The Cloud is No Longer Just "Someone Else's Computer" – It's Your Biggest Liability
In 2025, the "Cloud First" strategy has officially matured into a "Cloud Complex" reality. Australian organisations are no longer just migrating to the cloud; they are struggling to contain it.
Our recent offensive security engagements across Sydney and Melbourne have revealed a critical shift in the threat landscape. It is no longer about finding a zero-day exploit in Amazon Web Services (AWS) or Microsoft Azure infrastructure itself. The cloud providers are secure. The way you are using them is not.
According to recent threat intelligence from CyberCX and Unit 42, 80% of cloud breaches in 2025 are driven by misconfigured identities, not software bugs.
This guide dives into the specific, high-risk vulnerabilities our Red Teams are exploiting right now in Australian cloud environments, moving beyond the basics to the "kill chains" that actually lead to data exfiltration.
The Red Team’s "Kill Chain": How We Compromise Clouds
When we are engaged to perform a cloud penetration test or Red Team simulation, we don't look for firewalls. We look for permissions.
Here is a breakdown of the top three attack vectors we are seeing in the field this quarter.
1. AWS: The "Authenticated" S3 Bucket Leak
Everyone knows about public S3 buckets. But in 2025, the real danger is the "Authenticated Users" misconfiguration.
The Vulnerability:
Many developers grant access to the AWS group AllAuthenticatedUsers thinking it means "users in my account." It doesn't. It means anyone with an AWS account anywhere in the world.
From the Red Team Notebook:
"During an engagement for a logistics provider, we scanned for S3 buckets using widely available tools. We found a bucket labelled 'sensitive-contracts' that wasn't public, but allowed `GET` requests from Any Authenticated AWS User. Using our own personal AWS burner account, we simply authenticated ourselves and downloaded 4TB of driver licenses and invoices. The client's scanner showed the bucket as 'Non-Public' (Green), but we emptied it in 20 minutes."
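The check a bucket scanner needs in order to avoid the "Non-Public (Green)" false negative described above, as an added example in Python (not code from the original post). It audits the ACL structure that boto3's `get_bucket_acl()` returns, using a constructed sample ACL; the two group URIs are AWS's real predefined-group identifiers.

```python
"""Audit S3 bucket ACL grants, treating AuthenticatedUsers as public."""
# Added example (not from the original post). Works on the dict shape that
# boto3's s3.get_bucket_acl(Bucket=...) returns; a constructed ACL is embedded
# below so it runs offline.

# AWS predefined groups. Both are effectively the whole internet: anyone can
# open an AWS account, so a grant to AuthenticatedUsers is no access control.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Constructed sample ACL: the only world-wide grant is to AuthenticatedUsers,
# which is exactly what a scanner that only looks for AllUsers marks "Green".
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def naive_is_public(acl: dict) -> bool:
    """The check a weak scanner performs: only AllUsers counts as public."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl.get("Grants", []))


def world_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (group, permission) for every grant to a world-wide group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            findings.append((WORLD_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def is_effectively_public(acl: dict) -> bool:
    """True if anything at all is granted to AllUsers or AuthenticatedUsers."""
    return bool(world_grants(acl))


if __name__ == "__main__":
    print("naive scanner says public:", naive_is_public(SAMPLE_ACL))         # False
    print("effective check says public:", is_effectively_public(SAMPLE_ACL))  # True
    for group, perm in world_grants(SAMPLE_ACL):
        print(f"  {group} granted {perm}")
```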
2. Azure: The Service Principal "God Mode"
Azure (and Entra ID) relies heavily on "Service Principals"—non-human accounts used by apps to talk to resources. These are often the keys to the kingdom.
The Vulnerability:
Developers often assign the Contributor or Owner role to a Service Principal for a DevOps pipeline to make deployment easier. If we find the credentials for that app (often hardcoded in a GitHub repo or a forgotten script), we become the Owner.
From the Red Team Notebook:
"We found a `client_secret` committed to a private repository for a legacy reporting tool. The tool was no longer in use, but the Service Principal was still active in Azure. The account had Global Admin rights. We used this access to create a new 'backdoor' user for ourselves, disabled their conditional access policies, and pivoted from the cloud tenant back into their on-premise domain controller. This is the classic 'Cloud-to-Ground' lightning strike."
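An audit for the Service Principal "God Mode" pattern, added here as an example and not part of the original post. It assumes the field names found in `az role assignment list --all -o json` output and runs on a constructed sample rather than a live tenant.

```python
"""Flag service principals holding privileged Azure RBAC roles."""
# Added example (not from the original post). Assumes the JSON shape produced
# by `az role assignment list --all -o json` (principalName, principalType,
# roleDefinitionName, scope); a constructed sample is embedded so it runs offline.
import json
import re

# Built-in roles that amount to "God Mode" over everything under their scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# A scope that is a whole subscription or management group (no resource group).
BROAD_SCOPE = re.compile(
    r"^/(subscriptions/[^/]+|providers/Microsoft\.Management/managementGroups/[^/]+)$"
)

# Constructed sample: a forgotten reporting tool with Owner on the subscription,
# a pipeline with Contributor on one resource group, and a human Owner.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "legacy-reporting-tool", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "web-deploy-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")


def over_privileged_service_principals(assignments: list[dict]) -> list[tuple[str, str, str]]:
    """Return (principalName, role, severity) for non-human principals holding a
    privileged role. Subscription or management-group scope is CRITICAL: one
    leaked client_secret then controls the whole subscription. Narrower scope is
    HIGH. Human users are skipped: they sit behind MFA and Conditional Access,
    which service principals bypass entirely."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue
        if a.get("roleDefinitionName") not in PRIVILEGED_ROLES:
            continue
        severity = "CRITICAL" if BROAD_SCOPE.match(a.get("scope", "")) else "HIGH"
        findings.append((a["principalName"], a["roleDefinitionName"], severity))
    # CRITICAL findings first so they top the report.
    return sorted(findings, key=lambda f: f[2] != "CRITICAL")


if __name__ == "__main__":
    for name, role, severity in over_privileged_service_principals(SAMPLE_ASSIGNMENTS):
        print(f"{severity}: {name} holds {role}")
```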
3. GCP: The Container Escape (NVIDIAScape & runC)
Google Cloud Platform (GCP) is the home of Kubernetes (GKE). While powerful, containers are not true Virtual Machines: every container on a node shares that node's kernel, so a kernel or runtime flaw reachable from one container puts the whole node at risk.
The Vulnerability:
In 2025, we have seen a rise in "Container Escapes"—specifically exploiting vulnerabilities like NVIDIAScape (CVE-2025-23266) or runC flaws. If a container is running as privileged or has aggressive volume mounts, an attacker can "break out" of the pod and take over the host node.
From the Red Team Notebook:
"A tech unicorn client asked us to test their AI modelling cluster. We found a web-facing container that was vulnerable to a remote code execution (RCE) flaw. Because the container was configured with `privileged: true` to access GPU drivers, we executed a 'breakout' script. This gave us root access to the underlying Node. From there, we accessed the metadata service (metadata.google.internal), stole the node's Identity token, and used it to access every other container in the cluster."
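An added example (not from the original post) that checks a Pod manifest for the settings the breakout above depended on, privileged mode and host mounts, and contrasts it with a hardened manifest that reaches the GPU through the device plugin's `nvidia.com/gpu` resource instead. The image name is a placeholder and the manifests are constructed.

```python
"""Audit a Pod manifest for settings that turn an RCE into a node takeover."""
# Added example (not from the original post). Works on the plain dict form of a
# Pod (yaml.safe_load of the manifest, or kubectl get pod -o json); constructed
# manifests are embedded so it runs offline with no cluster or PyYAML.

# Constructed manifest modelled on the GPU case above: privileged to reach the
# GPU driver, plus a hostPath mount of the node's root filesystem.
GPU_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "inference-api"},
    "spec": {
        "containers": [{
            "name": "api", "image": "registry.example.invalid/inference:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

# The same workload requesting the GPU through the device plugin instead.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "inference-api"},
    "spec": {"containers": [{
        "name": "api", "image": "registry.example.invalid/inference:latest",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"nvidia.com/gpu": 1}},
    }]},
}

# Capabilities that on their own are enough to reach the host from a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def escape_risks(pod: dict) -> list[str]:
    """List every setting that lets a compromised container reach the host."""
    spec = pod.get("spec", {})
    risks = [f"pod shares host {ns[4:]} namespace" for ns in ("hostPID", "hostNetwork", "hostIPC") if spec.get(ns)]
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            risks.append(f"container {c['name']} is privileged")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in DANGEROUS_CAPS:
                risks.append(f"container {c['name']} adds {cap}")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                risks.append(f"container {c['name']} mounts hostPath {host_paths[m['name']]} at {m['mountPath']}")
    return risks
```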
The "Cloud Security Top 5" (2025 Red Team Edition)
Forget the generic lists. Based on our penetration testing data, these are the actual risks that will get you hacked this year:
| Risk Rank | Vulnerability | Why it Matters (Real World Impact) |
|---|---|---|
| #1 | Identity Sprawl (CIEM) | Non-human accounts (bots, service principals, pipelines) now outnumber humans 10:1. They often possess excessive privileges and lack MFA protections. |
| #2 | Secrets Management Failure | Critical credentials (API keys, .pem files, client secrets) stored in plain text within source code, Wiki pages, or Slack channels, allowing instant access. |
| #3 | Shadow Cloud IT | Entire development environments spun up on personal or unmonitored accounts without security oversight, bypassing the WAF and corporate logging. |
| #4 | Serverless Logic Flaws | AWS Lambdas or Azure Functions that allow injection attacks because they blindly trust input data, assuming the "internal" environment is safe. |
| #5 | Misconfigured "Trust" | The assumption that resources inside the VPC are safe. "Zero Trust" is rarely implemented correctly, allowing attackers to pivot laterally once inside. |
Threat Intelligence: What is Targeting Australia?
You aren't just fighting bored teenagers. You are fighting automated syndicates.
Ransomware in the Cloud: Groups like Akira and BlackCat are no longer just encrypting laptops. They are now using stolen cloud credentials to delete cloud backups (snapshots) before launching their encryption, forcing you to pay.
Crypto-Jacking 2.0: Attackers are infiltrating cloud environments not to steal data, but to spin up 10,000 high-CPU instances for mining. The bill lands on your desk at the end of the month—often in the hundreds of thousands of dollars.
Critical Note: Ensure your penetration testing service includes a specific "Cloud Configuration Review" (CSPM). A standard network pentest will not catch an Azure IAM misconfiguration.
Shift Left, Look Right
Securing the cloud requires a dual approach. You must "Shift Left" to catch bad code in the pipeline, but you must also "Look Right"—continuously monitoring the live environment for the inevitable drift.
Your cloud environment changes every day. Your security testing cannot be once a year.
Is your cloud environment actually secure, or just "quiet"?
Contact our Team to schedule a Cloud Configuration Review or Red Team assessment. We will show you exactly what an attacker can see—and what they can steal.
