Release Date: 23/11/2025 | Issue: 315
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Cloudflare outage on November 18, 2025
Cloudflare suffered a service outage on November 18, 2025. The outage was triggered by a bug in the generation logic for a Bot Management feature file, which affected many Cloudflare services.   #cloudflare   #announcement


Ingress NGINX Retirement: What You Need to Know
Kubernetes SIG Network announced the retirement of Ingress NGINX. Best-effort maintenance continues until March 2026, then no further releases or security updates. Users should migrate to Gateway API or alternative Ingress controllers immediately.   #kubernetes   #announcement


Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise
Unit 42 recently assisted a global data storage and infrastructure company that experienced a destructive ransomware attack. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a 42-day compromise that exposed critical gaps.   #attack   #defend


Terraform Stacks: A Deep-Dive for Azure Practitioners in Europe
This article explores Terraform Stacks for Azure on HCP Terraform EU. It covers designing stacks with components and deployments, building modules, configuring authentication via OIDC, passing data between stacks, and operational tasks like provisioning and managing stacks at scale.   #terraform   #iac   #azure


Weaponizing the AWS CLI for Persistence
This article demonstrates weaponizing AWS CLI aliases for stealthy persistence. A one-liner dynamically toggles alias activation to execute malicious payloads while preserving original command functionality, evading detection. The technique exfiltrates credentials post-execution and persists across sessions, useful for red team operations.   #aws   #attack


Managing Privileged Roles in Microsoft Entra ID
A three-tier model for classifying privileged Microsoft Entra ID roles: Tier 0 (core tenant administration/security), Tier 1 (major service component administration), and Tier 2 (limited-scope/read-only). Each tier has defined security controls, addressing inconsistencies in Microsoft's privileged role documentation.   #azure   #iam   #explain

Tools


Google Antigravity
A new agentic IDE from Google.


uncloud
A lightweight tool for deploying and managing containerised applications across a network of Docker hosts. Bridging the gap between Docker and Kubernetes.


mailgoose
A web application that lets users check whether their SPF, DMARC and DKIM configuration is set up correctly.


metis
An open-source, AI-driven tool for deep security code review.

AI


How to write a great agents.md: Lessons from over 2,500 repositories
A guide on how to write effective agents.md files for GitHub Copilot with practical tips, real examples, and templates from analyzing 2,500+ repositories.


SesameOp: Novel backdoor uses OpenAI Assistants API for command and control
Microsoft discovered SesameOp, a backdoor using OpenAI Assistants API for command-and-control communications. The malware employs .NET AppDomainManager injection, encryption, and compression to maintain stealth. Discovered during incident response in July 2025, it enabled long-term espionage persistence.


Practical LLM Security Advice from the NVIDIA AI Red Team
NVIDIA's AI Red Team identifies three critical LLM vulnerabilities: executing LLM-generated code via exec/eval enabling remote code execution, insecure RAG data store access control allowing data leakage and injection, and active content rendering in outputs enabling data exfiltration through malicious links/images.

From the cloud providers


#AWS   Simplified developer access to AWS with ‘aws login’
A new AWS Command Line Interface (AWS CLI) command, aws login, lets you start building immediately after signing up for AWS without creating and managing long-term access keys. You use the same sign-in method you already use for the AWS Management Console.


#AWS   AWS Organizations introduces direct account transfers between organizations
AWS Organizations now provides customers the ability to directly transfer an account to a different organization without first having to remove the account from their current organization.


#AWS   AWS CloudTrail adds data event aggregation to simplify security monitoring
Aggregation for data events streamlines security monitoring by consolidating high-volume AWS API activity into 5-minute summaries. These summaries highlight key trends like access frequency, error rates, and most-used actions, allowing teams to quickly identify patterns while maintaining access to detailed events when needed.


#AWS   Simplify access to external services using AWS IAM Outbound Identity Federation
AWS IAM now enables outbound identity federation, allowing developers to securely authenticate AWS workloads with external services using short-lived JSON Web Tokens instead of storing long-term credentials like API keys and passwords.


#GCP   Introducing the Emerging Threats Center in Google Security Operations
Google introduces the Emerging Threats Center in Google Security Operations, powered by Gemini AI. It automates detection engineering by ingesting threat intelligence, generating synthetic events, testing coverage, and creating detection rules to help security teams rapidly assess exposure and defensive posture against emerging threats.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini