
Latest news with #TenableResearch

Poor cloud security leaves secrets & data at risk, report finds

Techday NZ

19-06-2025


A new report from Tenable Research has detailed the ongoing risks facing organisations due to poor cloud security practices and widespread misconfigurations. The 2025 Cloud Security Risk Report analyses data from global cloud systems spanning October 2024 to March 2025. It highlights significant vulnerabilities related to data exposure, identity management, cloud workloads, and the use of artificial intelligence resources. The findings indicate that sensitive information and credentials remain at risk due to inconsistent security implementations across major public cloud providers.

Exposure of sensitive data

According to Tenable Research, 9% of publicly accessible cloud storage contains sensitive data, and 97% of this content is classified as restricted or confidential. These circumstances increase the risk of exploitation, particularly when misconfigurations or embedded secrets are also present.

The report notes that cloud environments are subject to significantly heightened risk from exposed data, misconfigured access, and the insecure storage of secrets such as passwords, API keys, and other credentials. These issues are compounded by underlying vulnerabilities and inconsistent security practices across organisations using public cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Secrets and workload security

The assessment documented that over half of organisations (54%) store at least one secret directly within AWS Elastic Container Service (ECS) task definitions, creating a direct attack path for threat actors. On GCP Cloud Run, similar patterns were observed, with 52% of organisations found to be storing secrets within resources, and 31% on Microsoft Azure Logic Apps workflows.

Furthermore, 3.5% of all AWS Elastic Compute Cloud (EC2) instances were identified as containing secrets within user data. AWS EC2's broad adoption means this level of exposure represents a substantial risk across the industry.

The report points to some improvement in cloud workload security: the prevalence of the so-called "toxic cloud trilogy" (a situation in which a workload is publicly exposed, critically vulnerable, and endowed with high privilege) has decreased from 38% to 29%. However, Tenable researchers note that this combination continues to represent a significant risk for businesses.

Issues in identity and access management

One significant finding relates to the use of Identity Providers (IdPs). The research indicates that 83% of AWS organisations employ IdP services to manage cloud identities, which is regarded as best practice. Despite this, risks persist due to permissive default settings, excessive entitlements, and lingering standing permissions that give rise to identity-based threats.

"Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations," said Ari Eitan, Director of Cloud Security Research, Tenable.

The report suggests that attackers are often able to find entry points with relative ease, exploiting public access, extracting embedded secrets, or misusing over-privileged identities.

Recommendations and risk management

"The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate. The cloud demands continuous, proactive risk management, and not reactive patchwork," added Eitan.

Tenable's analysis is based on telemetry collected from a diverse array of public cloud and enterprise environments and provides detailed insight into the cloud security challenges currently faced by businesses. The report offers practical recommendations to help security professionals reduce risks, mitigate vulnerabilities, and address gaps before they can be exploited.

The findings underline the necessity for organisations to adopt unified cloud exposure management, increase visibility across their cloud assets, and take a systematic approach to automation and remediation of security risks, particularly as cloud adoption and reliance on AI-driven resources continue to rise.

Microsoft Issues Windows 10 And 11 Update As Attacks Already Underway

Forbes

11-06-2025


Microsoft issues security update as Windows attacks begin.

Users of the Windows operating system, be that Windows 10, Windows 11 or any of the Windows Server variants, are used to reading Microsoft cyberattack warnings. Some warnings, however, are more critical than others. Whenever a Windows zero-day exploit is involved, you really need to start paying close attention. These are the vulnerabilities that have not only been found by threat actors, but have also been exploited and are already under attack by the time the vendor, in this case Microsoft, becomes aware of them. Microsoft, and by extension you, are then playing catch-up to get protected against the cyberattacks in question. Here's what you need to know about CVE-2025-33053 and what you need to do right now.

Don't wait, update Windows right now

The June 10 Patch Tuesday security rollout has brought with it a few unwelcome surprises, as is often the case. None more so than CVE-2025-33053, which is not only a zero-day, in that it is already known to have been exploited by threat actors, but is also being leveraged widely in cyberattacks, and that's very worrying indeed for all Windows users.

A Microsoft executive summary describes the threat from CVE-2025-33053 as 'external control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.' Or, in other words, a remote code execution vulnerability that can do some very bad things indeed.

Tenable Research Special Operations has analyzed the threat, and Satnam Narang, the senior staff research engineer at Tenable, said that, as confirmed in a Check Point Research report, a known threat group, Stealth Falcon, has 'launched a social engineering campaign to convince targets to open a malicious .url file, which would then exploit this vulnerability, giving them the ability to execute code.'

That's problematic, as Narang explained: 'it is rare to hear of a zero-day reported during Patch Tuesday as being leveraged widely. We typically expect these types of zero-days to be used sparingly, with an intention to remain undetected for as long as possible.' All the more reason to get your systems updated as soon as possible. The attackers are not waiting, and neither should you.

'The advisory also has attack complexity as low,' Adam Barnett, lead software engineer at Rapid7, said, 'which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker's control.' Indeed, exploitation just requires a user to click on a malicious link, oh what a surprise. 'It's not clear how an asset would be immediately vulnerable if the service isn't running,' Barnett concluded, adding 'but all versions of Windows receive a patch.' You know what to do, go and do it now.

Tenable reveals privilege risk in Google Cloud Composer flaw

Techday NZ

23-04-2025


Tenable Research has disclosed details of a privilege escalation vulnerability in Google Cloud Composer that could have enabled attackers to gain unauthorised access to critical cloud resources.

The vulnerability, referred to as ConfusedComposer, was found to affect Google Cloud Composer environments by allowing users with limited permissions to exploit the integration between Composer and Google Cloud Build, Google's continuous integration and delivery service.

Tenable reported that attackers possessing edit permissions in Cloud Composer could take advantage of Composer's use of the default Cloud Build service account, which is configured with broad privileges across Google Cloud Platform (GCP) services. By injecting a malicious Python package during the installation process, attackers could escalate their privileges and assume the identity of the Cloud Build service account.

Once in control of this service account, a threat actor would have access to several critical GCP resources, including Cloud Build, Cloud Storage, and Artifact Registry. This access could be used to steal data, inject malicious code into software build pipelines, establish persistence through hidden backdoors, or escalate privileges further to potentially take full control of a GCP project.

ConfusedComposer is described as a variant of a previously discovered vulnerability known as ConfusedFunction, illustrating how the interconnected nature of cloud services can contribute to the development of new exploitation methods based on existing weaknesses. Tenable used the term "Jenga Concept" to describe this phenomenon, where security weaknesses in one cloud service layer can cascade into others because of intertwined dependencies.

"When you play the Jenga game, removing one block can make the whole tower unstable," said Liv Matan, Senior Security Researcher at Tenable. "Cloud services work the same way. If one layer has risky default settings, then that risk can spread to others, making security breaches more likely to happen."

The vulnerability has been addressed by Google, and no further action is required from users to mitigate the issue in existing environments. However, Tenable's findings highlight a broader concern for organisations relying on cloud service ecosystems comprised of stacked and interdependent services.

Tenable outlined specific impacts that could result from exploitation of ConfusedComposer. Potential consequences include theft of sensitive data, compromise of CI/CD pipelines, establishment of persistent unauthorised access methods, and total takeover of affected Google Cloud projects.

In terms of security best practices, Tenable recommended that organisations enforce the principle of least privilege to minimise unnecessary permission inheritance, map hidden service dependencies using tools such as Jenganizer, and conduct regular log reviews to identify suspicious access attempts.

"The discovery of ConfusedComposer highlights the need for security teams to uncover hidden cloud interactions and enforce strict privilege controls. As cloud environments become more complex, it's crucial to identify and address risks before attackers take advantage of them," added Matan.

The disclosure of ConfusedComposer draws attention to the increasing complexity and interconnectivity in cloud platform security, suggesting that teams must proactively assess potential privilege escalation paths and inherited risks in their cloud architectures.

Tenable research reveals popular AI tools used in cloud environments are highly vulnerable

Tahawul Tech

24-03-2025


Tenable®, the exposure management company, recently announced the release of its Cloud AI Risk Report 2025, which found that cloud-based AI is prone to avoidable toxic combinations that leave sensitive AI data and models vulnerable to manipulation, data tampering and data leakage.

Cloud and AI are undeniable game changers for businesses. However, both introduce complex cyber risks when combined. The Tenable Cloud AI Risk Report 2025 highlights the current state of security risks in cloud AI development tools and frameworks, and in AI services offered by the three major cloud providers: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

The key findings from the report include:

  • Cloud AI workloads aren't immune to vulnerabilities: Approximately 70% of cloud AI workloads contain at least one unremediated vulnerability. In particular, Tenable Research found CVE-2023-38545, a critical curl vulnerability, in 30% of cloud AI workloads.
  • Jenga®-style [1] cloud misconfigurations exist in managed AI services: 77% of organizations have the overprivileged default Compute Engine service account configured in Google Vertex AI Notebooks. This means all services built on this default Compute Engine are at risk.
  • AI training data is susceptible to data poisoning, threatening to skew model results: 14% of organisations using Amazon Bedrock do not explicitly block public access to at least one AI training bucket and 5% have at least one overly permissive bucket.
  • Amazon SageMaker notebook instances grant root access by default: As a result, 91% of Amazon SageMaker users have at least one notebook that, if compromised, could grant unauthorized access, which could result in the potential modification of all files on it.

'When we talk about AI usage in the cloud, more than sensitive data is on the line. If a threat actor manipulates the data or AI model, there can be catastrophic long-term consequences, such as compromised data integrity, compromised security of critical systems and degradation of customer trust', said Liat Hayun, VP of Research and Product Management, Cloud Security, Tenable. 'Cloud security measures must evolve to meet the new challenges of AI and find the delicate balance between protecting against complex attacks on AI data and enabling organisations to achieve responsible AI innovation'.

[1] The Jenga®-style concept, coined by Tenable, identifies the tendency of cloud providers to build one service on top of the other, with 'behind the scenes' building blocks inheriting risky defaults from one layer to the next. Such cloud misconfigurations, especially in AI environments, can have severe risk implications if exploited.
