Cloud environments often come with complex and evolving security risks. These 5 high-impact vulnerabilities are actively exploited in the wild and demand immediate attention from security architects, DevOps teams, and CISOs alike.
As cloud adoption accelerates across industries, mitigating these threats has become a strategic imperative, essential not only for technical resilience but also for protecting business continuity and customer trust.
1. Public-cloud storage left open
Cloud object storage (e.g., Amazon S3, Azure Blob, Google Cloud Storage) is often used for static content, logs, backups, or even production data. These systems use Access Control Lists (ACLs) and bucket policies to manage permissions. Unfortunately, even a single misconfigured rule, such as public-read, can silently expose massive amounts of data to the public internet. Attackers regularly crawl cloud providers for open buckets. A single overlooked policy can lead to data theft, compliance violations, and brand damage.
May 2023, Toyota Connected Services
In May 2023, Toyota Connected Services disclosed that a misconfigured storage bucket had been publicly accessible for over a decade, leaking telemetry and geolocation data for 2.15 million vehicles. The exposure included sensitive operational data that could potentially be used to track vehicle movements.
Mitigation strategy:
To mitigate the risk of public cloud storage being left open, organizations should implement a default-deny policy that blocks public access across all storage services. This baseline control should be enforced at the organizational level using service control policies or cloud governance tools. At the infrastructure level, require that all storage buckets are created with approved security tags using infrastructure-as-code frameworks like Terraform, Bicep, or CloudFormation. Continuous monitoring should be in place to scan for any untagged or publicly accessible buckets, with immediate alerting and remediation workflows.
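The continuous-monitoring step above needs a concrete test for "publicly accessible". The following is an added example, not code from the article: it evaluates S3-style bucket policies and ACLs for grants to everyone. The dict shapes mirror what boto3's get_bucket_policy and get_bucket_acl return, but the sample buckets are constructed so the check runs offline.

```python
# Added example, not from the article: flag S3-style buckets whose bucket
# policy or ACL grants access to everyone. The dict shapes mirror boto3's
# get_bucket_policy / get_bucket_acl output; the sample data is constructed.
import json

# Grantee URIs S3 uses for "anyone" and "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _principal_is_wildcard(principal) -> bool:
    """True when a policy statement's Principal means 'anyone'."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])

def public_policy_statements(policy_json) -> list:
    """Sids of Allow statements open to the world and not narrowed by a
    Condition (e.g. aws:SourceVpc); conditioned grants need manual review."""
    statements = json.loads(policy_json or "{}").get("Statement", [])
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow" and "Condition" not in st
            and _principal_is_wildcard(st.get("Principal"))]

def public_acl_grants(acl: dict) -> list:
    """Permissions (READ, WRITE, FULL_CONTROL) granted to public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def find_public_buckets(buckets: list) -> dict:
    """Map bucket name -> reasons it is publicly reachable (absent if none)."""
    report = {}
    for b in buckets:
        reasons = ["policy:" + s for s in public_policy_statements(b.get("policy"))]
        reasons += ["acl:" + p for p in public_acl_grants(b.get("acl", {}))]
        if reasons:
            report[b["name"]] = reasons
    return report

# Constructed sample: a public-read policy, an AllUsers ACL grant, one locked down.
SAMPLE_BUCKETS = [
    {"name": "telemetry-archive", "acl": {"Grants": []}, "policy": json.dumps({"Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::telemetry-archive/*"}]})},
    {"name": "web-assets", "policy": None, "acl": {"Grants": [{"Permission": "READ",
        "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}},
    {"name": "private-backups", "policy": None, "acl": {"Grants": [{"Permission": "FULL_CONTROL",
        "Grantee": {"Type": "CanonicalUser", "ID": "owner"}}]}},
]
```

Wildcard grants that carry a Condition are deliberately not reported as public; they still deserve a manual look, since a loose condition can be as good as none.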
2. Over-privileged identities & MFA resets
Cloud IAM is designed around the principle of least privilege, but in practice organizations accumulate overly permissive roles, break-glass accounts, and manual overrides. Social engineering tactics such as phishing emails or vishing, often directed at or impersonating IT support, can be used to get Multi-Factor Authentication (MFA) reset and to escalate into highly privileged roles.
September 2023, Scattered Spider Group
In September 2023, the Scattered Spider group breached MGM Resorts by tricking IT support into resetting MFA for an Okta super-admin. They pivoted into AWS and Azure using valid credentials, crippling check-in systems and casino operations for days.
Mitigation strategy:
For over-privileged identities and the risk of MFA resets being exploited, it’s crucial to enforce phishing-resistant authentication methods, such as FIDO2 or WebAuthn, for all privileged roles. Help-desk workflows should require peer review and logging for any MFA reset requests, ensuring traceability and accountability. Additionally, regular use of IAM graph analysis tools can help identify dormant accounts, overly broad permissions, and privilege escalation paths, making it easier to maintain least privilege at scale.
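To make "IAM graph analysis" concrete, here is an added example (not the article's or any vendor's code) that treats principals as nodes and assume-role trust as edges, then searches for chains that end at an admin-equivalent role and lists dormant identities. The inventory is constructed; a real one would be built from IAM policies and role trust policies.

```python
# Added example, not from the article: a minimal IAM graph analysis of the kind
# the mitigation describes. It finds assume-role chains from users to admin-
# equivalent roles and lists dormant principals. The inventory is constructed;
# a real one would be built from IAM policies and role trust policies.
from collections import deque
from datetime import date

# Per principal: direct permissions, roles it is trusted to assume, last use.
INVENTORY = {
    "user:alice": {"perms": {"s3:GetObject"}, "assumes": {"role:deploy"}, "last_used": "2024-05-01"},
    "user:bob": {"perms": {"ec2:Describe*"}, "assumes": set(), "last_used": "2023-11-02"},
    "role:deploy": {"perms": {"lambda:*", "iam:PassRole"}, "assumes": {"role:ops-admin"}, "last_used": "2024-05-01"},
    "role:ops-admin": {"perms": {"*"}, "assumes": set(), "last_used": "2024-04-30"},
    "role:break-glass": {"perms": {"*"}, "assumes": set(), "last_used": "2023-01-15"},
}

# Permissions that amount to full control (wildcards or IAM-mutating actions).
ADMIN_MARKERS = {"*", "iam:*", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
                 "iam:PutUserPolicy", "iam:CreatePolicyVersion"}

def is_admin(perms: set) -> bool:
    return bool(perms & ADMIN_MARKERS)

def escalation_paths(start: str, inv: dict = INVENTORY) -> list:
    """BFS over assume-role edges; every cycle-free path from start to an
    admin-equivalent principal (a length-1 path means start is itself admin)."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if is_admin(inv[node]["perms"]):
            paths.append(path)
            continue
        for nxt in sorted(inv[node]["assumes"]):
            if nxt not in path:
                queue.append(path + [nxt])
    return paths

def dormant_principals(today_iso: str, max_idle_days: int = 90, inv: dict = INVENTORY) -> list:
    """Principals whose credentials were last used more than max_idle_days ago."""
    today = date.fromisoformat(today_iso)
    return sorted(n for n, p in inv.items()
                  if (today - date.fromisoformat(p["last_used"])).days > max_idle_days)

def report(today_iso: str, inv: dict = INVENTORY) -> dict:
    """Users that can reach admin (with their paths) plus dormant identities."""
    users = [n for n in inv if n.startswith("user:")]
    return {"escalations": {u: escalation_paths(u, inv) for u in users if escalation_paths(u, inv)},
            "dormant": dormant_principals(today_iso, inv=inv)}
```

In this sample the findings are a two-hop path from a low-privilege user to an admin role through a deployment role, and a break-glass role nobody has used in over a year.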
3. Token hijacking & JWT forgery
Modern apps use JSON Web Tokens (JWTs) for stateless authentication. If attackers gain access to the private signing key, they can mint arbitrary tokens that pass all validation checks.
Mid-2023, Threat Group Storm-0558 – Microsoft Azure
In mid-2023, threat group Storm-0558, linked to China, obtained a Microsoft consumer signing key from a crash dump. Using it, they forged Azure AD tokens and accessed email inboxes across 25 government tenants, all without ever logging in.
Mitigation strategy:
To prevent token hijacking and forgery, organizations must store all signing keys in Hardware Security Modules (HSMs) to prevent accidental leaks. Signing keys should be rotated automatically on a regular schedule. Continuous Access Evaluation (CAE) should be enabled wherever possible to allow immediate revocation of compromised tokens. It’s also important to monitor for suspicious authentication patterns, including impossible travel or token use across irregular geographies, which may indicate misuse.
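Key rotation only helps if verifiers stop accepting the retired key. The following is an added example, not the article's or Microsoft's code: a strict JWT verifier that pins the algorithm, looks the token's kid up in the currently active key set, and enforces issuer, audience and expiry. HS256 is used so it runs on the standard library alone; the key sets and secrets are constructed.

```python
# Added example, not from the article: strict JWT verification that pins the
# algorithm, looks the kid up in the currently active key set (so a rotated-out
# or unknown key is rejected) and enforces iss, aud and exp. HS256 keeps it on
# the standard library; the same checks apply to RS256/ES256 keys held in an HSM.
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Issuer side: build header.payload.signature with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, active_keys: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError naming the first failure."""
    try:
        h64, b64, s64 = token.split(".")
        header, claims, sig = json.loads(_unb64url(h64)), json.loads(_unb64url(b64)), _unb64url(s64)
    except Exception:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":            # pin the algorithm; never dispatch on the token's alg
        raise ValueError("unexpected alg")
    key = active_keys.get(header.get("kid"))    # retired or unknown kid -> not in the active set
    if key is None:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims

def verdict(token, active_keys, issuer, audience, now=None) -> str:
    """'ok' or the reason verification failed (handy for logging and alerting)."""
    try:
        verify_token(token, active_keys, issuer, audience, now)
        return "ok"
    except ValueError as e:
        return str(e)

# Constructed key sets: before rotation both k1 and k2 are active; afterwards
# only k2 is, so any token still signed with k1 must fail verification.
KEYS_BEFORE = {"k1": b"constructed-old-secret", "k2": b"constructed-new-secret"}
KEYS_AFTER = {"k2": b"constructed-new-secret"}
```

The verdict strings are what you would feed into the suspicious-authentication monitoring the paragraph describes, since a burst of "unknown or retired kid" or "bad signature" results is itself a signal.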
4. Unsecured/shadow APIs
Every cloud-based workload exposes Application Programming Interfaces (APIs). If even one endpoint lacks authentication, input validation, or rate-limiting, it can become a high-bandwidth data exfiltration path. Shadow APIs often escape routine audits. Once discovered by attackers, they offer stealthy and scalable paths to sensitive data.
January 2023, T-Mobile
In January 2023, T-Mobile reported that an unauthenticated API allowed attackers to scrape personal profile data from over 37 million customers. The attackers used a simple, automated script over several weeks to extract the data with no alerts triggered.
Mitigation strategy:
For unsecured or shadow APIs, a full inventory of all API endpoints should be maintained using tools like service meshes (e.g., Istio, Linkerd) or API gateways (e.g., Apigee, Kong). Every exposed API should require mutual TLS authentication and signed JWTs to verify client identity and authorization. Rate limiting and throttling mechanisms should be implemented to constrain traffic from unknown or suspicious clients to a safe baseline, significantly reducing the impact of automated scraping or abuse.
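Two of the controls above, the endpoint inventory and the rate baseline, can be turned directly into detection logic. The following is an added example, not from the article or any gateway product: it runs over constructed gateway access-log lines, flags requests to endpoints missing from the inventory (shadow APIs), and flags clients whose request rate in a sliding window exceeds a baseline, which is what sustained automated scraping of the kind in the T-Mobile case looks like. The log format, endpoints and addresses are made up.

```python
# Added example, not from the article: detection over constructed API gateway
# log lines for (1) requests to endpoints absent from the API inventory (shadow
# APIs) and (2) clients whose rate over a sliding window exceeds a baseline,
# the footprint of an automated scraper. Log format and values are made up.
import re
from collections import defaultdict, deque

LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$')

# Known, managed endpoints (method + path template). Anything else is "shadow".
API_INVENTORY = {("GET", "/v1/profile/{id}"), ("POST", "/v1/login")}

def normalize(path: str) -> str:
    """Collapse numeric path segments so /v1/profile/123 matches /v1/profile/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict(); d["ts"] = int(d["ts"]); yield d

def analyze(lines, window_s: int = 60, max_per_window: int = 20) -> dict:
    """Return shadow endpoints seen and clients that exceed the rate baseline
    (client -> peak request count inside one window)."""
    shadow, offenders = set(), {}
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    for r in parse(lines):
        key = (r["method"], normalize(r["path"]))
        if key not in API_INVENTORY:
            shadow.add(key)
        q = recent[r["client"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] >= window_s:
            q.popleft()
        if len(q) > max_per_window:
            offenders[r["client"]] = max(offenders.get(r["client"], 0), len(q))
    return {"shadow_endpoints": sorted(shadow), "rate_offenders": offenders}

# Constructed: a scraper walks sequential profile ids one per second from one
# client; a normal user makes a handful of calls; one request hits an
# undocumented endpoint.
SAMPLE_LOG = (
    [f"{1000 + i} 198.51.100.7 GET /v1/profile/{i} 200" for i in range(30)]
    + ["1005 203.0.113.9 POST /v1/login 200", "1010 203.0.113.9 GET /v1/profile/42 200",
       "1020 203.0.113.9 GET /v1/internal/export 200"]
)
```

The sequential-id walk from a single client is the tell; the same loop is where a gateway would start throttling that client rather than only alerting.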
5. Ransomware-as-a-service (RaaS) in cloud workloads
RaaS operations offer plug-and-play ransomware kits to affiliates, who gain cloud access, encrypt systems, and demand ransoms. In double extortion, stolen data is also leaked if payment is withheld. Common entry points include VPNs, Citrix portals, and credential-stuffed cloud consoles. RaaS turns every misconfigured cloud service into a potential ransomware launchpad. Healthcare, finance, and SaaS firms are prime targets.
February 2024, the ALPHV/BlackCat Group – Change Healthcare
In February 2024, the ALPHV/BlackCat group breached Change Healthcare via a Citrix gateway without MFA. They encrypted claims-processing systems, stole sensitive health data, and extorted a $22 million ransom, severely disrupting U.S. healthcare services.
Mitigation strategy:
To defend against Ransomware-as-a-Service (RaaS) in cloud workloads, enforce strong multi-factor authentication on all remote access services, including VPNs, Citrix portals, and administrative consoles. Critical workloads and data should be backed up regularly using immutable storage, with backups stored in a separate cloud account that cannot be accessed using production credentials. Finally, organizations should rehearse clean-room recovery processes, ensuring they can rebuild infrastructure from scratch without paying a ransom, preserving operational continuity in worst-case scenarios.
Take charge of your cloud security
The vulnerabilities discussed above are not just theoretical risks; they are actively exploited in the wild by threat actors. Cloud security isn’t just about firewalls and patching anymore; it’s about visibility, identity governance, automation, and resilience.
Audit your cloud storage for public exposure.
Begin by scanning all storage objects, across all implemented cloud providers, for public access settings. Even a single misconfigured ACL or bucket policy can lead to massive data leakage. Use native tools like AWS Config, Azure Policy, or third-party scanners to detect public exposures in real time. Make sure storage resources are tagged appropriately and adhere to your organization’s data classification policies.
Harden IAM roles and eliminate legacy permissions.
Review all user, service, and application roles with an eye toward enforcing the principle of least privilege. Remove dormant accounts, revoke unused permissions, and replace generic “admin” roles with narrowly scoped custom roles. Implement access reviews and integrate IAM graph analysis to identify and remediate over-privileged paths that could be exploited in an attack.
Protect tokens and secrets like crown jewels.
Access tokens, API keys, and cryptographic secrets are high-value targets. Store them securely using managed services like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Rotate secrets regularly and implement automated expiration policies. For signing keys, use Hardware Security Modules (HSMs) and audit their usage. Never allow secrets to live in source code or unsecured configuration files.
Map and secure your entire API surface.
Perform a full API inventory, including public, private, internal, and shadow APIs. Use API gateways and service meshes to enforce consistent security controls across all endpoints. Require authentication using mutual TLS or signed JWTs, and apply rate limiting to reduce the blast radius of any abuse. Consider adopting API discovery tools to catch unmanaged or undocumented endpoints.
Assume breach: build response and recovery into your architecture.
Design your cloud environment with the assumption that a breach will eventually occur. Create isolated backup environments and ensure backups are immutable and inaccessible from production accounts. Implement logging and alerting across identity, storage, and network layers. Regularly test your incident response playbooks and rehearse clean-room recovery to ensure business continuity during a real-world attack.
Cloud security is no longer just about prevention; it’s about preparation, visibility, and resilience. These vulnerabilities are not hypothetical; they’re being actively weaponized by threat actors targeting organizations of every size.
By embedding security into the design of your cloud architecture and proactively addressing these risks, you don’t just reduce exposure; you build long-term trust, operational continuity, and competitive advantage.
This article was written in collaboration with the HackTricks team, whose deep cloud security knowledge shaped the core vulnerability breakdown.