Release Date: 23/02/2025 | Issue: 276
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Cloud Data Security: AWS Best Practices
In this Varonis session, our cloud security experts provide essential best practices to help you maintain a secure AWS environment. You’ll discover new strategies that will help continually strengthen your cloud security posture, enforce least privilege, and fix misconfigurations when they arise. About Varonis: Your all-in-one SaaS platform to automatically find critical data, remediate exposure, & stop threats in the cloud and on-premises.
Watch on-demand now

This week's articles


Locked Out, Dropboxed In: When BEC threats innovate
Between January and February 2025, an opportunistic Business Email Compromise (BEC) threat actor carried out an Adversary-In-The-Middle (AiTM) attack against a professional services organization.   #attack   #defend   #saas


The Cat Flap - How to really Purrsist in AWS Accounts
A playful guide to creating covert backdoors in AWS accounts, specifically using the AWSControlTowerExecution role.   #attack   #aws


Investigating Anonymous VPS services used by Ransomware Gangs
Post investigating a small UK-based hosting provider that appear to have been misused by cybercriminals to host command-and-control (C2) servers via their Anonymous VPS service.   #attack   #saas


Abusing AWS Serverless Image Handler
The AWS solution "Dynamic Image Transformation for Amazon CloudFront", previously known as "AWS Serverless Image Handler", contains a configuration weakness where the role associated with the Lambda does not constrain which buckets can be accessed. The environment variable can be set to a wildcard allowing access to any bucket.   #attack   #aws


GymTok: Breaking TLS Using the Alt-Svc Header
Ever wondered what the Alt-Svc response header is used for? Turns out it can be used to become a Man-in-the-Middle and attack TLS!   #attack


6 Months of Researching OAuth Application Attacks
Huntress has spent the last 6 months researching and cracking down on malicious OAuth applications.   #attack   #defend   #saas


Emulating AWS S3 SSE-C Ransom for Threat Detection
Article exploring how threat actors leverage Amazon S3's Server-Side Encryption with Customer-Provided Keys (SSE-C) for ransom/extortion operations.   #attack   #aws


How Did Singapore Bypass Your US-Only Conditional Access?
Microsoft's geolocation service misidentified the Singapore logins as originating from the Eastern Seaboard (New York, New Jersey, Virginia).   #attack   #azure

Sponsor

Stop Missing Critical Vulnerabilities Your SAST Can't See
Traditional SAST tools generate endless false positives while missing complex vulnerabilities that matter. ZeroPath uses AI to deeply understand your codebase, catching everything from SQL injection to broken authentication—the same technology that helped us scalably discover zero-days in public repositories. Eliminate noise and catch real threats with automated security reviews and one-click patches that developers actually want to use.
Schedule a demo to see how AI transforms SAST

Tools


rogueapps
This repository documents TTPs associated with OIDC/OAuth 2.0 application attacks.


ExtensionHound
A security analysis tool that identifies DNS queries made by browser extensions, empowering security teams to detect and investigate suspicious activities.


cazadora
Simple hunting script for suspicious M365 OAuth Apps.


aws-cross-region-dr-databases
Automate Cross Region DR Solution for AWS Databases (RDS, Aurora and ElastiCache).

From the cloud providers


#AWS   AWS CloudTrail network activity events for VPC endpoints are now generally available
You can enable network activity events for VPC endpoints for five AWS Services: S3, EC2, KMS, Secrets Manager, and CloudTrail.


#AWS   Introducing the AWS Trust Center
Amazon launched the AWS Trust Center, a new online resource that shares how they approach securing customer assets in the cloud.


#AWS   How to restrict Amazon S3 bucket access to a specific IAM role
How to restrict S3 bucket access to a specific IAM role or user within an account by using the Conditions element.


#GCP   The Google Workspace Policy API is now generally available
The Policy API lets super admins programmatically access information regarding how their Google Workspace environment service level settings and rules are configured.


#GCP   Announcing quantum-safe digital signatures in Cloud KMS
Google announced quantum-safe digital signatures (FIPS 204/FIPS 205) in Google Cloud Key Management Service (Cloud KMS) for software-based keys, available in preview.


#GCP   Workspace data loss protection (DLP) for Gmail is now generally available
Data Loss Prevention (DLP) is generally available in Gmail, alongside Drive and Chat.


#AZURE   Securing DeepSeek and other AI systems with Microsoft Security
Microsoft Security can also be used to help enterprises secure and govern AI apps built with the DeepSeek R1 model.

Business News

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present CloudSecList · Marco Lancini