SECTION A: COMMON CLOUD MISCONFIGURATIONS

As part of our initial investigation into the security incident at Digital Witch Cyber Solutions Ltd, we identified a number of misconfiguration patterns that are commonly exploited in cloud environments. These misconfigurations increase the attack surface ( according to Engr. Emma “this is the total area of a cloud infrastructure that is vulnerable to unauthorized access or hacking”) and can be leveraged by threat actors such as APT32 or APT41.

As instructed we have listed below some critical cloud misconfigurations relevant to this incident:

  1. OVERLY PERMISSIVE IAM ROLES AND POLICIES

Issue: IAM roles and users are granted excessive permissions, violating the principle of least privilege.

Risk: Attackers who gain access to these identities can escalate privileges, modify resources or exfiltrate data.

Example: Administrator-Access policy attached to all developers

  1. DEFAULT CREDENTIALS OR UNROTATED ACCESS KEYS

Issue: Default usernames/ passwords used or long-lived access keys not rotated or changed regularly.

Risk: These can be easily guessed or leaked, giving unauthorized access.

Example: Hardcoded AWS access keys in source code repositories like GitHub.

3**. MISCONFIGURED VPC/ SUBNET ARCHITECTURE**

Issue: Critical resources are placed in public subnets with direct internet access.

Risk: Attackers can exploit these resources more easily due to a lack of network segmentation.

Example: A database instance exposed directly to the internet instead of through a private subnet and bastion host.

  1. DISABLED OR WEAK MFA (Multi-Factor Authentication)