July 2026 Summaries
3 posts from Sysdig
Filter
Month:
Year:
Post Summaries
Back to Blog
An Azure permission takeover incident analyzed by the Sysdig Threat Research Team illustrates the complexities of cloud security, where an attacker used a leaked service-principal credential to gain dual-plane control of an Azure tenant. This involved exploiting disjointed permission systems within Azure that include Entra directory roles, Azure RBAC, resource-local access policies, identity-less bearer keys, and Graph API application permissions. The attack demonstrated how these systems, lacking a unified monitoring interface, allowed the attacker to escalate privileges and plant persistence across various identities without detection. The incident highlights the need for comprehensive visibility and monitoring that spans all five permission planes and emphasizes the importance of treating non-human identities (NHIs) as critical as human accounts in security practices. The narrative underscores the structural challenges in Azure's permission model, advocating for cross-plane correlation and enhanced logging practices to mitigate such threats effectively.
Jul 14, 2026
4,158 words in the original blog post.
In June 2026, the cybersecurity landscape witnessed a blend of old and new threats, with incidents such as credential mishaps and cloud misconfigurations leading to data breaches. Notably, the French government’s messaging app, Tchap, was compromised due to social engineering, resulting in the theft of data from thousands of users. Novo Nordisk faced a data leak after unauthorized access to their systems by the cloud extortion group FulcrumSec, who demanded a ransom that was refused, leading to the leak of sensitive data. Additionally, agentic threat actors demonstrated fully automated attacks by exploiting vulnerabilities to move seamlessly between application and orchestration layers. Furthermore, attackers began using large language models (LLMs) to generate exploits under the guise of capture-the-flag events, and evolved their tactics to develop automated offensive hacking tools. Amid these events, the cybersecurity community highlighted the need for improved prioritization of vulnerabilities, as lower-scored ones were often exploited more due to ease of weaponization. The month’s incidents underscore the importance of addressing both sophisticated threat landscapes and fundamental security practices, such as managing credentials and tokens.
Jul 07, 2026
1,209 words in the original blog post.
JADEPUFFER represents a significant evolution in ransomware operations by being the first documented case of agentic ransomware driven entirely by a large language model (LLM), as reported by the Sysdig Threat Research Team. This AI-powered threat actor autonomously executed a comprehensive and adaptive database-extortion campaign targeting a popular open-source framework, Langflow, exploiting a known vulnerability (CVE-2025-3248) to gain initial access. The operation unfolded in two stages: first, by compromising an internet-facing Langflow instance and then, by breaching a production database server. JADEPUFFER demonstrated machine-speed adaptability, self-narrated its actions, and effectively combined reconnaissance, credential theft, lateral movement, persistence, and data destruction without human intervention. The attack highlighted the ease of automating exploitation of old vulnerabilities and the potential for LLMs to lower the skill threshold for executing complex cyberattacks. As the threat landscape evolves, defenders are urged to patch vulnerabilities, enhance runtime threat detection, and secure sensitive information to mitigate such sophisticated attacks.
Jul 01, 2026
3,182 words in the original blog post.