Attacker Stealth Tactics in Azure and Ransomware still Threatening Organizations

This week we uncover Azure security blindspots in our latest newsletter featuring experts Christian Philipov (WithSecure) and Katie Knowles (Datadog). Learn how attackers exploit Azure's limited read-event logging for stealthy reconnaissance, plus practical defenses using conditional access policies and Resource Graph Explorer. Also covers breaking news on Microsoft's ransomware-related zero-day patch, pension fund breaches, and critical SAP vulnerabilities. Essential insights for cloud security professionals defending Azure environments.

Hello from the Cloud-verse!

Attacker Stealth Tactics in Azure

In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to learn what's new in cloud security each week from their industry peers, as do the many others who listen to Cloud Security Podcast and AI CyberSecurity Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

We're diving deep into the evolving landscape of cloud security threats and defensive strategies. This edition features insights from Christian Philipov of WithSecure, who discusses stealthy techniques attackers use to remain undetected in Azure environments, and Katie Knowles from Datadog, who shares her expertise on incident response in Azure. Together, they offer invaluable perspectives on the growing sophistication of cloud-native threats and practical approaches to security in Microsoft's cloud ecosystem.

THIS WEEK'S SECURITY NEWS

🚨 Oracle Discloses Second Recent Security Breach

Oracle has informed customers of a second data breach in which an attacker compromised a legacy environment and stole old client login credentials. This comes shortly after Oracle had disclosed a previous, unrelated breach to healthcare customers. According to the report, the attacker attempted to extort payments from the company. The FBI and CrowdStrike are investigating the incidents. This pattern of multiple breaches highlights the importance of securing legacy environments even after they have been decommissioned, a lesson that applies to migrated cloud workloads as well.

Why it matters: A large share of enterprises are Oracle customers, whether for its database products or its cloud. A breach involving stolen client login credentials could affect the trust Oracle Cloud customers place in Oracle and in the data it hosts for them. Oracle's experience highlights the critical importance of securing decommissioned environments and legacy credentials, a key consideration during cloud migrations. Cloud security teams should implement credential rotation, access reviews, and comprehensive offboarding procedures for legacy systems to prevent similar compromises.

๐Ÿ” Microsoft Patches Critical CLFS Zero-Day Actively Exploited in Ransomware Attacks

Microsoft has released security updates addressing CVE-2025-29824, a zero-day vulnerability in the Windows Common Log File System (CLFS) kernel driver that allows elevation of privilege. According to Microsoft Threat Intelligence, this vulnerability has been exploited by a group tracked as Storm-2460 to deploy ransomware using PipeMagic malware. The activity affected several sectors, including IT and real estate in the US, financial institutions in Venezuela, Spanish software companies, and retail in Saudi Arabia. Organizations should prioritize applying these security updates; Microsoft notes that Windows 11 version 24H2 is not affected by the exploit technique being used in the wild, so older builds are the ones most in need of patching.

Why it matters: This vulnerability demonstrates how ransomware groups prioritize privilege escalation vulnerabilities to convert initial access into widespread deployment capabilities. Organizations running Windows environments alongside cloud workloads should patch immediately, as hybrid cloud architectures could allow lateral movement from compromised on-premises systems to cloud resources.

💥 Massive Coordinated Attack Targets Australia's Largest Pension Funds

Multiple major Australian pension funds, including AustralianSuper, Australian Retirement Trust, Rest, Insignia, and Hostplus, were hit by coordinated cyberattacks that compromised more than 20,000 accounts. According to reports, hackers stole approximately A$500,000 from four AustralianSuper members by draining their balances. This attack demonstrates how financially motivated threat actors are increasingly targeting high-value financial institutions with coordinated campaigns, and highlights the importance of authentication security controls for protecting high-value financial systems in the cloud.

Why it matters: This attack reveals how financially motivated threat actors are increasingly targeting identity systems of financial institutions with sophisticated, coordinated campaigns. Cloud security professionals should review identity protection measures, MFA implementations, and anomalous login detection capabilities as similar techniques could target cloud-hosted financial systems.

SAP Patches Critical Code Injection Vulnerabilities

SAP released 20 security notes in its April 2025 patch cycle, addressing three critical-severity vulnerabilities. Two of the flaws (CVE-2025-27429 and CVE-2025-31330) are code injection vulnerabilities in S/4HANA Private Cloud and Landscape Transformation, while the third (CVE-2025-30016) is an authentication bypass issue in Financial Consolidation. Enterprise software security firm Onapsis notes that the first two CVEs refer to the same security defect. Organizations using these SAP products should apply the patches immediately to prevent potential exploitation.

Why it matters: As with Oracle above, a large share of enterprises are SAP customers, typically for Enterprise Resource Planning (ERP). These vulnerabilities sit in SAP's private cloud offering, which is likely present in enterprises running SAP, and those enterprises need to patch. SAP systems are often connected to cloud resources through integrations. Cloud security professionals should coordinate with SAP administrators to ensure patches are applied quickly, as attackers could leverage these vulnerabilities to pivot from compromised on-premises SAP instances to connected cloud environments.

CLOUD SECURITY TOPIC OF THE WEEK

Azure Security Blindspots: When "Read" Events Fly Under the Radar

Azure's telemetry gives attackers room to look around without being noticed. Our experts share how adversaries stay undetected in Azure and Entra ID, and what defenders can do about it.

  • Christian Philipov: Principal Security Consultant at WithSecure

  • Katie Knowles: Security Researcher at Datadog

Definitions and Core Concepts 📚

Before diving into the analysis, let's clarify some key terms referenced throughout the discussion:

  • Entra ID: Microsoft's new terminology for Azure Active Directory (Azure AD), the cloud-based identity and access management service

  • Read Events: API calls that retrieve information without making changes (e.g., listing users, groups, resources)

  • State-Changing Events: API calls that modify configurations or data (e.g., adding permissions, creating resources)

  • Ibiza API: An underlying API that powers the Azure portal web interface

  • PIM API: Privileged Identity Management API for just-in-time and time-bound privileged access

  • Microsoft Graph: The modern API that underpins identity and access management in Azure

  • Azure AD Graph: The older API, now being deprecated, which lacks some of the telemetry capabilities of Microsoft Graph

🧠 Our Insights from These Practitioners

1- The Challenge of Detecting Stealthy Attackers in Azure

Christian Philipov highlights a fundamental security gap in Azure's telemetry: the platform's limited ability to log read-only events. Unlike AWS CloudTrail, which records both read and write actions, Azure historically has struggled with capturing reconnaissance activities:

"In Azure, specifically, the stealthy part comes from a bit of a limitation that has existed within the platform and Entra, which is with specifically to read events. Okay, so like enumeration activities, reconnaissance, that sort of thing... these have been challenging because typically there wasn't really a good way to log these sorts of events like fundamentally don't exist in the telemetry that gets produced by Azure slash Entra." - Christian Philipov

This creates a concerning blindspot: attackers can extensively map your environment by enumerating users, groups, and resources without generating security alerts. By the time a state-changing event occurs and triggers detection, the attacker may already have comprehensive knowledge of your environment and clear attack paths.

Katie Knowles reinforces this concern when discussing incident response:

"If you're trying to design more secure infrastructure, or if you're investigating compromises, you'll probably see a lot of, hey, something's been, hit with suspicious traffic. Microsoft might email you and say we're going to turn this off. If you don't stop your nonsense." - Katie Knowles

2- Understanding Azure's Complex Identity Landscape

Both experts emphasize how Azure's identity architecture is particularly complex, with multiple identity types that each present different security challenges:

  1. User Identities: Traditional user accounts

  2. Service Principals: Similar to service accounts in on-premises environments

  3. Application Registrations: Often paired with service principals to enable third-party integrations

  4. Managed Identities: A type of service principal that's automatically managed by Azure

Katie explains the often confusing relationship between these identities:

"Microsoft will try to obfuscate the complexity of these different identities. So they'll say, oh, it's a managed identity. It's different than an application... it's still a service principal, and that's tied to an application registration. But if I search that, it's not in my tenant." - Katie Knowles

This obfuscation can make it challenging for security teams to maintain visibility and properly secure their environment. Attackers, meanwhile, can leverage this complexity to establish persistence.

3- Top Stealthy Attack Vectors in Azure

Christian identified several under-logged APIs that attackers exploit to remain undetected:

  1. Azure AD Graph: The older API being phased out, but still active until mid-2025

  2. Ibiza API: The backend API used by the Azure portal

  3. PIM API: Used for privileged identity management

"These are just disparate APIs and the notion is that a lot of them don't necessarily log that sort of read enumeration because they don't use Microsoft Graph under the hood. And they are their own thing." - Christian Philipov

He also notes that Microsoft is working to address these gaps, with Azure AD Graph set to be deprecated this year, which should close one common stealth channel.

4- Key Detection Strategies for Azure Environments

Despite the challenges with read events, both experts suggest several effective detection strategies:

  1. Focus on State-Changing Events: While read events may be difficult to capture, state-changing actions like adding MFA factors, modifying service principals, or changing resource configurations are logged and should be closely monitored.

  2. User Sign-In Analysis: Katie recommends leveraging Azure's behavioral analytics for authentication activities:
    "A lot of the, like a common example is obviously if you log in primarily from, let's say London, 'cause you're based in London, etc., and then at some point you log in to randomly from an IP that's based in Finland. Yeah. Or even like just some other part of, just some part of the UK, it can then figure out, oh, this is a bit suspicious." - Christian Philipov

  3. Leverage Resource Graph Queries: Katie recommends using Azure Resource Graph Explorer:
    "I love that panel so much. So everything you have reader over in an Azure environment, you can query using that... There's a lot of guides on how to query it. I've got some example queries in the repository that I put up for Advent of Cloud." - Katie Knowles

  4. Deploy Microsoft Defender for Cloud: Despite its limitations, both experts acknowledge its value when integrated with other Microsoft security solutions.
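Because the enumeration itself leaves little trace, detection has to key on the state changes the experts say are logged. The following KQL is an added example, not a query from the newsletter or from either expert; it assumes Entra ID AuditLogs are streamed to a Log Analytics workspace through a diagnostic setting, and uses Entra's own audit operation names for credential, ownership, role and MFA-method changes:

```kql
// Added example: hunt Entra ID audit logs for the state-changing operations
// that ARE logged, since read/enumeration calls mostly are not.
// Assumes AuditLogs flows into Log Analytics via a diagnostic setting.
let lookback = 7d;
let watched = dynamic([
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
    "Add owner to application",
    "Add owner to service principal",
    "Add app role assignment to service principal",
    "Add member to role",
    "Consent to application",
    "User registered security info",
    "Update user"
]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in (watched)
| where Result =~ "success"
// "Update user" is noisy; keep only edits to authentication methods
| where OperationName != "Update user"
    or tostring(TargetResources[0].modifiedProperties) contains "StrongAuthentication"
// the actor is either a human user or an app (service principal)
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend Target = tostring(TargetResources[0].displayName),
         TargetType = tostring(TargetResources[0].type)
| summarize Count = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Ops = make_set(OperationName), Targets = make_set(Target, 20)
    by Actor, ActorIP, bin(TimeGenerated, 1h)
// several distinct persistence-style changes from one actor in one hour
// is the pattern worth triaging first
| where Count >= 3 or array_length(Ops) >= 2
| order by Count desc
```

Tune the thresholds to your tenant's normal change volume; a single "Add service principal credentials" on a highly privileged app may deserve its own alert regardless of count.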

5- Practical Steps for Better Azure Security

Both experts offer practical recommendations for improving your Azure security posture:

  1. Implement Strong Conditional Access Policies: Christian emphasized this as a critical control:
    "The stronger conditional access policies...very much is a big control regardless of whether it is stealthy or not, because if there are strong controls to prevent you from logging into a user's account in a kind of an insecure manner, [...] it does make it significantly harder." - Christian Philipov

  2. Configure Diagnostic Settings: Katie stresses the importance of comprehensive logging:
    "I'd start making sure that you've got the access and the logs that you need and that'll take you down some rabbit holes, honestly." - Katie Knowles

  3. Understand Microsoft Graph and Resource Graph: Katie recommends becoming familiar with the Resource Graph Explorer, which allows you to query all resources you have reader access to using KQL (Kusto Query Language).

  4. Start With Azure Fundamentals: For those newer to Azure security, Katie suggests a gradual learning approach:
    "A great baseline for that is AZ 104. It's the Azure Associate, Azure Administrator Associate. They have free labs online that Microsoft will let you spin up. You just click a button. It makes the lab. You do the thing it's telling you to do. You learn quite a lot by clicking through it." - Katie Knowles
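To see where Conditional Access is actually enforced, here is an added KQL query (my example, not from the newsletter or either expert) over SigninLogs in a Log Analytics workspace. It assumes the Entra ID sign-in diagnostic setting is enabled and groups successful sign-ins by the coverage gap they reveal:

```kql
// Added example: review Conditional Access coverage of successful sign-ins.
// Assumes SigninLogs is forwarded to Log Analytics via a diagnostic setting.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"                      // successful sign-ins only
// anything other than browser / modern clients is legacy authentication,
// which Conditional Access cannot challenge for MFA
| extend LegacyAuth = ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| extend Gap = case(
    ConditionalAccessStatus == "notApplied", "no CA policy applied",
    AuthenticationRequirement == "singleFactorAuthentication", "CA applied but no MFA required",
    LegacyAuth, "legacy protocol bypassing modern auth",
    "covered")
| where Gap != "covered"
| summarize SignIns = count(),
            Users = dcount(UserPrincipalName),
            SampleApps = make_set(AppDisplayName, 5),
            Countries = make_set(Location, 10)
    by Gap, ClientAppUsed
| order by SignIns desc
```

Each non-empty row is a population of sign-ins a stronger policy (MFA for all users, block legacy authentication) would have covered.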

6- Emerging Threats: LLM-Jacking in Azure

Katie highlighted an emerging threat with AI models in Azure - "LLM-jacking" - where attackers steal compute power:

"If they have the token. So like your authentication token for a model and access to that API model, the URL that it's living at which will be where it was deployed to when you created the resource, how you interact with it, then they can - an attacker can basically slap this into a large infrastructure they have that creates a back end pool of AI resources that they can send queries to." - Katie Knowles

This new threat vector demonstrates how attackers are constantly finding novel ways to abuse cloud resources, requiring security teams to stay vigilant as cloud platforms expand into AI/ML services.
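As an added example for the Resource Graph queries Katie mentions and for the LLM-jacking risk above (not a query from the newsletter or from her Advent of Cloud repository), this Resource Graph query inventories Azure OpenAI and other Cognitive Services accounts by how reachable a stolen key would make them. It runs in Resource Graph Explorer, assumes Reader access on the subscriptions in scope, and uses the ARM property names of the cognitiveservices provider:

```kql
// Added example: which Azure OpenAI / Cognitive Services accounts could be
// driven with a leaked key, and from where. Key auth and public access are
// the defaults, so a missing property is treated as "enabled".
resources
| where type =~ "microsoft.cognitiveservices/accounts"
| extend keyAuthEnabled = isnull(properties.disableLocalAuth)
                          or tobool(properties.disableLocalAuth) == false,
         publicNetwork  = tostring(properties.publicNetworkAccess) != "Disabled",
         defaultAction  = tostring(properties.networkAcls.defaultAction),
         ipRules        = coalesce(array_length(properties.networkAcls.ipRules), 0),
         vnetRules      = coalesce(array_length(properties.networkAcls.virtualNetworkRules), 0)
| extend exposure = case(
    keyAuthEnabled and publicNetwork and defaultAction != "Deny", "key-reachable from any IP",
    keyAuthEnabled and publicNetwork, "key-reachable from allow-listed IPs/VNets",
    keyAuthEnabled, "key auth on, private network only",
    "Entra ID auth only")
| project name, kind, resourceGroup, subscriptionId, location,
          exposure, keyAuthEnabled, publicNetwork, defaultAction, ipRules, vnetRules
| order by exposure asc, name asc
```

Accounts in the first bucket are the ones where a leaked endpoint-plus-key pair is all an attacker needs; setting disableLocalAuth and restricting network access removes that path.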

Question for you? (Reply to this email)


Were you aware, before today, of this Azure blindspot for read actions in the Azure portal?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you 📢 for a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community 💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast, AI Cybersecurity Podcast.