May 18, 2025 Week Threat Report


Casmer Labs, Cloud Storage Security’s (CSS) internal threat laboratory, monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.

 

Our Q1 threat report anticipated that significant financial losses would result from high-profile data breaches, particularly those caused by misconfigurations, throughout the remainder of the year. Since then, numerous significant security breaches, vulnerabilities, and incidents have been reported and verified by Casmer Labs.

 

Crypto Exchange Heist Results in Millions in Damages

On May 15, 2025, Coinbase, the largest cryptocurrency exchange in the world, reported that it had experienced a major cybersecurity incident in which internal Coinbase employees willingly exfiltrated customer data from Coinbase’s environment. This incident continues the streak of high-profile cybersecurity incidents involving insiders over the past 12 months. The most notable of these was the KnowBe4 incident, in which a North Korean agent using a stolen United States identity was able to land a job at the US-based security awareness training company.


The leaked Coinbase records have been reported to contain the following information:

  • Full names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Partially redacted bank account numbers
  • Partially redacted social security numbers
  • Government identification scans/images
  • Coinbase account balances

 

As with the HipShipper data breach earlier this year, the primary associated risk is that cyber actors could use this information to supplement and extend targeted social engineering schemes, particularly phishing campaigns. Information such as account balances could be used to focus targeting on the customers with the highest possible payoff, and bank account numbers and social security numbers could be used to further “legitimize” scam calls and phishing emails.



To prevent a similar incident from affecting your organization, Cloud Storage Security (CSS) recommends implementing a robust activity monitoring solution that automatically identifies and prevents both internal and external threats. DataDefender by Cloud Storage Security combines traditional anomaly detection, machine learning, and heuristic analysis, and is able to detect exfiltration attempts, even from privileged internal users, alert on the threat, and remove the user’s permissions (if configured) before the breach has completed.


Read our full report on the Coinbase incident here and sign up for the DataDefender beta program today.



New Threats in the Cloud: The “Hazy Hawk” Threat Actor

As reported on May 20 by Ravie Lakshmanan (“Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery”), a threat actor dubbed “Hazy Hawk” has been observed hijacking high-profile domain names in order to deliver malware, execute social engineering schemes, and more.


Since at least December 2023, Hazy Hawk has been confirmed to have successfully attacked:

  • US Centers for Disease Control and Prevention (CDC)
  • Deloitte
  • PwC (PricewaterhouseCoopers)
  • Ernst & Young
  • Various high-profile research universities and institutions

 

It should be noted that hijacking web domains is nothing new and has been carried out en masse for years. Hazy Hawk in particular is notable, and more dangerous, because of its high degree of effectiveness in executing and obfuscating the subsequent hijacking of cloud resources on top of the original DNS compromise.


The attacks start by locating dangling CNAME DNS records, which still point at deprecated or non-existent domains. By locating and “claiming” the abandoned targets of these records, attackers can redirect the domain’s traffic to whatever address they choose. In the case of Hazy Hawk, a carefully curated funnel of malicious content is designed to push users into other scams, social engineering schemes, malware delivery systems, and more.

 

Preventing attacks like Hazy Hawk is relatively simple. CSS, along with other industry experts, recommends that all organizations remove the associated CNAME DNS record as soon as the resource it points to is deprecated. This ensures that attackers have no way to hijack the domain and execute a similar attack.
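The check described above, as an added example that is not Cloud Storage Security’s or Casmer Labs’ code: it parses a BIND-style zone export for CNAME records and flags those whose target no longer resolves. The zone lines, the hostnames and the offline lookup table are all constructed for illustration; swap in `live_resolves` to run it against real DNS.

```python
import socket

# Constructed BIND-style zone export (owner, TTL, class, type, target).
ZONE_EXPORT = """\
www.example.test.      300 IN CNAME example-prod.cdn-provider.test.
old-app.example.test.  300 IN CNAME retired-app.cloudhost.test.
docs.example.test.     300 IN A     192.0.2.10
promo.example.test.    300 IN CNAME campaign2023.storagebucket.test.
"""

# Constructed stand-in for DNS so the example runs offline:
# only this target is assumed to still exist.
KNOWN_LIVE_TARGETS = {"example-prod.cdn-provider.test."}


def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line in the export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            records.append((fields[0], fields[4]))
    return records


def offline_resolves(target):
    """Offline resolver used for the constructed sample data."""
    return target in KNOWN_LIVE_TARGETS


def live_resolves(target):
    """Real resolver: a target that returns NXDOMAIN is dangling."""
    try:
        socket.gethostbyname(target.rstrip("."))
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text, resolves=offline_resolves):
    """Owner names whose CNAME target no longer resolves.

    Each of these is a takeover candidate: delete the record (or repoint
    it) as soon as the underlying resource is decommissioned.
    """
    return [owner for owner, target in parse_cnames(zone_text)
            if not resolves(target)]


if __name__ == "__main__":
    for name in find_dangling(ZONE_EXPORT):
        print(f"dangling CNAME: {name}")
```

A resolvable target can still be claimable (a deleted cloud resource whose provider hostname still answers), so treat an NXDOMAIN sweep as a first pass and reconcile the remaining CNAMEs against the resources your organization actually owns.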

 

More Cloud Data Breaches (But Who’s Counting Anymore?)

According to Cyble, customers of the major cloud providers host more than 660,000 publicly accessible or otherwise exposed buckets containing over 200 billion publicly accessible files and records. The most recent organization to experience a high-profile data breach was US-based recruitment platform HireClick, where over 5.7 million files, primarily resumes, were left publicly accessible due to a misconfigured Amazon S3 bucket.


About Cloud Storage Security

Cloud Storage Security (CSS) offers customers the ability to deploy multi-cloud, multi-account, and multi-resource malware scanning to protect the entirety of their storage suite under one console. Customers choose CSS’ solution because it:

  • Offers flexible scanning models – Scan existing data on a scheduled basis, as data is written to storage repositories, or even before it is written
  • Offers multiple malware scanning engines – Using multiple enterprise-grade engines reduces false positive and false negative rates
  • Is simple to deploy, configure, and live with – Initial deployment can be performed in under 15 minutes. In-console quarantine, one-click setup of scanning for all storage resources, and minimal maintenance can all be handled from the console

Cloud Storage Security (CSS) also provides customers with flat-rate pricing based on cloud spend or number of employees, which allows customers to:

  • Apply malware protection for their entire environment, including Amazon S3, Amazon EFS, Amazon EBS, Amazon FSx, Microsoft Azure Blob Storage, and Google Cloud Buckets
  • Perform periodic rescanning to meet compliance requirements and detect dormant malware

If your organization is interested in learning more about securing its storage resources, get in contact with an SME at cloudstoragesecurity.com/contact or watch an in-depth demo at cloudstoragesecurity.com.

Organizations can also try out the solution for free for 30 days in AWS Marketplace.
