The Cloud is a Spider Web: But with Broken Threads
Nitesh Surana, Nelson William Gamazo Sanchez
fwd:cloudsec Europe 2025 · Day 1 · Main Room
Nitesh Surana and Nelson William Gamazo Sanchez, cloud threat researchers at Trend Micro, presented a sweeping investigation into two classes of cloud security vulnerabilities: **overly permissive cloud credentials embedded in URL parameters** (specifically Azure SAS tokens) and **universal cloud DNS zone takeovers** — the dangling resource problem applied to cloud service domains. The research resulted in approximately **8,000 subdomain takeover reports** to Microsoft across 10+ Azure services, the discovery of supply chain attack chains involving a signed DLL with embedded storage account keys, and six concrete cases where universal DNS zone takeovers led to immediate or near-immediate remote code execution. The findings span CMS providers, Autodesk Revit plugins, Azure CLI installation via Winget, PowerShell Gallery, Microsoft ML libraries, and Jenkins controllers — demonstrating that this class of vulnerability is pervasive and uniquely dangerous in cloud environments.
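A defender-side check for the first vulnerability class above, added here as an example rather than code from the talk: it parses the query parameters of an Azure Storage SAS URL and flags the grants (mutating permissions, account-wide scope, distant expiry) that should never be found in a shipped binary, config file or build log. The storage account name, sample URLs and sig values are constructed placeholders.

```python
"""Flag overly permissive Azure Storage SAS tokens found in URLs.
Added example, not the speakers' code: parses the SAS query parameters
(sp permissions, se expiry, ss/srt account-SAS scope, sr service-SAS
resource) and reports grants that should never ship in a binary or build
log. Sample URLs are constructed; their sig values are placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Permission letters that can modify or destroy data (Azure SAS permission
# table): w write, d delete, a add, c create, u update, x delete version,
# y permanent delete.
MUTATING = set("wdacuxy")

# Constructed samples: an account SAS with every permission and a far-off
# expiry, and a narrow read-only service SAS on a single blob.
WIDE_OPEN_URL = ("https://examplestorage.blob.core.windows.net/builds/app.dll"
                 "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx"
                 "&se=2099-12-31T23:59:59Z&spr=https&sig=PLACEHOLDER")
READ_ONLY_URL = ("https://examplestorage.blob.core.windows.net/builds/app.dll"
                 "?sv=2022-11-02&sr=b&sp=r&se=2099-12-31T23:59:59Z"
                 "&spr=https&sig=PLACEHOLDER")


def parse_sas(url: str) -> dict:
    """Return the SAS parameters of a URL, or {} if it carries no sig."""
    params = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in params.items()} if "sig" in params else {}


def audit_sas(url: str, now: Optional[datetime] = None, max_days: int = 30) -> list:
    """List findings for one SAS URL; an empty list means nothing flagged."""
    sas = parse_sas(url)
    if not sas:
        return []
    now = now or datetime.now(timezone.utc)
    perms = set(sas.get("sp", ""))
    findings = []
    if perms & MUTATING:
        findings.append("mutating permissions: " + "".join(sorted(perms & MUTATING)))
    if "ss" in sas and "srt" in sas:  # account SAS, not a single-resource grant
        findings.append(f"account SAS over services={sas['ss']} types={sas['srt']}")
    if "se" not in sas:
        findings.append("no expiry (se) parameter")
    else:
        expiry = datetime.fromisoformat(sas["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiries parse as naive datetimes
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > timedelta(days=max_days):
            findings.append(f"expiry {sas['se']} is more than {max_days} days out")
    return findings
```

Run `audit_sas` over every URL pulled from a binary's strings, a repository or CI output; a non-empty result is a credential that needs rotation or narrowing, not just a token that happens to work.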
AI review
A blockbuster research talk that combines two potent attack surfaces — overly permissive SAS tokens in production software and universal DNS zone takeovers — into a devastating portfolio of real-world supply chain attack chains. The signed DLL with embedded storage account keys leading to RCE via Autodesk Revit RFA file exploitation is a masterclass full chain. The 8,000 takeover reports to Microsoft, five cases of direct RCE including Azure CLI binary replacement via Winget, and the observation of CI/CD pipelines still hitting taken-over domains post-fix elevate this to essential viewing…