Posted on Cloud Security Incidents & Breaches Security Operations Vulnerability Intelligence

CISA/FBI: CL0P turned MOVEit Transfer into a repeatable mass data-theft pathway via CVE-2023-34362

A joint CISA and FBI advisory details how the CL0P ransomware group (also tracked as TA505) exploited a previously unknown SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer managed file transfer (MFT) product to implant a web shell (“LEMURLOOT”) and exfiltrate data from underlying databases. The advisory frames MOVEit as the latest example of a broader TA505 pattern: targeting internet-facing MFT platforms with zero-day exploits (Accellion FTA in 2020–2021, GoAnywhere MFT in early 2023, and MOVEit in May 2023) to conduct large-scale theft and extortion—often emphasizing data exfiltration over encryption. Read more

Posted on Cloud Security Identity & Governance Incidents & Breaches Security Operations

Microsoft’s Secure Future Initiative: a multi-year, hyperscaler-scale reset on how Microsoft builds and operates security

Microsoft’s Secure Future Initiative (SFI), launched in November 2023, is a multi-year, cross-company program intended to “increasingly secure” how Microsoft designs, builds, tests, and operates its products and services. Microsoft says the first year prioritized security across the company through internal training and substantial engineering investment to reduce risk. SFI is structured around security principles (innovate, implement, guide) and six engineering pillars mapped to Zero Trust principles and the NIST Cybersecurity Framework, signaling a governance-and-engineering approach rather than a point-product response. For global cloud, identity, and security teams, SFI matters because it describes Microsoft’s internal hardening focus areas—identity and secrets, tenant isolation, network segmentation, SDLC/build integrity, unified detection, and faster remediation—that can influence default configurations, platform controls, and operational expectations across Microsoft’s cloud and software ecosystem over time. Microsoft also publishes periodic SFI progress reports (including references to a November 2025 report and earlier updates), indicating the initiative is intended to be measured and iterated in “waves” as threats evolve. Read more

Posted on AI Security Cloud Security Identity & Governance Incidents & Breaches

CrowdStrike publishes RCA for July 2024 “Channel File 291” Windows sensor outage, reframing update resilience as a board-level risk

CrowdStrike released a root-cause analysis (RCA) and executive summary for the July 19, 2024 “Channel File 291” incident, in which a content configuration update delivered via channel files for its Windows sensor triggered a widespread outage. The company says the specific scenario is now incapable of recurring and outlines mitigations and process improvements intended to enhance resilience. CrowdStrike also reported that by July 29, 2024 at 8:00 p.m. EDT, approximately 99% of Windows sensors were back online, which it compares to a typical ~1% week-over-week variance in sensor connections. Read more

Posted on Cloud Security Identity & Governance Incidents & Breaches Security Operations

UNC5537’s Snowflake data-theft campaign made SaaS identity controls a first-order data platform risk

Mandiant (Google Cloud) reported a financially motivated cluster, UNC5537, systematically accessing Snowflake customer instances using stolen credentials—then stealing data and pursuing extortion and resale. Mandiant says it found no evidence the activity originated from a breach of Snowflake’s own enterprise environment; incidents it investigated traced back to compromised customer credentials, often sourced from historical infostealer infections dating to 2020. The campaign’s success, per Mandiant, was strongly associated with missing MFA, long-lived unrotated credentials, and lack of network allow lists—shifting the security conversation from “SaaS breach” to “identity hygiene as data-platform blast radius.” Read more