cloud

Lone Attacker Uses AI to Breach AWS Cloud Environment in 72 Hours

A lone attacker leveraged AI-driven workflows to quickly exploit multiple weaknesses across an AWS cloud environment, conducting extensive reconnaissance, credential harvesting, and deployment pipeline abuse within 72 hours, leading to financial extortion of a major Amazon customer. The attacker chained together vulnerabilities in applications, cloud resources, and CI/CD pipelines to systematically steal secrets, create backdoors, and disrupt operations, demonstrating an accelerated attack tempo enabled by AI. Security experts warn organizations must enhance automated detection, response capabilities, and containment procedures to address the increased speed and scale of AI-assisted cloud attacks.

https://www.darkreading.com/cloud-security/lone-attacker-ai-breach-aws-cloud-environment

CISA Admin Leaked AWS GovCloud Keys on Github

A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) publicly exposed highly privileged AWS GovCloud credentials and numerous internal system passwords on a GitHub repository named “Private-CISA,” representing one of the most severe government data leaks in recent history. The exposed files contained plaintext passwords, cloud keys, and sensitive configuration details, posing significant risks for unauthorized access and lateral movement within CISA systems. CISA is investigating the incident, stating no current evidence of data compromise, while security experts condemned the poor security practices involved, which may reflect broader internal issues.

https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

European Commission Investigating Breach After Amazon Cloud Account Hack

The European Commission is investigating a security breach after a threat actor accessed one of its Amazon Web Services cloud accounts, reportedly stealing over 350 GB of data including multiple databases. Although AWS confirmed no security incident on their platform, the Commission’s cybersecurity team detected the attack quickly, and the threat actor has stated intentions to leak the stolen data online without extorting the Commission.

https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/

After Outages, Amazon to Make Senior Engineers Sign Off on AI-assisted Changes

Amazon is experiencing a trend of outages, some linked to AI coding tools, prompting a meeting with engineers to address the issue. The company will require a senior engineer's sign-off for AI-assisted changes and focus on improving website availability. AWS also experienced incidents involving AI coding assistants, including a 13-hour interruption of a cost calculator.

https://arstechnica.com/ai/2026/03/after-outages-amazon-to-make-senior-engineers-sign-off-on-ai-assisted-changes/

CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig

Wiz Research uncovered a critical vulnerability, named CodeBreach, in AWS CodeBuild that allowed unauthorized access to key AWS GitHub repositories, notably the JavaScript SDK for the AWS Console. This flaw, stemming from unanchored regex filters in build triggers, let attackers exploit CI/CD processes to extract sensitive credentials, potentially compromising many AWS accounts. Recommendations for safeguarding against such vulnerabilities include implementing strict build gates and securing GitHub connections. AWS promptly remediated the issue and issued additional hardening measures in response to the findings. The incident underscores the increasing targeting of CI/CD environments by attackers.

https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild

VoidLink: The Cloud-Native Malware Framework

Extreme TLDR: VoidLink is a modular, cloud-native Linux malware framework designed for stealth and long-term access, featuring over 30 plugins, adaptable OPSEC techniques, and developed by possibly Chinese affiliates for commercial use. It targets cloud environments, adapts behavior based on detected security measures, and includes capabilities for credential harvesting and persistence.

https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/

Understanding Cloud Persistence: How Attackers Maintain Access Using Google Cloud Functions

Extreme TLDR: Attackers use Google Cloud Functions and service accounts to maintain access in cloud environments. They automate recovery of deleted accounts through logging and Pub/Sub events, leveraging these features for persistent access despite clean-up efforts.

https://whiteknightlabs.com/2025/11/11/understanding-cloud-persistence-how-attackers-maintain-access-using-google-cloud-functions/

Cloudflare Outage on November 18, 2025

On November 18, 2025, Cloudflare experienced a significant outage affecting core network traffic after a database permission change caused a feature file to double in size, leading to system failures. Initial suspicions of a DDoS attack were disproved as the issue was traced to bad configurations propagated throughout the network. The outage, which resulted in numerous HTTP 5xx error codes and impacted various services, was resolved by reverting to a stable configuration and restarting core proxies. Cloudflare acknowledged the unacceptable nature of the incident and committed to implementing measures to prevent future occurrences.

https://blog.cloudflare.com/18-november-2025-outage/

Scroll to Top