Tag AWS

GCP Cloud Composer Vulnerability Allows Attackers to Elevate Access through Malicious PyPI Packages

Vulnerability in Google Cloud Composer Exposes Privilege Escalation Risk

Recent findings by cybersecurity experts have unveiled a significant vulnerability in the Google Cloud Platform (GCP), specifically within the Cloud Composer service, which orchestrates workflows based on Apache Airflow. This flaw, dubbed “ConfusedComposer,” has since been addressed and could have potentially…

Cloudflare Acknowledges Data Breach Associated with Salesloft Drift Supply Chain Compromise

Cloudflare Confirms Impact from Salesloft Drift Breach

On Tuesday, Cloudflare disclosed that it was affected by the Salesloft Drift breach, confirming that the attackers obtained 104 API tokens associated with its platform. Despite the breach, Cloudflare’s security team, led by Sourov Zaman, Craig Strubhart, and Grant Bourzikas, reported no detected suspicious activity linked…

Commvault CVE-2025-34028 Added to CISA KEV Following Confirmation of Active Exploitation

Critical Vulnerability Discovered in Commvault Command Center

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe security vulnerability affecting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog. This move comes shortly after the flaw, identified as CVE-2025-34028, was publicly disclosed. The vulnerability has been assigned…

Security Flaw in AWS Default IAM Roles Threatens Lateral Movement and Cross-Service Exploitation

Date: May 20, 2025

Cybersecurity researchers have identified default identity and access management (IAM) roles within Amazon Web Services (AWS) that could allow attackers to escalate privileges, manipulate other AWS services, and even compromise accounts entirely. According to Aqua researchers Yakir Kadkoda and Ofek Itach, “These roles, typically created automatically or suggested during setup, grant excessively broad permissions, including full access to S3.” They warn that these default roles create silent attack vectors for privilege escalation and cross-service access, leading to possible account breaches. The cloud security firm pinpointed the problem in default IAM roles established by AWS services such as SageMaker, Glue, EMR, and Lightsail. A similar issue has also been detected in the widely used open-source framework Ray, which generates a default IAM role (ray-autoscaler-v1) that includes the AmazonS3FullAccess policy.
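The finding above comes down to one pattern: an Allow statement whose action list covers S3 object access and whose Resource is "*". The following is an added example for this listing, not Aqua's tooling or anything from the Ray project: it flags that pattern in a set of role policy documents and places the managed-policy shape beside a scoped replacement. The policy documents and the role inventory are constructed for illustration (the bucket name is an assumption), and the check deliberately ignores Conditions and Deny statements elsewhere in the role, so a hit means "review this role", not "confirmed exploitable".

```python
"""Audit IAM role policies for unscoped S3 access and show a scoped replacement.

Added example for this listing; it is not Aqua's research tooling. The policy
documents below are constructed for illustration: AMAZON_S3_FULL_ACCESS mirrors
the shape of the AWS managed policy of that name, and the bucket name in the
scoped policy is an assumption.
"""
import fnmatch

# Constructed: a document with the shape of the AWS managed policy
# AmazonS3FullAccess, which the text says the ray-autoscaler-v1 role carries.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "s3-object-lambda:*"],
         "Resource": "*"}
    ],
}

# Constructed least-privilege replacement: one bucket, only the actions an
# autoscaler needs to read and write its artifacts (bucket name assumed).
SCOPED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-ray-artifacts"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-ray-artifacts/*"},
    ],
}

# Probe actions: if a statement lets a principal read, write or delete
# arbitrary objects in every bucket, it is the "full access to S3" pattern.
S3_PROBES = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    """IAM allows scalars or lists in Action/NotAction/Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' as a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_is_unscoped_s3(stmt):
    """True if an Allow statement grants S3 object access on Resource "*".

    Conditions and Deny statements elsewhere in the role are deliberately not
    evaluated: a hit here means "review this role", not "confirmed exploitable".
    """
    if stmt.get("Effect") != "Allow":
        return False
    if "*" not in _as_list(stmt.get("Resource", [])):
        return False
    if "Action" in stmt:
        patterns = _as_list(stmt["Action"])
        return any(_action_matches(p, probe)
                   for p in patterns for probe in S3_PROBES)
    if "NotAction" in stmt:
        # Allow + NotAction grants everything except the listed patterns,
        # so it is unscoped S3 unless every probe is excluded.
        excluded = _as_list(stmt["NotAction"])
        return any(not any(_action_matches(p, probe) for p in excluded)
                   for probe in S3_PROBES)
    return False


def policy_findings(policy):
    """Indices of offending statements in one policy document."""
    return [i for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if statement_is_unscoped_s3(stmt)]


def audit_roles(roles):
    """roles: {role_name: [policy_document, ...]} -> sorted (role, policy#, stmt#)."""
    findings = []
    for role, policies in roles.items():
        for p_idx, policy in enumerate(policies):
            for s_idx in policy_findings(policy):
                findings.append((role, p_idx, s_idx))
    return sorted(findings)


# Constructed inventory: the Ray default role with the managed policy beside a
# role that carries only the scoped policy.
SAMPLE_ROLES = {
    "ray-autoscaler-v1": [AMAZON_S3_FULL_ACCESS],
    "ray-worker-scoped": [SCOPED_S3_POLICY],
}

if __name__ == "__main__":
    for role, p_idx, s_idx in audit_roles(SAMPLE_ROLES):
        print(f"{role}: policy {p_idx} statement {s_idx} grants unscoped S3 access")
```

In practice the input dictionaries would come from listing each role's attached and inline policies and fetching the policy documents; the check itself is the same. The NotAction branch matters because an Allow with NotAction is broader than it looks and is a common way full S3 access slips past a grep for "s3:*".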

Google Exposes OAuth Token Theft Linked to UNC6395 in Salesforce Breach

A recent advisory from Google and Mandiant has uncovered a significant data breach involving Salesforce, where the threat actor UNC6395 deployed stolen OAuth tokens to bypass Multi-Factor Authentication (MFA). Organizations are urged to take steps to protect non-human identities to prevent similar breaches. According to the advisory from the Google…

CISA Warns of Actively Exploited Vulnerability in SonicWall SMA Devices

Date: April 17, 2025
Category: Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized a significant security flaw affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways as a Known Exploited Vulnerability (KEV) due to ongoing active exploitation. This high-severity vulnerability, identified as CVE-2021-20035 (CVSS score: 7.2), involves an operating system command injection that may allow for unauthorized code execution.

According to SonicWall’s advisory from September 2021, “improper neutralization of special elements in the SMA100 management interface permits a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, potentially leading to code execution.”

The vulnerability impacts the following models: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) running specific versions—10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv and higher), 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv and higher), and 9.0…
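The version ranges above are the check a practitioner actually runs against an appliance inventory. The following is an added example, not SonicWall or CISA tooling: it parses SMA 100 series version strings of the form "10.2.1.0-17sv" into comparable tuples and classifies each against the affected and fixed versions the advisory text gives. Only the two branches listed in full above are encoded; the 9.0 branch is truncated on this page, so versions on it are reported as "unlisted" rather than guessed at. The host inventory is constructed.

```python
"""Classify SonicWall SMA 100 series firmware versions against the affected
and fixed versions listed for CVE-2021-20035.

Added example, not SonicWall or CISA tooling. It encodes only the two version
branches the text above gives in full; the 9.0 branch is truncated there, so
versions on it are reported as "unlisted" rather than guessed at. The sample
inventory is constructed.
"""
import re

# Four dotted release components, a dash, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){3})-(\d+)sv$")


def parse_version(version):
    """'10.2.1.0-17sv' -> (10, 2, 1, 0, 17): dotted release then build number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {version!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    return release + (int(m.group(2)),)


# From the advisory text: (branch, last affected version, first fixed version).
CVE_2021_20035_RANGES = [
    ((10, 2, 1), "10.2.1.0-17sv", "10.2.1.1-19sv"),
    ((10, 2, 0), "10.2.0.7-34sv", "10.2.0.8-37sv"),
]


def classify(version):
    """Return 'vulnerable', 'patched', 'review' or 'unlisted' for one version."""
    v = parse_version(version)
    for branch, last_affected, first_fixed in CVE_2021_20035_RANGES:
        if v[:3] != branch:
            continue
        if v <= parse_version(last_affected):
            return "vulnerable"
        if v >= parse_version(first_fixed):
            return "patched"
        # A build between the last affected and first fixed versions is not
        # named in the advisory text: do not assume either way.
        return "review"
    return "unlisted"


def needs_attention(inventory):
    """inventory: [(host, model, version)] -> hosts not known to be patched."""
    return sorted(host for host, _model, version in inventory
                  if classify(version) != "patched")


# Constructed sample inventory covering several of the listed models; the
# 9.0-branch version string is made up, since that branch is truncated above.
SAMPLE_INVENTORY = [
    ("sma-hq-1", "SMA 410", "10.2.1.0-17sv"),
    ("sma-hq-2", "SMA 410", "10.2.1.3-27sv"),
    ("sma-lab", "SMA 500v", "10.2.0.7-34sv"),
    ("sma-dr", "SMA 200", "9.0.0.1-1sv"),
]

if __name__ == "__main__":
    for host, model, version in SAMPLE_INVENTORY:
        print(f"{host} ({model}, {version}): {classify(version)}")
    print("needs attention:", needs_attention(SAMPLE_INVENTORY))
```

Anything that is not positively "patched" is treated as needing attention, including "review" and "unlisted"; for a KEV entry that is the safe default. Note that the flaw requires an authenticated attacker, so the version check should be paired with a review of who holds management-interface credentials on these gateways.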

Salesloft and Drift Breached: OAuth Tokens Stolen and Salesforce Corporate Data Exfiltrated

A significant data breach involving corporate Salesforce instances has emerged, with hackers exploiting compromised OAuth tokens associated with the Salesloft Drift application. This sophisticated exfiltration campaign has led to the exposure of sensitive data from numerous organizations. The threat group, identified as UNC6395, executed their operations between August 8 and…

Why Non-Human Identities Are Cybersecurity’s Most Overlooked Threat

Published: April 25, 2025
Category: Secrets Management / DevOps

When discussing identity in cybersecurity, people typically think of usernames, passwords, and the occasional multi-factor authentication prompt. However, an escalating threat lies beneath the surface, rooted in Non-Human Identities (NHIs). While security teams often equate NHIs with Service Accounts, the reality is much broader. NHIs encompass Service Principals, Snowflake Roles, IAM Roles, and platform-specific constructs across AWS, Azure, GCP, and beyond. The variability of NHIs reflects the diversity within modern tech stacks, making effective management essential.

The true risk associated with NHIs stems from their authentication methods.

Secrets: The Currency of Machines
Non-Human Identities primarily rely on secrets—API keys, tokens, certificates, and other credentials—that provide access to systems, data, and critical infrastructure.
