@neuvik.bsky.social
Cloud storage leaking data? Insecure-by-default settings (like public S3 buckets & open ports) are huge risks!

Attackers use these common entry points. Learn how to lock down:
🔵 Public Access
🔵 Over-Permissive Roles
🔵 Open Ports

Read this to secure your cloud now!👇
https://tinyurl.com/leakedcloud
Learning how red teams are owning the cloud.

This in-depth discussion shows how elite attackers bypass MFA, exploit identity misconfigs, and extract credentials without touching endpoints.

Watch now if you're serious about cloud security offense 👇
Attacking Cloud Systems - with Moses Frost
The moral of the story? Cloud breaches aren't loud. They’re quiet, credentialed, and API-driven.
🔟 Pivoting via Azure AD Federation

Even in Okta or Google-managed orgs, Azure AD often still handles device joins or Graph access. Red Teams exploit this bridge using token replay or device joins to escalate across trust boundaries. Used in hybrid assessments to bridge environments.
9️⃣ Region-Specific Attack Planning

Cloud footprint varies by region:
🇺🇸 US startups = full cloud
🇪🇺 EU enterprises = hybrid/on-prem

Red Teams tailor initial access and post-ex strategies depending on infra maturity and identity structure.
8️⃣ Tool-Aided Enumeration with Manual Review

Tools like ScoutSuite, CloudFox, and TokenTactics are used early in engagements. These tools surface misconfigs and identity gaps. Used to build initial situational awareness.
7️⃣ Token Analysis for Recon and Priv Esc

JWTs issued by Azure or AWS contain critical claims (scp, azp, upn). Red Teams can decode tokens using jwt.ms to map what the token can access. We use this to find overly permissive scopes and escalate privileges.
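Decoding a token to read its claims is the same step a defender takes when auditing what a leaked or suspicious token could reach. The following script is an added example, not code from the post or from Neuvik: it splits a compact JWT, base64url-decodes the header and payload without verifying the signature (inspection only, exactly what jwt.ms does), and summarizes the `upn`, `azp`, `aud` and `scp` claims. The `HIGH_RISK_SCOPES` set and the sample token are this example's own constructed choices.

```python
import base64
import json

# Delegated scopes a reviewer would treat as high-risk in a user token.
# This list is the example's own choice, not from the original post.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict:
    """Return the header and payload of a JWT WITHOUT checking its signature.

    Use this only to inspect claims; never use the result to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def summarize_claims(payload: dict) -> dict:
    """Pull out the claims that decide what the token can do and who it acts as."""
    scp = payload.get("scp")
    scopes = set(scp.split()) if scp else set()   # scp is a space-separated string
    roles = set(payload.get("roles", []))         # app-only permissions, if any
    return {
        "subject": payload.get("upn") or payload.get("preferred_username") or payload.get("sub"),
        "app": payload.get("azp") or payload.get("appid"),
        "audience": payload.get("aud"),
        "delegated_scopes": sorted(scopes),
        "app_roles": sorted(roles),
        "high_risk": sorted((scopes | roles) & HIGH_RISK_SCOPES),
    }


# Constructed sample token for offline demonstration: header + payload + empty signature.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "upn": "alice@example.com",
    "azp": "11111111-2222-3333-4444-555555555555",
    "scp": "User.Read Mail.ReadWrite Files.Read",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "",
])


if __name__ == "__main__":
    decoded = decode_jwt_unverified(SAMPLE_TOKEN)
    print(json.dumps(summarize_claims(decoded["payload"]), indent=2))
```

Run against a real access token, the `high_risk` field is what to act on first: a user token carrying `Mail.ReadWrite` or `Directory.ReadWrite.All` for an `azp` you do not recognize is the consent-grant or over-scoped-app problem the rest of this thread describes.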
6️⃣ Microsoft Graph as a Post-Exploitation Toolkit

After access is granted, red teamers use Graph to:
🔎 Search inboxes for creds
📂 Download attachments
🗂️ List files from OneDrive
🗓️ Read calendar entries

It’s quiet, credentialed access and perfect for stealthy data exfil.
5️⃣ App Consent Phishing to Evade MFA

Rather than steal passwords, attackers trick users into authorizing a malicious Azure app.

Once approved, the app gets delegated Graph API access (including emails, files, and calendars).

Used in phishing engagements to simulate real-world cloud takeovers.
4️⃣ Identity Confusion Exploits in Apps

Red teams look for apps that rely on mutable claims (like email) instead of immutable identifiers (UPN).

We can then modify lowercase/uppercase in OAuth claims to impersonate users and gain access with no credentials.
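The fix on the application side is to never key an account on a mutable, user-visible claim. The following is an added example, not code from the post or from Neuvik: it shows a lookup that maps a token to a local account by case-folded `email` next to one that maps only by an immutable subject identifier (this example uses an `oid` claim; the account directory and the claim sets are constructed). With the first lookup, any token whose email claim matches in any casing resolves to the stored account; with the second, a token for a different subject resolves to nothing even if its email claim looks identical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    oid: str    # immutable object id assigned by the identity provider
    email: str  # mutable, user-visible; contact/display only
    role: str


# Constructed local account directory for this example's tenant.
ACCOUNTS = [
    Account("oid-0001", "alice@example.com", "admin"),
    Account("oid-0002", "bob@example.com", "user"),
]


def lookup_vulnerable(claims: dict) -> Optional[Account]:
    """Map a token to an account by its email claim, ignoring case.

    The mapping is only as strong as the claim: any subject whose token carries
    a matching email (in whatever casing) lands on the stored account.
    """
    wanted = claims.get("email", "").lower()
    for acct in ACCOUNTS:
        if acct.email.lower() == wanted:
            return acct
    return None


def lookup_hardened(claims: dict) -> Optional[Account]:
    """Map a token to an account by the immutable subject id only.

    The email claim is never used as a key. If the stored contact address and
    the claim disagree, that is surfaced as a mismatch rather than silently
    accepted (in a real service, pair oid with the tenant id as well).
    """
    oid = claims.get("oid")
    if not oid:
        return None
    for acct in ACCOUNTS:
        if acct.oid == oid:
            if acct.email.lower() != claims.get("email", "").lower():
                # Contact address changed or claim is unverified; log, do not re-key.
                print(f"email mismatch for {oid}: stored={acct.email} claim={claims.get('email')}")
            return acct
    return None


if __name__ == "__main__":
    # Constructed token claims for a different subject whose email claim
    # differs from Alice's only in letter case.
    other_subject = {"oid": "oid-9999", "email": "Alice@Example.com"}
    print("vulnerable:", lookup_vulnerable(other_subject))
    print("hardened:  ", lookup_hardened(other_subject))
```

The check to run against your own applications is the same one the hardened function encodes: find every place a token is turned into a local principal and confirm the key is an immutable identifier, with email used only for display and notifications.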
3️⃣ Refresh Token Hijacking for Persistent Access

Attackers phish or extract refresh tokens from memory or browser storage. Once stolen, they reuse it for days or weeks, bypassing MFA.

We use this to stay embedded in your environment without raising red flags.
2️⃣ Dropping Legacy Recon, Embracing API-Based Attacks

On-prem recon uses Nmap. In the cloud, we query APIs like the AWS CLI or Azure Graph, enumerating services, IAM roles, and storage buckets via credentialed API calls, not noisy scans.
1️⃣ Control Plane Access = Full Cloud Compromise

Red Teams target cloud consoles (e.g., AWS, Azure) to snapshot disks, bypass EDR, and dump credentials offline.

Example: Extracting VMDKs and analyzing LSASS memory with WinDbg.

We do this when endpoint defenses are too hardened for direct access.
Forget firewalls. Red Teamers target tokens, APIs, and identities.

10 techniques we use to break into cloud environments👇
The rise of "Shadow AI" is creating major blind spots for security and compliance teams.

Our AI Asset Inventory service solves this problem.

Learn more: https://neuvik.com/our-services/cyber-risk-management/
Cloud misconfigurations are still one of the top causes of breaches.

At Neuvik, we help you find those mistakes before they’re exploited:

Don’t wait for attackers to find the gaps. Partner with Neuvik to harden your cloud security.

Learn more: https://neuvik.com/our-services/advanced-assessments
Understanding control vs. data plane is foundational in cloud pentesting. It’s how offensive teams turn a single console foothold into full data compromise. Master this and you’ll see how attackers really pivot in your cloud.
⚠️ Real-world abuse scenario

Attackers with control plane access snapshot storage volumes, extract them offline, and dump LSASS. This sidesteps EDRs, since everything happens outside the monitored runtime.
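Because the snapshot-and-share pattern happens entirely in the control plane, the place to catch it is the control plane audit log. The following detection logic is an added example, not code from the post or from Neuvik: it reads CloudTrail-style `CreateSnapshot` and `ModifySnapshotAttribute` events, flags snapshots created by a principal outside a backup allow list, and flags any snapshot whose create-volume permission is granted to an account (or to `all`) outside the trusted-account list, noting when that share follows creation within a short window. The events, account ids, ARNs and allow lists are constructed for the example; field names follow the CloudTrail record layout for these two API calls.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style events, trimmed to the fields the detection reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "responseElements": {"snapshotId": "snap-0aaa"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"snapshotId": "snap-0aaa",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BackupRole"},
     "responseElements": {"snapshotId": "snap-0bbb"}},
]

TRUSTED_ACCOUNTS = {"111122223333"}                       # accounts snapshots may be shared with
BACKUP_PRINCIPALS = {"arn:aws:iam::111122223333:role/BackupRole"}  # principals expected to snapshot


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_snapshot_exfil(events, trusted_accounts=TRUSTED_ACCOUNTS,
                          backup_principals=BACKUP_PRINCIPALS, window_minutes=60):
    """Return findings for snapshots created by unexpected principals or shared outside the account."""
    created = {}   # snapshotId -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev.get("eventName")
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        when = _parse_time(ev["eventTime"])

        if name == "CreateSnapshot":
            sid = ev.get("responseElements", {}).get("snapshotId")
            created[sid] = when
            if principal not in backup_principals:
                findings.append({"type": "snapshot_by_unexpected_principal",
                                 "snapshotId": sid, "principal": principal})

        elif name == "ModifySnapshotAttribute":
            rp = ev.get("requestParameters", {})
            if rp.get("attributeType") != "CREATE_VOLUME_PERMISSION":
                continue
            sid = rp.get("snapshotId")
            items = rp.get("createVolumePermission", {}).get("add", {}).get("items", [])
            for item in items:
                # "group": "all" makes the snapshot public; a userId shares it with one account.
                target = item.get("group") or item.get("userId")
                if target == "all" or target not in trusted_accounts:
                    finding = {"type": "snapshot_shared_externally", "snapshotId": sid,
                               "principal": principal, "sharedWith": target}
                    if sid in created:
                        delta = when - created[sid]
                        finding["minutesAfterCreate"] = delta.total_seconds() / 60
                        if delta <= timedelta(minutes=window_minutes):
                            finding["type"] = "snapshot_created_then_shared_externally"
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_snapshot_exfil(SAMPLE_EVENTS):
        print(f)
```

The second finding type is the high-signal one: a snapshot created and shared to a foreign account within minutes is the offline-extraction path this post describes, and it is visible only here, not on the endpoint. In production the same logic would run over a CloudTrail stream and the allow lists would come from your backup tooling's known roles.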
💡 Example: VMware vs. AWS

In VMware, vCenter is the control plane, and VMs are the data plane. In AWS, the management console/API is the control plane, while EC2 or S3 make up the data plane.
↪️ Compromise the control plane to reach the data plane

If attackers reach the control plane, they can snapshot disks, spin up resources, or clone volumes. This lets them bypass endpoint defenses entirely.
💾 Data plane = execution layer

The data plane handles workloads - apps, services, and data. Attackers who manipulate it can interact directly with sensitive operations and business processes.
🎛️ Control plane = management layer

This is where attackers can launch VMs, modify storage, and open firewall rules. Access here grants control over the infrastructure itself, not just the data.
The #1 concept attackers use to own the cloud: control plane vs. data plane 🧵👇
Adopting new technologies isn’t the risk.

Failing to anticipate their misuse is.

Rethink your adoption strategy by always asking: “How would an attacker use this against us?”
5️⃣ Shift from tool-chasing to principle-setting

Instead of reacting to every emerging tech, define core defense principles (identity assurance, critical asset protection, encryption resilience, etc.) and map new tools against them.