aws

Lone Attacker Uses AI to Breach AWS Cloud Environment in 72 Hours

A lone attacker leveraged AI-driven workflows to quickly exploit multiple weaknesses across an AWS cloud environment, conducting extensive reconnaissance, credential harvesting, and deployment pipeline abuse within 72 hours, leading to financial extortion of a major Amazon customer. The attacker chained together vulnerabilities in applications, cloud resources, and CI/CD pipelines to systematically steal secrets, create backdoors, and disrupt operations, demonstrating an accelerated attack tempo enabled by AI. Security experts warn organizations must enhance automated detection, response capabilities, and containment procedures to address the increased speed and scale of AI-assisted cloud attacks.

https://www.darkreading.com/cloud-security/lone-attacker-ai-breach-aws-cloud-environment

European Commission Investigating Breach After Amazon Cloud Account Hack

The European Commission is investigating a security breach after a threat actor accessed one of its Amazon Web Services cloud accounts, reportedly stealing over 350 GB of data including multiple databases. Although AWS confirmed no security incident on their platform, the Commission’s cybersecurity team detected the attack quickly, and the threat actor has stated intentions to leak the stolen data online without extorting the Commission.

https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/

CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig

Wiz Research uncovered a critical vulnerability, named CodeBreach, in AWS CodeBuild that allowed unauthorized access to key AWS GitHub repositories, notably the JavaScript SDK for the AWS Console. This flaw, stemming from unanchored regex filters in build triggers, let attackers exploit CI/CD processes to extract sensitive credentials, potentially compromising many AWS accounts. Recommendations for safeguarding against such vulnerabilities include implementing strict build gates and securing GitHub connections. AWS promptly remediated the issue and issued additional hardening measures in response to the findings. The incident underscores the increasing targeting of CI/CD environments by attackers.

https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild

Botnet Takes Advantage of AWS Outage to Smack 28 Countries

Mirai-based botnet ShadowV2 emerged during an AWS outage, infecting IoT devices globally and potentially testing for future attacks, as reported by Fortinet. It exploited device vulnerabilities to orchestrate DDoS attacks, affecting 28 countries across various sectors. Although its activity was limited to the outage period, it highlights ongoing IoT security weaknesses, prompting calls for better device protection and monitoring.

https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/

A Single DNS Race Condition Brought AWS to Its Knees

A race condition in Amazon's DynamoDB DNS management caused a major outage, disrupting services and estimated damage in the hundreds of billions. The error began on October 19, 2025, when the system left an empty DNS record due to a timing conflict between DNS planners and enactors. This led to widespread failures, impacting EC2 launches and other AWS services. Amazon has suspended the affected automation until fixes are implemented.

https://www.theregister.com/2025/10/23/amazon_outage_postmortem/

Summary of the Amazon DynamoDB Service Disruption in the Northern Virginia (US-EAST-1) Region

DynamoDB Incident Summary (Oct 19-20, 2025): Service disruption occurred in N. Virginia (us-east-1) due to DNS failures affecting API, EC2, NLB, and other services. Latent defect in DNS management led to failed connections and increased errors across multiple AWS services. Recovery actions taken included engineering interventions and system restarts, with full services restored by Oct 20. Improvements planned to prevent recurrence and enhance reliability.

https://aws.amazon.com/message/101925/

How Attackers Abuse S3 Bucket Namesquatting — And How to Stop Them

TLDR: S3 bucket namesquatting exploits predictable naming in AWS S3 buckets, allowing attackers to hijack or manipulate them. Users often rely on default naming conventions, making it easy for bad actors to pre-register bucket names. This leads to security risks, including data breaches and compromised traffic. To prevent this, users should customize bucket names, ensure proper security configurations, and regularly audit for vulnerabilities. Varonis offers solutions for identifying and mitigating risks associated with S3 bucket namesquatting.

https://www.bleepingcomputer.com/news/security/how-attackers-abuse-s3-bucket-namesquatting-and-how-to-stop-them/

Ransomware Abuses Amazon AWS Feature to Encrypt S3 Buckets

Ransomware called “Codefinger” is exploiting AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt Amazon S3 buckets, demanding ransoms for decryption keys. Victims lose access to data since AWS doesn't store encryption keys. Attackers use compromised credentials to encrypt data and threaten deletion if victims alter files. Amazon advises customers to implement strict security measures, including disabling unnecessary SSE-C, rotating keys, and minimizing account permissions.

https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/

Scroll to Top