We blow millions on endpoint agents while attackers just weaponize our management consoles and "working as designed" features.
๐ฑ The Native Wiper
Why write malware when MDM does it for you? Attackers wiped 80,000 devices by hijacking a standard admin, creating a backdoor Global Admin, and mashing the remote wipe button in Microsoft Intune. No malware required.
- Tradeoff: Centralized cloud management is a literal doomsday button.
- Guidance: Nuke standing privileges. Enforce FIDO2, gate roles via PIM, and alert on mass `DeviceAction` in Intune logs.
๐ง Exfiltration by Design
The AWS Bedrock Code Interpreter sandbox permits unrestricted outbound DNS. Attackers can chunk data into DNS queries and walk it right out. AWS patched it, broke things, rolled it back, and updated the docs. Behold, a fully documented data leak feature.
- Tradeoff: Sandbox usability ruins data confidentiality.
- Guidance: Ditch Sandbox mode. Move AgentCore to VPC mode to kill outbound DNS, and hunt resolver logs for high-entropy subdomains.
๐๏ธ Just Ask For Admin
Running File Browser? If your default user template has the admin flag checked, the signup handler blindly honors it. Unauthenticated randos can register an account and instantly become global admins. This hands them full control over your storage and arbitrary command execution.
- Guidance: Disable public `signup`. Explicitly set `defaults.perm.admin` to false in the API.