Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm and Sliver C2 exploit cloud misconfigurations.

Recent research conducted by Veriti shared with Hackread.com, sheds light on the alarming trend of cybercriminals exploiting cloud infrastructure for malicious purposes. The study reveals that cloud platforms are increasingly being used not only to host and deliver malware payloads but also to serve as command-and-control centres.  

A particularly concerning finding is that over 40% of networks permit unrestricted communication with at least one major cloud provider. This “any/any” configuration creates a significant security vulnerability, allowing attackers to easily exfiltrate data and deploy malware from seemingly trusted cloud sources. 

Veriti’s research highlighted specific instances of malware campaigns leveraging cloud storage. The most noteworthy instances include the XWorm malware’s utilization of Amazon Web Services (AWS) S3 storage to distribute its malicious executables. Similarly, a Remcos campaign employed malicious RTF files, exploiting known vulnerabilities, with payloads also hosted on AWS S3.

Beyond malware distribution, cloud platforms are being actively used as command-and-control (C2) servers. Various malware families, including Havoc, NetSupportManager, Unam Miner, Mythic, Pupy RAT, Caldera, HookBot and Brutal Ratel, were observed utilizing infrastructure from major cloud providers like AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 operations.

Cloud services and the type of malware being spread through them (Screenshot credit: Veriti)

Researchers also documented malware strains commonly found in cloud-based attacks, such as Mirai and njRAT, further emphasizing the growing abuse of cloud environments. Another concerning development is the increasing use of Sliver C2, which is being weaponized by Advanced Persistent Threat (APT) groups for stealthy C2 operations and post-exploitation tactics, Veriti’s report revealed.

For your information, Sliver C2 is an open-source command-and-control framework, initially developed for penetration testing but is now being weaponized by threat actors. It is often used with Rust-based malware to establish backdoors and exploits zero-day vulnerabilities, including recent Ivanti Connect Secure and Policy Secure vulnerabilities.

Furthermore, the study revealed critical vulnerabilities affecting cloud-hosted services across AWS, Azure, and Alibaba Cloud. These vulnerabilities, identified by CVE numbers, highlight the need for organizations to adopt a proactive approach to cloud security. 

The increasing abuse of cloud services demands a shift towards a _security-first approach_ to protect against these evolving threats, researchers noted.

“Veriti Research’s findings emphasize the critical need for organizations to rethink cloud security strategies. The increasing abuse of cloud services for malware hosting, C2 operations, and exploitation calls for a proactive, security-first approach,” the report read.

This should include restricting “any/any” network rules, implementing cloud-native security solutions for threat monitoring, and enforcing stronger cloud security policies.

Hackers Exploit Cloud Misconfigurations to Spread Malware

Unit 42 uncovers JavaGhost’s evolving AWS attacks. Learn how this threat actor uses phishing, IAM abuse, and advanced…

Unit 42 uncovers JavaGhost’s evolving AWS attacks. Learn how this threat actor uses phishing, IAM abuse, and advanced evasion techniques, and find out how to detect and respond.

Researchers at Palo Alto Networks’ Unit 42 have been tracking a persistent threat actor, designated TGR-UNK-0011, which they have confidently attributed to the group known as JavaGhost. As per their investigation, shared with Hackread.com, this group has been active for over half a decade and has recently shifted its focus from website defacement to conducting financially motivated phishing campaigns, particularly targeting cloud environments.

Initially, JavaGhost’s activities, documented on website defacement registries, primarily revolved around altering the content of websites. However, Unit 42’s investigations conducted between 2022 and 2024 revealed that attackers were actively exploiting misconfigurations within organizations’ Amazon Web Services (AWS) environments to launch phishing attacks.

It is worth noting that these attacks did not result from vulnerabilities within AWS itself, but from the exposure of long-term access keys due to configuration errors within the targeted organizations. 

The group’s methodology involves leveraging compromised AWS credentials to gain initial access via the command-line interface (CLI). To evade detection, they avoid the commonly used “GetCallerIdentity” API call, and instead, use “GetServiceQuota,” “GetSendQuota,” and “GetAccount” to blend in with normal AWS activity, avoiding common detection triggers.

Researchers observed that their toolset can also be identified by the use of python urllib3 during the GetSigninToken events. Once inside, they generate temporary credentials and console access using “GetFederationToken” with an “allow all” policy, granting them maximum control.

To establish their phishing infrastructure, JavaGhost manipulates Amazon Simple Email Service (SES) and WorkMail. They create multiple SES email identities, modify DKIM settings, and adjust Virtual Delivery Manager (VDM) and Mail-from attributes. Additionally, they configure AWS WorkMail Organizations and create user accounts, generating various SES and AWS Directory Service (DS) events within CloudTrail logs.

_Create Amazon WorkMail_ Directory Automatically Create Events (Source: Unit 42)  

New WorkMail User Creation (Source: Unit 42)

JavaGhost creates new SMTP credentials for sending emails, which leads to the creation of new identity and access management (IAM) users and groups. They also establish IAM users for long-term persistence, often with administrator privileges, and in more recent attacks, create IAM roles with trust policies that allow access from attacker-controlled AWS accounts.  

SMTP Credentials Retrieval Example (Source: Unit 42)

A unique calling card of the group is the creation of EC2 security groups named “Java\_Ghost” with the description “We Are There But Not Visible.” They also attempt to leave AWS Organizations and enable all AWS regions, indicating a desire to remove security constraints. 

“Accessing the console via this methodology obfuscates their identity and allows them easier visibility into the resources within an AWS account. Since attackers rarely create temporary credentials to access the AWS console URL, these methods often bypass detection,” researchers noted in their report.

The evolution of JavaGhost’s tactics, from simple access key usage to sophisticated evasion techniques, highlights the group’s increasing sophistication. However, their actions are traceable through CloudTrail logs (a tactic historically employed by Scattered Spider) specifically by examining user agent strings indicating the use of the Python urllib3 library. Moreover, to stay protected from similar attacks targeting AWS environments, organizations should implement a multi-layered security approach. Avoid long-term keys, rotate them, review policies, and monitor for unusual API calls and IAM activity.

Roger Grimes, data-driven defence evangelist at KnowBe4 commented on the latest development stating, “This is another example of how not doing the basics better can hurt you. When clouds took over a decade ago, “experts’ worried about all the new cloud-specific attacks we would see and become accustomed to. But what has proven true over time is that the same things that plague us in on-premise environments for over 2-3 decades are still what plague us in cloud environments. In this case, overly permissive permissions and social engineering. Social engineering is responsible for 70% – 90% of successful attacks. Overly permissive permissions are also a top threat (but surpassed also by vulnerability exploits and stolen credentials),” said Roger.

He further suggested that “If you want to keep hackers and their malware creations out, concentrate on the long-time basics, not just as part of everything you are doing, but primarily what you are doing. If you’re not stopping social engineering, exploits against unpatched vulnerabilities, credential theft (79% of the time through social engineering), and misconfigurations, of which overly permissive permissions are one type, then you aren’t going to stop hackers. The only difference now is you need to learn how to do it in both on-premises and cloud environments. But the threats are the same.”

1.  ShinyHunters, Nemesis Exposed After AWS S3 Leak
2.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
3.  Tunneling Flaws Put VPNs, CDNs, Routers at Risk Globally
4.  FUNNULL Unmasked: AWS Abused for Global Cybercrime
5.  Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets

Top/Featured Image via Pixabay/TheDigitalArtist

JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Artificial Intelligence is a tool that is currently changing how businesses approach digital marketing and SEO. Explore how your business can transform with AI-powered SEO services here.

Over 70% of marketers and small business owners in the world today use AI for SEO. That’s a staggering amount. Right? Well, AI is changing how businesses approach digital marketing. It enables systems to evaluate massive data, determine patterns, and make decisions with little or no human intervention.

So, now businesses can easily automate and optimise key aspects of SEO, such as keyword research, content creation, and website analysis. This allows businesses to get high search rankings and organic traffic more efficiently than with traditional methods. Let’s learn more about this below.

**Table of Contents**

1.  The integration of artificial intelligence in SEO
    1.  Automation of keyword research
    2.  Optimisation of technical SEO
    3.  Content optimisation and creation
2.  Enhancing user experience through AI-driven strategies
3.  Predictive analytics: forecasting trends with AI
4.  Automating routine SEO tasks using machine learning
5.  Case studies: success stories of AI in SEO
    1.  Bankrate.com
    2.  Rocky Brands
    3.  STACK Media
    4.  RELATED TOPICS

****The integration of artificial intelligence in SEO****

As mentioned earlier, many businesses are adopting the use of AI for SEO. They do so in several ways, including the following:

****Automation of keyword research****

Before AI, keyword research used to involve the tiring work of analysing volume and competition metrics. That’s not the case anymore. Now tools such as Ahrefs and SEMrush use machine learning to predict keyword trends.

This is more efficient and faster than the traditional methods of keyword research. AI quickly analyses a vast amount of data to identify relevant keywords, long-tail phrases, and competitor strategies.

So, it ensures a more targeted content creation. For instance, businesses currently focusing on SEO in Spain, use AI to get more targeted Spanish keywords. Then, they incorporate the keywords in their content to ensure higher search rankings and organic traffic.

****Optimisation of technical SEO****

You can now use AI to automate your technical SEO tasks. This includes identifying technical issues, such as slow loading times and defective links. What’s more, you can use AI to get an insight into where you need to improve your website.

Therefore, AI can help your website shine. This means that it can help you identify and fix issues that can affect your search engine ranking and things like bounce rate.

****Content optimisation and creation****

Today, many businesses use artificial intelligence to develop SEO-driven strategies. Any leading digital marketing agency, such as Seeders, will confirm that AI significantly simplifies and accelerates the process of content optimization and creation. For example, AI-powered tools like Frase, Clearscope, and Surfer SEO help analyze top-ranking content. They provide recommendations on keywords, structure, and readability.

What does this indicate? It means that you don’t have to do the tiring research work daily. AI can do it for you. In addition to the research, AI can help you write great pieces of content. Remember, it all lies in how you prompt it to write.

****Enhancing user experience through AI-driven strategies****

Have you ever gotten the feeling that Google knows what you think before you finish typing? Well, that’s the power of AI. Today, SEO isn’t just about stuffing keywords into articles or hoping your content will land on the first page.

It’s about semantic search and user intent. What’s more, AI ensures that businesses can deliver more personalised, intuitive, and efficient interactions. It does this by doing the following:

*   Analysing user behaviour and past interactions to ensure personalised content and experiences. For example, Amazon and Netflix will give you product or content recommendations based on your unique history. So this ensures better user engagement.

*   Using chatbots to provide instant responses to user queries. This helps to reduce wait times and ensure better customer support.

*   Predicting customer preferences. This ensures that marketing efforts are more personalised.

****Predictive analytics: forecasting trends with AI****

AI doesn’t just focus on history. It can also help you predict the future. AI uses statistical models, data analytics, and machine learning to predict the future. The best part? Its predictions are often accurate and can help your business stay ahead in competitive markets.

Therefore, you can use AI to analyse industry trends, social media sentiments and economic indicators. Then, use the data received to predict market shifts. At the same time, you can use that data to adjust your digital marketing strategies to ensure they align with future demands.

The benefits of using AI in predictive analytics are that:

*   It offers real-time insights.
*   It analyses large datasets quickly
*   It helps businesses to optimise their marketing efforts.
*   It ensures minimal error. So businesses can make decisions quickly.

****Automating routine SEO tasks using machine learning****

As mentioned earlier, machine learning is one of the things that AI uses to make predictive analytics. Apart from that, machine learning can be used to automate routine SEO tasks. This includes doing things like:

*   Analysing search trends, competitor rankings, and user intent to generate high-performing keywords. So, businesses that use AI for keyword research can stay ahead of trends and search terms.

*   Automating content audits to ensure that content aligns well with search engine algorithms.

*   Providing real-time suggestions for content optimisation, including areas where you can improve readability.

*   Identifying gaps in existing content and suggesting topics to improve search rankings by filling these gaps.

*   Identifying technical SEO issues, like broken links and page speed problems. Then providing ways to solve them.

*   Optimising images by automatically generating alt texts.

****Case studies: success stories of AI in SEO****

Many sites have successfully used AI to improve their SEO performance. They include:

****Bankrate.com****

Bankrate.com has successfully used AI to drive thousands of visits each month to their website. This website uses AI to create responses to questions that have specific limitations, such as “What is Financial Liquidity?” and “What is the Contribution Margin?”

So, when done right, AI content can help you achieve success. And Bankrate.com has proven that. The site also uses a human touch to fact-check and rewrite where necessary.

****Rocky Brands****

Rocky Brands is another company that has managed to successfully use AI for SEO. It has implemented the use of BrightEdge tools for formulating effective SEO strategies.

After the implementation of these AI tools, Rocky Brand experienced an increase of YOY revenue by 74%, search revenue by 30% and new users by 13%.

****STACK Media****

STACK Media also collaborated with BrightEdge to enhance their web traffic. This collaboration involved identifying high search volume keywords, analysing SERP visibility, and conducting competitive research.

1.  Top SEO Agencies in the UK: Expert Insights
2.  Best SEO Experts to Follow on Twitter (X) in 2025
3.  How to Improve Your SEO through Enhanced Web Security
4.  SEO vs. PPC: Choosing the Right Strategy for Your Business
5.  16 Best SaaS SEO Experts That Will Help You Dominate Online

Featured Image via Pexels/Matheus Bertelli

AI-powered SEO services: revolutionizing digital marketing

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42.
The cybersecurity company is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to

Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail

The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning— that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play, by loading a WebView to redirect users to an external website from where they could download the app hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But when the apps are installed, they steal information from the victim’s device that can be used to blackmail the victim. Especially when they miss any payments on the loan.

Among the stolen information are listed contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail 

Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account.
"If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report

New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Source: Tero Vesalainen via Shutterstock

When armed gangs raided a Haitian prison and released 4,700 prisoners last March, images and videos showing the violence and gunfire saturated social media around the world. Determining which graphic media was authentic — and marking those instances in a way that future viewers could verify for themselves what was real and what was modified — was a significant challenge.

Showcasing a solution to exactly that problem, the British Broadcasting Corporation (BBC) launched its adoption of Content Credentials, a technology for attesting to the authenticity and provenance of digital content, by using the technology to verify a TikTok video of the attack. The BBC verified the location of the video and its likely veracity, but it determined that audio of gunfire had been added after the fact. The company then digitally signed the video so that future viewers would know the BBC had verified it.

Content Credentials — an open technology that aims to solve disinformation and media integrity issues — is being developed by the Coalition for Content Provenance and Authenticity (C2PA), a group of more than 500 media, software, and hardware companies working to create an ecosystem for verified media.

The BBC's adoption of Content Credentials is just one use case but an important one, says Andy Parsons, senior director of the Content Authenticity Initiative (CAI) at Adobe and a steering committee member of the C2PA.

"The BBC \[is\] declaring that — regardless of whether this is a photo or whether AI was used to do a photo illustration — you can be guaranteed that it came from BBC, and even that simple proof-of-date or proof-of-origin is something we don't have in media right now," Parsons says.

In 2019, technology and media companies created the CAI to find solutions to disinformation and ways for news organizations to authenticate photos and video. Two years later, six companies — Adobe, Arm, BBC, Intel, Microsoft, and Truepic — founded the C2PA to pursue an open standard for establishing the provenance of various types of media files. The two efforts eventually combined forces to advance Content Credentials, a digital-signature technology and infrastructure for verifying and authenticating media.

In the past year, Content Credentials and the C2PA gained significant steam, with the addition of Amazon, Google, Meta, and OpenAI to the steering committee and the adoption of the technology by several camera makers — including Canon, Leica, and Sony — and smartphone makers, such as Samsung.

Yet the ecosystem is still in its infancy, Christian Paquin, a principal research software engineer at Microsoft, told attendees at last month's ShmooCon 2025.

"You can imagine the situation in five to 10 years when this technology is baked in a lot of the trusted news and a hardware ecosystem that can produce these signatures and can be validated by the social media themselves or the browsers, so that we can really have trust signals to differentiate what's real and what's not," he said.

**Manifest Destiny**

Content Credentials have three main components: the media data, a manifest describing the data and any actions transforming the data, and a digital signature binding the two pieces of information together in a tamper-evident way. The manifest includes typical metadata, as well as some additional C2PA-accepted fields — attestations — that can describe additional attributes of the photo, its source, and the software actions used to process the data.

Based on public-key encryption and digital signatures, Content Credentials act as an audit log of every action performed on a piece of media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Each of those steps would be an attestation in the manifest of the signed content credential.

A video signed with a Content Credential shows that it originated with the BBC News Lab. Source: https://contentcredentials.org/verify

The result is providing an audit trail with each piece of authenticated content, which could help citizens and users better know what is fake and what is arguably real, Adobe's Parsons says.

"All the companies involved — and I would lump in civil society and some governments as well — have a real urgency to solve this problem," he says. "And while C2PA is not a silver bullet at solving misinformation, it does put in place a fundamental foundational layer that the Internet probably should always have had around trust, and this is a really nice clean way to do it."

Already, most makers of foundational artificial intelligence (AI) models — such as Open AI, Meta, and Microsoft — digitally sign all images created by their image-generation models with a Content Credential, indicating that it was AI generated or manipulated.

**An Evolving Standard**

The technology is not done, either. The C2PA specification has quickly evolved over the past three years, reaching version 2.1 in September. Among the new features are efforts to make the credentials more "durable" — in other words, adopting techniques, such as digital fingerprinting and watermarking, to indicate the provenance of images, even if they are manipulated after publication or captured from a screenshot.

The combination of signed metadata with fingerprinting and watermarking is powerful, Adobe's Purdy wrote in a 2024 analysis of the techniques.

"\[N\]one of these techniques is durable enough in isolation to be effective on its own," he said. "But combined into a single approach, the three form a unified solution that is robust and secure enough to ensure that reliable provenance information is available no matter where a piece of content goes."

Watermarks, fingerprinting, and Content Credentials can be a powerful combination. Source: "Durable Content Credentials," CAI blog

A number of technical problems remain to be solved. Journalists reporting on an authoritarian regime, for example, may want to remain anonymous and mask their location. Zero-knowledge proofs can help, allowing a name to be redacted and only the organization — BBC News, for example — to be shown or to generalize the location. ZK proofs allow an attribute to be signed, so a photo's GPS coordinates could instead be reduced to New York City or Kiev to provide a general location that hides the photographer's identity, and verified with a digital signature.

"This is an evolving set of certifications," Microsoft's Paquin told the audience at ShmooCon. "The main challenge is establishing who can sign certificates ... establishing PKI that is worldwide is a big problem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Technology Verifies Image, Video Authenticity

Cybereason co-founders launch their second act with a security startup focused on offering a platform that uses agentic AI to offload repetitive tasks commonly performed by security analysts.

Source: Laurent Davoust via Alamy Stock Photo

The co-founders of EDR provider Cybereason have regrouped with a new security startup, 7AI, to help organizations shift the burden of performing repetitive and routine security tasks currently performed by human analysts onto AI. 7AI's Agentic AI Platform frees security professionals from time-consuming tasks, such as triaging alerts, interpreting signals, correlating telemetry, and hunting for known threats, says Lior Div, one of the co-founders.

Div and Yonatan Striem-Amit left Cybereason two years ago after Softbank took a majority stake in the company; they founded 7AI in April 2024. The startup, which emerged from stealth on Thursday, says more than a dozen companies, mostly large and midsize enterprises, are already using its Agentic AI Platform. 7AI also received $36 million in seed funding from Greylock Partners, Spark Capital, and CRV.

Div describes agentic AI as "swarms of AI agents" capable of autonomously taking on routine security tasks. Unlike isolated generative AI agents, these swarms can enable autonomous operations by pooling and communicating their intelligence to investigate and prioritize threats while optimizing system resources. A swarm of agents working in tandem means that one agent could be configured to discover suspicious telemetry in an endpoint detection and response (EDR) system while another could be configured to validate the potential threat by correlating cloud logs. Yet another agent could be configured to observe user behavior patterns in identity and access management (IAM) systems. 

"Instead of spending their time on repetitive work to respond to alerts, our early customers are able to start their work with full context, drastically fewer false positives, and the results of full investigations," Div explained in a blog post announcing the company's new platform. The platform documents how each agent reached its conclusions and can be reviewed at any time by human analysts.

7AI's agentic AI capabilities, which is hosted in the Amazon Web Services cloud, is built with generative AI tools from Open AI and Anthropic.

"When it comes to reasoning, we're using Open AI," Div tells Dark Reading. "But when it comes to actually implementing and writing code, we're using Anthropic."

**A Replacement for SOAR?**

The platform is not designed to replace security administrators and analysts but rather allow them to take mundane tasks off their plates so they can allocate their time to more strategic functions.

"AI will take away 90% of the boring, toiling work," Div says.

Besides handling repetitive tasks, 7AI's platform is designed to correlate telemetry without moving data into another system. For example, in a typical threat hunting scenario, the data would have to be pushed into a security information and event management (SIEM). Instead, 7AI correlates the information at its source. The platform can also detect threat activity and anomalies in IAM systems such as Okta, Div says.

"We believe our AI will meet the data where the data was born," he says. "You don't have to send a lot of those pieces to the SIEM anymore."

This could also reduce organizations' reliance on managed security and service providers or managed detection and response providers, Div suggests.

"We don't think that you will need a SOAR once you have our system because it will decide on the fly what is the right playbook to run and what type of investigation to conduct without the need for human beings to specify it step by step," Div says.

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

7AI Streamlines Security Operations With Autonomous AI Agents

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#amazon