Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass in the management web interface of Palo Alto Networks PAN-OS firewalls. The flaw lets an unauthenticated attacker with network access to that interface bypass authentication and invoke certain PHP scripts, compromising the firewall's integrity and confidentiality. Researchers at Assetnote disclosed the exploitation details, and in-the-wild attacks have been observed since February 13, 2025. As with earlier PAN-OS management-plane bugs, the exposed population is firewalls whose management interface is reachable from the internet; restricting that interface to trusted internal addresses is the first mitigation to verify.
At first, the value of this vulnerability to attackers was slightly unclear, since it “only” allowed an authentication bypass. However, Palo Alto confirmed that attackers are chaining CVE-2025-0108 with other vulnerabilities affecting older versions to extend their access. One of these is CVE-2024-9474, an OS command injection flaw in the management web interface that enables privilege escalation, allowing attackers to execute actions on the firewall with root privileges. Another is CVE-2025-0111, an authenticated file read vulnerability that lets attackers read files on the PAN-OS filesystem that are readable by the “nobody” user. The bypass supplies the authenticated access the other two require, which is what turns an exposed management interface into a root-level compromise.
According to Wiz data, 22% of cloud environments have resources vulnerable to CVE-2025-0108, and 18% have resources vulnerable to CVE-2025-0108 and at least one additional vulnerability used in these attacks.
Learn more here.
🐞 High Profile Vulnerabilities
ThinkPHP and OwnCloud Vulnerabilities Exploited in-the-Wild
Researchers observed a surge in exploitation attempts targeting two older vulnerabilities: CVE-2022-47945 (ThinkPHP LFI), a local file inclusion flaw in ThinkPHP that lets attackers include arbitrary files when the framework's multi-language feature is enabled, and CVE-2023-49103 (ownCloud GraphAPI Information Disclosure), which exposes the server's PHP environment, including credentials held in environment variables, on vulnerable ownCloud versions. Patches for both have been available for over a year; security teams should patch affected systems and restrict their exposure to minimize the attack surface.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to either of these vulnerabilities.
Learn more here.
AMI Lookup Misconfiguration Allows Name Confusion Attack
In August 2024, researchers discovered a widespread misconfiguration in how software projects retrieve Amazon Machine Images (AMIs) for creating EC2 instances. The vulnerability, dubbed whoAMI, allows attackers to publish a public AMI with a specially crafted name and gain remote code execution (RCE) within the victim's misconfigured AWS environment. According to the researchers, if executed at scale, this attack could compromise thousands of AWS accounts. The flaw stems from looking up AMIs by name (typically taking the most recent match) without restricting the query to trusted owners, so an attacker-published image whose name matches and whose creation date is newer wins the lookup. AWS addressed the issue by introducing Allowed AMIs, an optional account-level setting that lets users restrict AMI sources to trusted accounts; code that already passes an explicit owner list to its AMI query is not affected.
Learn more here.
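The lookup bug described above, as an added example that is not code from the whoAMI researchers or from AWS: the name-only query beside an owner-restricted one, run over constructed stand-ins for ec2:DescribeImages results. No AWS call is made, and the account IDs, image IDs and image names are made up.

```python
"""Added example (not code from the whoAMI research or from AWS): a
name-only AMI lookup beside an owner-restricted one, run over constructed
stand-ins for DescribeImages output. Account IDs, image IDs and names are
invented for the demonstration."""
from fnmatch import fnmatch

TRUSTED_OWNER = "123456789012"   # assumption: the vendor account that publishes the image
ATTACKER_OWNER = "999999999999"  # assumption: any AWS account able to publish a public AMI

# Constructed sample of what DescribeImages returns for a filter such as
# Name=name,Values=ubuntu/images/*22.04*. The attacker has published a public
# AMI whose name matches the pattern and whose CreationDate is the newest.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0trusted00000001", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240701",
     "CreationDate": "2024-07-01T10:00:00.000Z", "Public": True},
    {"ImageId": "ami-0trusted00000002", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240801",
     "CreationDate": "2024-08-01T10:00:00.000Z", "Public": True},
    {"ImageId": "ami-0attacker0000001", "OwnerId": ATTACKER_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240802",
     "CreationDate": "2024-08-02T10:00:00.000Z", "Public": True},
]


def _newest(images):
    # DescribeImages returns ISO-8601 timestamps, so string order is time order.
    return max(images, key=lambda img: img["CreationDate"], default=None)


def pick_ami_by_name_only(images, name_pattern):
    """The vulnerable pattern: filter on Name, take the most recent match.
    This is a describe_images call with a name filter and no Owners argument,
    or a "most recent" lookup in IaC with no owner restriction. Whoever
    publishes the newest matching public image controls the result."""
    matches = [img for img in images if fnmatch(img["Name"], name_pattern)]
    chosen = _newest(matches)
    return chosen["ImageId"] if chosen else None


def pick_ami(images, name_pattern, allowed_owners):
    """The hardened lookup: only images from an explicit owner allowlist are
    considered (the Owners parameter of DescribeImages, or the owners argument
    of Terraform's aws_ami data source), and an empty allowlist fails closed
    instead of silently matching every public image."""
    if not allowed_owners:
        raise ValueError("refusing AMI lookup without an owner allowlist")
    matches = [img for img in images
               if img["OwnerId"] in allowed_owners and fnmatch(img["Name"], name_pattern)]
    chosen = _newest(matches)
    return chosen["ImageId"] if chosen else None


if __name__ == "__main__":
    pattern = "ubuntu/images/*22.04*"
    print("name only   :", pick_ami_by_name_only(SAMPLE_IMAGES, pattern))    # attacker's image
    print("owner-locked:", pick_ami(SAMPLE_IMAGES, pattern, {TRUSTED_OWNER}))  # vendor's image
```

The owner allowlist is the code-level fix and works regardless of whether the account has turned on Allowed AMIs; the account-level setting is the backstop for code you do not control.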
🔒 Security Incidents & Campaigns
Seashell Blizzard's Campaign Exploiting Vulnerabilities for Data Exfiltration
Microsoft Threat Intelligence has uncovered a long-running campaign by a subgroup of the Russian state-sponsored actor Seashell Blizzard, tracked as the BadPilot campaign. Active since at least 2021, this campaign has targeted a broad range of sectors globally, including energy, oil and gas, telecommunications, arms manufacturing, and government agencies. The subgroup uses opportunistic access techniques to compromise internet-facing infrastructure, collect credentials, and achieve long-term persistence. Initially focused on Ukraine and Europe, the campaign expanded in 2024 to the United States, United Kingdom, Canada, and Australia, exploiting vulnerabilities in remote monitoring and security software such as ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).
Learn more here.
Black Basta Exploiting Vulnerabilities in Multiple Products
A major leak of Black Basta’s internal chat logs on February 11, 2025, has exposed significant internal conflicts, leadership instability, and financial fraud within the ransomware group. The leak, allegedly triggered by their attacks on Russian banks, has led to a decline in their operations, mirroring past incidents like the Conti leaks. Key members defected to rival groups like Cactus Ransomware, further weakening Black Basta. The chat logs also provide insights into tactics, techniques, and procedures (TTPs) used by the group, including ransomware deployment, phishing campaigns, and VPN exploitation, as well as CVEs the group has exploited. Additionally, they expose the gang’s ransom negotiation strategies, infrastructure, and financial operations, including cryptocurrency wallets used for payments.
The leaks also reveal Indicators of Compromise (IoCs) such as IP addresses, domains, hashes, and malicious files, which can help organizations detect and defend against Black Basta’s activities.
Learn more here.
Malicious AI Models Bypass Picklescan Detection
Researchers discovered a new attack technique, dubbed "nullifAI", which abuses Python's Pickle serialization to distribute malware-laced ML models on Hugging Face. Pickle is executable by design: loading a pickle runs whatever callables the file names, and PyTorch model files are pickles underneath. By packing the model files with an unconventional compression method that the scanner did not unpack, the attackers embedded a reverse shell payload within PyTorch model files and bypassed Picklescan, the open-source scanner Hugging Face runs on uploads. The practical takeaway is that upload scanning is a backstop, not a control: load untrusted models with a restricted unpickler, or prefer a weights-only format such as safetensors that carries no code.
Learn more here.
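Why a pickle load executes code, and what a scanner versus a restricted loader each sees, as an added example (not nullifAI's code, and not Picklescan's or Hugging Face's). The "payload" is deliberately harmless: it evaluates a Python expression that returns the current process ID. The allowlist in the restricted loader is a placeholder; a real one lists exactly the classes the model format needs.

```python
"""Added example (not nullifAI's, Picklescan's or Hugging Face's code): a
pickle whose __reduce__ hands the loader builtins.eval, a Picklescan-style
import scan over the opcode stream, and an allowlisting Unpickler that refuses
the import before anything runs. The payload only returns os.getpid()."""
import collections
import io
import pickle
import pickletools


class MaliciousModelObject:
    """Stand-in for an object hidden in a model file. pickle stores what
    __reduce__ returns, a callable plus its arguments, and the loader calls
    it. Here the callable is eval; a real payload would spawn a shell."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_pickle() -> bytes:
    # Protocol 4 encodes the import as STACK_GLOBAL; older protocols use
    # GLOBAL. list_imports() below handles both.
    return pickle.dumps(MaliciousModelObject(), protocol=4)


def build_benign_pickle() -> bytes:
    # Constructed "weights" file that only needs collections.OrderedDict.
    return pickle.dumps(collections.OrderedDict(weights=[1.0, 2.0]), protocol=4)


def load_unsafe(blob: bytes):
    """What naive model loading does: plain pickle.loads, so eval runs."""
    return pickle.loads(blob)


# Modules whose import in a pickle is a red flag (a Picklescan-style blocklist;
# the real tool's list is longer). A blocklist is only as good as its coverage,
# and it only helps if the scanner can open the container at all, which is the
# gap nullifAI's unusual compression exploited.
DANGEROUS_MODULES = {"builtins", "os", "subprocess", "sys", "socket", "runpy", "shutil"}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def list_imports(blob: bytes):
    """Walk the opcode stream without executing it and collect every
    (module, name) the pickle would import. GLOBAL carries both in one
    argument; STACK_GLOBAL takes them from the two preceding string pushes
    (memo references to earlier strings are not resolved in this sketch)."""
    imports, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            imports.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return imports


def scan(blob: bytes):
    """Return the imports a blocklist scanner would flag."""
    return [(m, n) for m, n in list_imports(blob) if m in DANGEROUS_MODULES]


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist loader: find_class is consulted for every import, so anything
    outside ALLOWED raises before a single callable is invoked. ALLOWED here is
    a placeholder (assumption); for a real PyTorch file it would list the
    tensor rebuild helpers the checkpoint format needs and little else."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    blob = build_malicious_pickle()
    print("imports:", list_imports(blob))              # [('builtins', 'eval')]
    print("flagged:", scan(blob))
    print("unsafe load returned:", load_unsafe(blob))  # a PID: eval ran
    try:
        load_restricted(blob)
    except pickle.UnpicklingError as exc:
        print("restricted load refused:", exc)
```

The scan and the restricted loader fail in different ways: the scan is a blocklist that needs to parse the container, while the loader is an allowlist that sits at the point of use, so a file the scanner never saw still gets refused.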
Code Injection Attacks Exploiting Publicly Disclosed ASP.NET Keys
Microsoft Threat Intelligence identified a threat actor exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks. The machineKey values (validationKey and decryptionKey) are what an ASP.NET application uses to sign and encrypt ViewState, so anyone who holds them can craft a ViewState payload that passes MAC validation and is deserialized by the server, yielding remote code execution on the IIS host. In December 2024, an attacker used this method to deploy the Godzilla post-exploitation framework, taking advantage of a machine key found in publicly available repositories. Keys copied from documentation, code samples or public repositories should be treated as compromised: rotate them (on every node of a web farm, since the nodes must share the key) and inventory web.config files across the estate for static machineKey values.
Learn more here.
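The inventory check and the rotation described above, as an added example (not Microsoft's guidance code): a function that flags web.config files whose ViewState protection rests on a static machineKey, plus a generator for fresh key material. Both config documents are constructed, and the key values in them are dummies, not real leaked keys; the optional list of known-leaked key fingerprints is assumed to be something you maintain yourself.

```python
"""Added example (not Microsoft's code): audit a web.config for a static,
possibly public, ASP.NET machineKey and generate replacement key material.
The configs are constructed; their key values are dummies."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config: static keys of the kind copied from blog posts and
# sample repositories, with the older SHA1 validation algorithm.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed web.config with the safe default: keys generated per application
# at runtime and never written down.
SAMPLE_WEB_CONFIG_AUTOGEN = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def key_fingerprint(value: str) -> str:
    """SHA-256 of the key string, so a leaked-key list can be kept without
    storing the keys themselves."""
    return hashlib.sha256(value.encode()).hexdigest()


def audit_machine_key(config_xml: str, known_leaked_sha256=frozenset()):
    """Return a list of findings. known_leaked_sha256 is an optional set of
    key_fingerprint() values for keys already known to be public (assumption:
    you maintain such a list; it is empty by default)."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without a MAC")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no element means AutoGenerate: nothing static to leak
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if key_fingerprint(value) in known_leaked_sha256:
            findings.append(f"{attr} matches a publicly disclosed key: rotate immediately")
        else:
            findings.append(f"{attr} is static in config: confirm it was generated locally, not copied")
    validation = mk.get("validation", "")
    if validation.upper() in ("MD5", "SHA1"):
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    return findings


def generate_machine_key():
    """Fresh key material for a rotation: 64 random bytes for an HMACSHA256
    validationKey and 32 bytes for an AES-256 decryptionKey, hex encoded as
    web.config expects. Rotating invalidates outstanding ViewState and forms
    authentication tickets, so schedule it and apply it to every farm node."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
    print(audit_machine_key(SAMPLE_WEB_CONFIG_AUTOGEN))  # []
    print(generate_machine_key())
```

A static key is not a finding in itself, since web farms need shared keys; the point of the check is to surface every static key so each one can be traced to a local generation step, and anything that cannot be traced gets rotated.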
🎧 Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen. Listen on Spotify and Apple Podcasts.