Microsoft Azure | Breaking Cybersecurity News | The Hacker News

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response team, said . "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext." The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences. The list of identified extensions are below - SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and P...

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems. The security defect, tracked as CVE-2025-20286 , carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability. "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company said in an advisory. The networking equipment maker, which credited Kentaro Kawane of GMO Cybersecurity for reporting the flaw, noted it's aware of the existence of a proof-of-concept (PoC) exploit. There is no evidence th...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said . "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions. The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment. The incident led to th...

A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records. The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to Infoblox. Some of the other resources usurped by the threat actor include those hosted on Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify. The DNS threat intelligence firm said it first discovered the threat actor after it gained control of several sub-domains associated with the U.S. Center for Disease Control (CDC) in February 2025. It has since been determined that other government agencies across the globe, prominent universities, and international corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young have been victimized by the same threat actor since at least ...

Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," the company said in an update. "Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services." In an advisory issued on March 7, 2025, Commvault said it was notified by Microsoft on February 20 about unauthorized activity within its Azure environment and that the threat actor exploited CVE-2025-3928 as a zero-day. It also said it rotated affected credentials and enhanced security measures. The disclosure comes as the U.S. Cybersecurity ...

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry," Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News. The shortcoming has been codenamed ConfusedComposer by the cybersecurity company, describing it as a variant of ConfusedFunction , a privilege escalation vulnerability impacting GCP's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. The disclosure comes weeks after Tenable detailed another pr...

Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure. The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. "The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News. The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links , from where they are led to a fake Office 365 Outlook Web App login page in order to ste...

A suspected China-nexus cyber espionage group has been attributed to an attacks targeting large business-to-business IT service providers in Southern Europe as part of a campaign codenamed Operation Digital Eye . The intrusions took place from late June to mid-July 2024, cybersecurity companies SentinelOne SentinelLabs and Tinexta Cyber said in a joint report shared with The Hacker News, adding the activities were detected and neutralized before they could progress to the data exfiltration phase. "The intrusions could have enabled the adversaries to establish strategic footholds and compromise downstream entities," security researchers Aleksandar Milenkoski and Luigi Martire said . "The threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 [command-and-control] purposes, attempting to evade detection by making malicious activities appear legitimate." It's currently not known which China-linked hacking group is behind the attacks,...

Cybersecurity researchers have discovered two security flaws in Microsoft's Azure Health Bot Service that, if exploited, could permit a malicious actor to achieve lateral movement within customer environments and access sensitive patient data. The critical issues, now patched by Microsoft, could have allowed access to cross-tenant resources within the service, Tenable said in a new report shared with The Hacker News. The Azure AI Health Bot Service is a cloud platform that enables developers in healthcare organizations to build and deploy AI-powered virtual health assistants and create copilots to manage administrative workloads and engage with their patients. This includes bots created by insurance service providers to allow customers to look up the status of a claim and ask questions about benefits and services, as well as bots managed by healthcare entities to help patients find appropriate care or look up nearby doctors. Tenable's research specifically focuses on on...

While cloud adoption has been top of mind for many IT professionals for nearly a decade, it's only in recent months, with industry changes and announcements from key players, that many recognize the time to make the move is now. It may feel like a daunting task, but tools exist to help you move your virtual machines (VMs) to a public cloud provider – like Microsoft Azure – with relative ease. Transitioning from VMware vSphere to Microsoft Azure requires careful planning and execution to ensure a smooth migration process. In this guide, we'll walk through the steps involved in moving your virtualized infrastructure to the cloud giant, Microsoft Azure. Whether you're migrating your entire data center or specific workloads, these steps will help you navigate the transition effectively. 1. Assess Your Environment: Before diving into the migration process, assess your current VMware vSphere environment thoro...

The U.S. Cyber Safety Review Board ( CSRB ) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year. The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a "cascade of Microsoft's avoidable errors." "It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations," the DHS  said  in a statement. The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reac...

An Iran-nexus threat actor known as  UNC1549  has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E. Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis. UNC1549 is said to overlap with  Smoke Sandstorm  (previously Bohrium) and  Crimson Sandstorm  (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc. "This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024," the company  said . "While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide." The attacks entail the use of Microsoft Azure cloud infrastructure for command...

Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft  Azure Automation  service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention. "While this research is significant because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to achieve any task that requires code execution on Azure," security researcher Ariel Gamrian  said  in a report shared with The Hacker News. The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable. That's where Azure Automation comes in. ...

More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the  Microsoft Azure HDInsight  open-source analytics service that could be weaponized by a threat actor to carry out malicious activities. "The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. The issues were addressed by Microsoft as part of its  Patch Tuesday updates  for August 2023. The disclosure comes three months after similar shortcomings were reported in the  Azure Bastion and Azure Container Registry  that could have been exploited for unauthorized data access and modifications. The list of flaws is as follows - CVE-2023-35393  (CVSS score: 4.5) - Azure Apac...

Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit (CTU)  said  in a technical report published last week. "The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges." Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an  open-source tool  that other organizations can use to scan for abandoned reply URLs. Reply URL , also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and grant...

A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from  SentinelOne  and  Permiso , which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools." They also overlap with an ongoing TeamTNT campaign  disclosed  by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking  SCARLETEEL  attacks to the threat actor, citing infrastructure commonalities. "TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted. The attacks, which single out public-facing Docker instanc...