Release Date: 01/06/2025 | Issue: 290
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Ask CloudSecList: Now Live!

Newsletters are great but they're static. What if you could chat with one instead?

This week I started a small experiment: I've made CloudSecList conversational.
I turned 6+ years of CloudSecList newsletters and CloudSecDocs articles into something you can actually query. Ask about that container security tool from last year. Or AWS guardrails. Or whatever you half-remember.
No more scrolling through old issues or bookmarking tools you'll forget about.

Test it out and let me know what breaks:

cloudseclist.com/ask/
Sponsor

Learn how to detect, prioritize, and remediate misconfigurations across your cloud assets
Datadog Cloud Security Posture Management (CSPM) helps continuously surface security weaknesses resulting from misconfigurations across all cloud assets, including cloud accounts and containers. In this product brief, youโ€™ll learn how to:
  • Get a view of all your cloud assets in minutes
  • Continuously scan assets for misconfigurations and assess risk
  • Maintain compliance with industry standards
Read the brief

This week's articles


Hunting Adversarial Cloudflared Instances
Ransomware affiliates have long since abused Cloudflared tunnels to maintain persistent access to compromised environments. These tunnels can be utilized as a strong indicator of compromise when examined at-scale.   #attack   #cloudflare   #monitor


Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses.   #ai   #attack   #ci/cd


GitHub MCP Exploited: Accessing private repositories via MCP
Post showcasing a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data.   #ai   #attack   #ci/cd


Google Spoofed Via DKIM Replay Attack
Learn how a convincing Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena. A real-world phishing example you need to see.   #attack   #gsuite


Salesforce Connected Apps: Navigating NHI Security Risks and Best Practices
Salesforce security sits in this weird no-man's-land. It's not clearly IT's job, not entirely the security team's responsibility, and sometimes falls partly on the Sales Ops roles in the business units themselves. Figuring out who truly "owns" permission management can turn into a serious headache.   #iam   #saas


Removing GitHub PATs and Private Keys From Google Cloud: Extending Token Server to Google Cloud
This article introduces the technologies, challenges, and solutions behind extending Token Server and migrating workloads on Google Cloud to use short-lived credentials.   #build   #ci/cd   #gcp   #iam


How Out-of-the-Box Helm Charts Can Breach Your Cluster
While these plug-and-play options greatly simplify the setup process, they often prioritize ease of use over security. As a result, a large number of applications end up being deployed in a misconfigured state by default, exposing sensitive data, cloud resources, or even the entire environment to attackers.   #attack   #kubernetes


Inside GitHub: How we hardened our SAML implementation
How GitHub addressed the challenges of securing their SAML implementation with this behind-the-scenes look at building trust in their systems.   #ci/cd   #defend   #iam

Sponsor

Your IDP doesn't catch everything, Stitchflow does

Stitchflow closes the critical 40% gap in your accounts that are not automatically deprovisioned by your IDP and lifecycle workflows. It continuously tracks every app, including non-SSO, contractor-heavy and legacy systems, and finds and fixes orphaned, hidden and unused accounts. Eliminate manual offboarding, security risk, wasted licenses, and compliance misses, all for less than the cost of a single appโ€™s SSO plan.
Track and fix your access gaps โ€” See Stitchflow in action

Tools


kubectl-rexec
Tooling to make audited kubectl exec easy. You can also refer to the companion blog post.


toolhive
Run and manage MCP servers easily and securely.


boto3-refresh-session
A simple Python package for refreshing AWS temporary credentials in boto3 automatically.


mcp-injection-experiments
Code snippets to reproduce MCP tool poisoning attacks.

From the cloud providers


#AWS   How to set up and track SLAs for resolving Security Hub findings
Step-by-step instructions for tracking Security Hub findings in each severity category against service-level agreements (SLAs) through visual dashboards.


#GCP   Mark Your Calendar: APT41 Innovative Tactics
Post which analyzes the malware delivery methods, technical details of the malware attack chain, discuss other recent APT41 activities, and share indicators of compromise (IOCs) to help security practitioners defend against similar attacks.


#GCP   Safer automated deployments with new Cloud Deploy features
New automations in the Cloud Deploy continuous delivery platform help keep production environments reliable and up-to-date.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present CloudSecList ยท Marco Lancini