing challenges like key proliferation, rising costs, and operational complexity across multiple AWS accounts and services. https://aws.amazon.com/ru/blogs/architecture/simplify-multi-tenant-encryption-with-a-cost-conscious-aws-kms-key-strategy/ (Use VPN to open from Russia) #aws

🔶 AWS CDK and SaaS Provider Takeover This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections. https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html (Use VPN to open from Russia) #aws

🔶 A new type of long-lived key on AWS: Bedrock API keys AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions. https://www.wiz.io/blog/a-new-type-of-long-lived-key-on-aws-bedrock-api-keys (Use VPN to open from Russia) #aws

🔶 AWS CDK and SaaS Provider Takeover This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections. https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html #aws

🔴 From silos to synergy: New Compliance Manager, now in preview Google Cloud Compliance Manager, now in preview, can help simplify and enhance how organizations manage security, privacy, and compliance in the cloud. https://cloud.google.com/blog/products/identity-security/streamline-auditing-compliance-manager-is-now-in-preview/ #gcp

🔴 Now available: Cloud HSM as an encryption key service for Workspace client-side encryption To help highly-regulated organizations meet their encryption key service obligation, Google is now offering Cloud HSM for Google Workspace CSE customers. https://cloud.google.com/blog/products/identity-security/introducing-cloud-hsm-as-an-encryption-key-service-for-workspace-cse/ #gcp

🔶 Another ECS Privilege Escalation Path Post covering a privilege escalation vector which relies on using functionality designed for the ECS agent to self-register a compromised EC2 and override a task definition. https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path #aws

🔶 Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap. https://securitylabs.datadoghq.com/articles/enumerating-aws-the-quiet-way-cloudtrail-free-discovery-with-resource-explorer/ #aws

🔶 Using AWS Certificate Manager as a covert exfiltration mechanism This article demonstrates how AWS Certificate Manager can be exploited as a data exfiltration mechanism by storing arbitrary data in X.509 certificates' nsComments extension, allowing up to 2MB per certificate. https://me.costaskou.com/articles/acmfs/ #aws

🔶 Introducing AWS Cloud Control API MCP Server This MCP server allows to create, read, update, delete, and list resources using natural language. https://aws.amazon.com/ru/blogs/devops/introducing-aws-cloud-control-api-mcp-server-natural-language-infrastructure-management-on-aws/ #aws

🔶 Malware analysis on AWS: Setting up a secure environment The basic steps to build isolated sandbox environments, robust security controls, and proper monitoring policies to safely analyze malware. https://aws.amazon.com/ru/blogs/security/malware-analysis-on-aws-setting-up-a-secure-environment/ #aws

👩‍💻 OAuthSeeker: Leveraging OAuth Phishing for Initial Access and Lateral Movement on Red Team Engagements The Praetoran Labs team researched initial access vectors for red team engagements, focusing on malicious applications distributed through platforms like the Microsoft Store, including OAuth applications and malicious Outlook extensions. https://www.praetorian.com/blog/oauthseeker-leveraging-oauth-phishing-for-initial-access-and-lateral-movement-on-red-team-engagements/ #azure