3 posts tagged with "cloud-security"

CI/CD Pipeline Compromise: How Attackers Turn Your Build System Into a Persistent Backdoor Into Production

40 min read
Inference Defense
Threat Intelligence & Detection Engineering

Your software supply chain is already inside your network perimeter. Every time a developer pushes a commit, your CI/CD pipeline authenticates to your cloud provider, pulls secrets from your vault, builds and signs artifacts, and pushes code directly to production, all without a human approving a single step. Attackers figured this out in 2020 with SolarWinds, refined it through the Codecov breach in 2021, operationalized it at scale with the 3CX and XZ Utils compromises in 2023–2024, and in August 2025, UNC6395 used it to compromise Drift's GitHub account, steal OAuth tokens, and gain access to hundreds of organizations' Salesforce environments without ever touching a single victim's network directly. The attack surface is not a misconfiguration you can patch. It is the pipeline itself.


Terraform Security Anti-Patterns: 10 Misconfigurations Found in Real Production Code

48 min read
Inference Defense
Threat Intelligence & Detection Engineering

Every cloud breach investigation that starts with an exposed credential or an open S3 bucket ends the same way: someone finds a .tf file, or a terraform.tfstate in an S3 bucket, or a CI pipeline that ran terraform apply with admin keys baked into an environment variable. Terraform is not inherently insecure, but the patterns that make it fast to use are precisely the patterns that create the largest attack surface. Hardcoded secrets survive in Git history after deletion. State files store every resource attribute in plaintext, including passwords, private keys, and connection strings, regardless of whether you marked them sensitive. Security groups drift to 0.0.0.0/0 during a 2 AM incident and never get corrected. IAM policies accumulate wildcards because the initial prototype was never tightened. These are not hypothetical risks; they are the literal findings in every major cloud IR engagement of the past five years.


MFA Bypass in 2025 to 2026: Device Code Phishing, Token Replay, and Why Your Conditional Access Policy Isn't Enough

27 min read
Inference Defense
Threat Intelligence & Detection Engineering

Your user just completed MFA. They entered their authenticator code correctly. Microsoft accepted it. Your Conditional Access policy evaluated and passed. And the attacker sitting at a server in a different country just received a valid OAuth access token with 60-90 minutes of life, a refresh token valid for 90 days, and a path to your entire Microsoft 365 environment. No phishing page. No fake login form. No credential harvested. MFA itself was the mechanism the attacker used to authenticate on the victim's behalf. This is not a future threat. It has been actively exploited since at least mid-2024, and campaigns surged dramatically in late 2025.