Wiz on Cloud Security in 2025: Navigating the Future of Cyber Threats and Defense
Guest Author: Yotam Meitar, Director, Cloud Response, Wiz
The landscape of cybersecurity is rapidly evolving, particularly in cloud environments. Due to the easy recovery and immutable backup features supported by most cloud providers, we’re witnessing a significant shift from traditional ransomware attacks to more sophisticated, cloud-based ransom strategies. In this post, I’ll explore a recent attack that illustrates this trend, highlighting how threat actors are adapting to increasingly secure environments and the challenges organizations face in response.
I am currently the Director of Cloud Response at Wiz, and I’ve spent the last ten years managing and responding to some of the most sophisticated global cyber operations. From working in the trenches with technical teams to advising executives on leveraging cybersecurity as a competitive advantage, my focus has spanned incident response, purple teaming, and posture enhancements. Today, I specialize in developing cloud-specific incident response methodologies and preparing business leaders for evolving cyber threats.
Ransom Demand and Immediate Legal Challenges
Our case study began with a large tech company receiving a ransom note. Unlike traditional ransomware attacks that encrypt data, this attacker simply provided proof that they had exfiltrated sensitive customer information from the company’s AWS environment. More specifically, they shared hundreds of gigabytes of JSON files containing customer PII managed in a cloud MongoDB instance.
Figure 1: Ransom Note
Before performing the full forensic investigation of the attack, the company faced immediate pressure from legal requirements demanding reporting of the breach. These included the SEC’s four-day reporting deadline for material incidents (which this clearly was) and various state laws mandating customer notifications. The challenge was clear: determine the full scope of the leaked PII quickly or risk over-reporting, potentially causing unnecessary damage to the company’s reputation and customer relationships.
Investigating Leaked Data
The investigation began as a race against time. The company needed to compare the hundreds of gigabytes of attacker-provided data with their own backups to determine the extent of the breach. While the data clearly originated from MongoDB backups stored in an S3 bucket, a lack of S3 access logging prevented the company from knowing exactly which files were taken. It was clear the attacker-provided data was far too large to be manually reviewed in time, and comparing this data to stored backups proved more complicated than expected.
Unfortunately, the data validation process was complicated by differences in data formats. The attacker provided JSON files, while the company’s backups were in BSON format, and generic conversion tools failed to create files that fully matched. Overcoming this issue required a byte-by-byte analysis of the differences between the company’s files and those provided by the attacker, as well as creating dedicated scripts to “correct” mismatches in company files. Eventually, this process allowed our team to match modified company files to the file hashes of leaked data provided by the attacker, guaranteeing fidelity and enabling accurate reporting of only the relevant compromised PII rather than following the initial assumption that all customer data was compromised.
This challenge highlighted the importance of comprehensive data mapping and logging in the cloud—without them, an attacker’s ability to create chaos and inflict damage can increase dramatically. Organizations must be prepared to quickly identify and analyze their data across various formats and storage locations to prevent and effectively respond to such attacks.
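The matching step described above, as an added example that is not code from the original post or from Wiz: backup records (here already converted from BSON into Python values, an assumed intermediate step) are rewritten into the Extended JSON conventions the leaked files use and serialized deterministically, so that their SHA-256 matches the attacker-provided file only when the data is the same. All records, key names and hashes are constructed; the `naive_bytes` function shows why a generic converter fails to match.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: one record as it appears in the attacker's JSON dump
# (MongoDB Extended JSON, compact, one document per line).
LEAKED_FILE = ('{"_id":{"$oid":"64b1f0c2e4b0a1b2c3d4e5f6"},"email":"alice@example.com",'
               '"signup":{"$date":{"$numberLong":"1700000000000"}}}\n')
LEAKED_HASH = hashlib.sha256(LEAKED_FILE.encode()).hexdigest()

# Constructed sample: the same record as a generic BSON-to-dict conversion of the
# company's backup yields it (native datetime, different key order), plus a
# second backup that was never leaked.
BACKUP_FILES = {
    "customers.bson": [{"signup": datetime(2023, 11, 14, 22, 13, 20, tzinfo=timezone.utc),
                        "email": "alice@example.com",
                        "_id": {"$oid": "64b1f0c2e4b0a1b2c3d4e5f6"}}],
    "audit.bson": [{"_id": {"$oid": "64b1f0c2e4b0a1b2c3d4e5f7"}, "event": "login"}],
}

def naive_bytes(docs):
    # What a generic converter emits: insertion-order keys, str() for datetimes.
    return "".join(json.dumps(d, default=str) + "\n" for d in docs).encode()

def to_extended_json(value):
    # Rewrite values BSON carries natively into the Extended JSON form the leak uses.
    if isinstance(value, dict):
        return {k: to_extended_json(v) for k, v in value.items()}
    if isinstance(value, list):
        return [to_extended_json(v) for v in value]
    if isinstance(value, datetime):
        return {"$date": {"$numberLong": str(int(value.timestamp() * 1000))}}
    return value

def canonical_bytes(docs):
    # Deterministic serialization: sorted keys, no whitespace, one document per line.
    return "".join(json.dumps(to_extended_json(d), sort_keys=True, separators=(",", ":")) + "\n"
                   for d in docs).encode()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def match_leaked_hashes(backup_files, leaked_hashes):
    # {backup name: hash} for every backup whose corrected form hashes to a leaked file.
    matches = {}
    for name, docs in backup_files.items():
        digest = sha256_hex(canonical_bytes(docs))
        if digest in leaked_hashes:
            matches[name] = digest
    return matches
```

Only backups whose corrected bytes hash to a leaked file are reported, which is what lets notification be limited to the affected records.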
Attackers Targeting IAM and Secrets
As our response team shifted focus to the investigation, it became clear that the attackers had bypassed the company’s sophisticated identity provider. Legitimate company employees accessed the AWS environment through an identity provider that generated temporary access tokens and assigned unique session names to each employee. While attackers did not gain access to the identity provider, they had obtained a permanent access key used by the identity provider to create their own sessions, perfectly mimicking legitimate user activity.
Figure 2: Identity Provider Architecture
In figuring out how attackers compromised this highly privileged AWS access key, we discovered unauthorized access to a corresponding Secrets Manager value originating from an EC2 instance in the environment. Some quick forensics on this instance revealed the Secrets Manager access, as well as the machine’s purpose – it was being used as a Kubernetes management pod. The attacker’s highly sophisticated impersonation techniques and exploitation of overly permissive roles in the environment made detection incredibly challenging and emphasized the critical importance of centralized logging and correlation across different cloud services. Organizations must improve their detection and response capabilities by connecting the dots between various log sources, such as control plane logs, specific application logs, and runtime events from virtual machines and containers in the cloud.
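One way to connect those dots in CloudTrail, as an added example that is not code from the original post or from Wiz: a read of the secret that stores the identity provider's long-lived key from anywhere other than the provider's own egress range, followed by that key being used to assume roles from an unexpected address, is exactly the pattern described above. The key id, secret name, egress range, account id and log records are all constructed placeholders.

```python
import json
from ipaddress import ip_address, ip_network

# Assumed (constructed, not from the incident): the identity provider's long-lived
# key id, the Secrets Manager entry that holds it, and the provider's egress range.
IDP_ACCESS_KEY = "AKIAEXAMPLEIDPKEY000"      # placeholder key id
IDP_SECRET_ID = "prod/idp/aws-access-key"
IDP_EGRESS = [ip_network("203.0.113.0/24")]

# Constructed CloudTrail-style records, trimmed to the fields the checks read:
# a secret read from a node's instance role, then two AssumeRole calls with the
# IdP key, one from the IdP's range and one from elsewhere reusing a real session name.
EVENTS = [json.loads(line) for line in '''
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/k8s-node/i-0abc123def456"},"sourceIPAddress":"10.0.4.17","requestParameters":{"secretId":"prod/idp/aws-access-key"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/idp","accessKeyId":"AKIAEXAMPLEIDPKEY000"},"sourceIPAddress":"203.0.113.10","requestParameters":{"roleSessionName":"alice"}}
{"eventTime":"2024-05-01T11:30:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/idp","accessKeyId":"AKIAEXAMPLEIDPKEY000"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleSessionName":"alice"}}
'''.strip().splitlines()]

def outside_idp_egress(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in IDP_EGRESS)

def suspicious_secret_reads(events):
    # Reads of the secret holding the IdP key from anywhere but the IdP's range.
    return [e for e in events
            if e["eventSource"] == "secretsmanager.amazonaws.com"
            and e["eventName"] == "GetSecretValue"
            and e["requestParameters"].get("secretId") == IDP_SECRET_ID
            and outside_idp_egress(e["sourceIPAddress"])]

def suspicious_key_use(events):
    # Any API call signed with the IdP's long-lived key from outside its range.
    return [e for e in events
            if e["userIdentity"].get("accessKeyId") == IDP_ACCESS_KEY
            and outside_idp_egress(e["sourceIPAddress"])]

def correlate(events):
    # Pair each off-range key use with an earlier off-range secret read that could
    # have supplied the key; eventTime is ISO-8601, so string order is time order.
    return [{"read_by": r["userIdentity"]["arn"], "read_at": r["eventTime"],
             "used_from": u["sourceIPAddress"], "used_at": u["eventTime"],
             "session": u["requestParameters"]["roleSessionName"]}
            for r in suspicious_secret_reads(events)
            for u in suspicious_key_use(events) if u["eventTime"] > r["eventTime"]]
```

The session name alone looks legitimate; it is the source address of the key use and the preceding secret read from an instance role that separate the attacker's session from the provider's.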
Leveraging Vulnerable Applications
Tracing the attack back to its origin revealed that the initial entry point was a misconfigured Kubernetes application. A small security group misconfiguration had inadvertently exposed a vulnerable application to the internet, allowing attackers to gain access to the management pod, and from there launch the rest of this highly damaging attack. This case demonstrates how seemingly minor misconfigurations can lead to major breaches in cloud environments. Moreover, the speed at which the attackers moved—from initial breach to data exfiltration in just a few days—highlights the need for rapid detection and response capabilities in cloud security.
Figure 3: Attack stages revealed in the investigation
Key Takeaways
This case study underscores several critical points for modern cloud security:
- High-speed leak investigation capabilities are a requirement, not a nice-to-have. The similarity between cloud environments makes attacks increasingly automated, so organizations must be prepared to quickly analyze and match data across various formats and sources.
- Comprehensive data mapping and access logging are crucial. Even seemingly non-critical data, like encryption keys or configuration files, can become single points of failure in a security incident.
- Centralizing logging and forensics across cloud services is essential for effective threat detection and response.
- IAM security is paramount in the cloud, with a single compromised credential often leading to devastating consequences. Organizations should prioritize monitoring and managing highly privileged users for potential insider threats or external compromises of sensitive credentials. The growing complexity of cloud environments, coupled with the prevalence of remote work, has increased the risk of both accidental and malicious insider incidents.
Conclusion
As cloud environments become increasingly complex, threat actors are adapting their tactics accordingly. Traditional ransomware attacks are giving way to more sophisticated data exfiltration and extortion strategies. Organizations must stay informed and adaptable, leveraging advanced technologies like AI-driven behavioral analysis and zero trust architectures to defend against these evolving threats.
The future of cloud security will likely see increased adoption of automated incident response systems. However, the human element remains crucial. Organizations that invest in employee education, robust access controls, and continuous monitoring will be better positioned to handle both external threats and potential insider risks.
For a more in-depth look at this case study, please check out my full talk at CloudSec 2024: Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study
Want to learn more about what Wiz can do for your organization? Schedule a personalized demo.