惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
P
Proofpoint News Feed
GbyAI
GbyAI
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Recorded Future
Recorded Future
M
MIT News - Artificial intelligence
罗磊的独立博客
J
Java Code Geeks
月光博客
月光博客
F
Full Disclosure
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
U
Unit 42
WordPress大学
WordPress大学
A
About on SuperTechFans
C
Cyber Attacks, Cyber Crime and Cyber Security
SecWiki News
SecWiki News
Security Latest
Security Latest
C
Check Point Blog
C
CERT Recently Published Vulnerability Notes
小众软件
小众软件
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
B
Blog RSS Feed
V
Visual Studio Blog
博客园_首页
NISL@THU
NISL@THU
I
Intezer
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
The Register - Security
The Register - Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Latest news
Latest news
Project Zero
Project Zero
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
博客园 - 【当耐特】
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threat Research - Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
V
Vulnerabilities – Threatpost
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
雷峰网
雷峰网

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Virtual machines, virtually everywhere – but not all protected
Tomáš Foltýn · 2026-03-25 · via WeLiveSecurity

Business Security

Virtual machines, virtually everywhere – and with real security gaps

Cloud VMs offer unmatched speed, scale and flexibility – all of which could eventually count for little if they’re left to fend for themselves

25 Mar 2026  •  , 7 min. read

Virtual machines, virtually everywhere – and with real security gaps

Twenty years ago, almost to the day, Amazon Web Services (AWS) launched Simple Storage Service (S3). A few months later, the company’s Elastic Compute Cloud (EC2) service opened for public beta testing before rolling out officially in 2008. These events sparked the era of modern on-demand cloud storage and computing that changed how organizations of all sizes think about their IT infrastructure.

Fast-forward to the present and you would be hard-pressed to find many organizations that haven’t ‘lifted and shifted’ at least part of their workloads to the cloud, or aren’t planning to do so soon. Indeed, some now run entirely in the cloud, while many others have paired cloud workloads, often in multi-cloud setups, with on-prem resources that won’t be retired anytime soon.

Of all the things that these organizations have in common, one warrants a closer look: virtual machine (VM) sprawl, or uncontrolled growth of virtual machines that are often left to fend for themselves.

A sprawling problem

Public cloud service providers (CSPs) make provisioning new VMs frictionless by design; after all, this is partly what makes their offering so appealing in the first place. As many admins can attest, a new VM instance can be stood up within moments, but decommissioning it rarely gets the same urgency.

In many companies, especially those with multi-cloud setups involving AWS, Azure, GCP and/or other CSPs, this sprawl results in a growing stockpile of workloads that exist outside security operations. CSPs do provide baseline protections, but the ongoing work falls on the customer. The machines often don’t even receive operating system updates; worse, they’re generally unmonitored and subject to access policies that haven’t changed since the day someone created the instance. This increases the risk that a virtual machine will ‘go rogue’ while remaining under the radar – until it’s too late.

Cloud visibility as such is a persistent problem, as only about 23% of organizations report having a comprehensive view of their cloud footprint. Unchecked growth of assets, including fleets of VMs, is a big part of the problem. The staple attack paths – misconfigured storage buckets and exposed APIs – dominate breach disclosures, in part because they produce public-facing signals. Meanwhile, VM abuse happens more subtly and inside an environment; a managed identity querying cloud storage won’t set off the same alarms as an external IP address attempting to log in.

A recent report by the Cloud Security Alliance (CSA) ranked misconfiguration and inadequate change control as the main threat for cloud resources, followed by identity and access management (IAM) weaknesses. This tracks with the identity-driven nature of cloud workloads, where both the VM itself and what it can access deserves scrutiny. According to Microsoft’s 2024 State of Multicloud Security Report, workload identities assigned to VMs and other non-human resources vastly outnumber human identities, and the gap is only widening as organizations spin up more compute resources.

The reality is rather mundane – say, a machine learning engineer provisions a VM for data processing tasks. The VM is granted an identity but since scoping its permissions in keeping with the principle of least privilege would be too time-consuming, it receives broad read/write access to data storage and other resources. The projects wrap up, but the over-permissioned VMs are ‘left to their own devices.’

cloud-workload-protection

Left to rot

An abandoned VM can do more than ‘collect dust’, however. Since every VM is bound to some form of identity that determines what the workload can access across the environment, forgotten instances may be exploited by bad actors to gain an initial foothold. As VMs in the same virtual private cloud (VPC) or virtual network (VNet) can often talk to each other in the ‘east-west’ direction without much restriction, a VM can probe adjacent instances, reach internal databases or storage endpoints, and exploit whatever permissions it was granted. Far too often, network micro-segmentation turns out to be too daunting a task.

In hybrid environments involving hybrid identities, things can get even more complicated. For example, when on-prem Active Directory is synced with Entra ID, a compromised VM in Azure that’s joined to an Entra ID tenant may be able to reach file shares, databases, applications or other resources that are part of the organization’s core on-prem infrastructure.

Examples of actual attacks involving VMs aren’t hard to come by. In one campaign, attackers moved between AWS EC2 instances over internal Remote Desktop Protocol (RDP), staged hundreds of gigabytes of exfiltrated data across multiple VMs, and unleashed ransomware inside the cloud network. Monitoring did catch the activity, but automated response wasn’t properly set up to stop it and the ransomware deployment went ahead.

Other attackers are exploiting the very ease with which VMs can be spun up. Microsoft has documented a campaign in which compromised Azure accounts were misused to provision short-lived VMs as throwaway attack infrastructure. Since the traffic came from legitimate, Azure-associated IP addresses, the alerts were dismissed as false positives.

Fighting deploy and decay

Chances are that your IT and security teams are small and handle security alongside other IT responsibilities, which has a lot to do with what kind of tooling works at this scale. Security products that rely on deep platform-specific expertise, complex deployment procedures and a number of tools for managing various parts of the IT infrastructure may not fit the bill. They may even miss the part of the sprawl problem that matters most.

Muddying the waters further, what happens when an incident involves identity abuse? An attacker on a rogue VM may not be doing anything that looks suspicious from inside the VM alone when using its identity to access cloud or on-prem resources. Catching the anomaly requires connecting what’s happening on the VM itself to what the VM’s identity is doing across the wider environment. That kind of correlation hinges on integration with identity solutions like Entra ID and Active Directory.

There’s also the question of speed. When a compromised cloud workload can reach on-prem resources through a federated identity chain, the window between initial compromise and serious damage can be short. (Auto)isolating a VM before lateral movement begins needs to happen at any hour. It’s one of the scenarios where AI-driven correlation and runtime detection earn their keep – no one can watch every workload around the clock and respond quickly enough.

Successful incursions cost businesses dearly. According to a recent survey, one in three SMBs reported being hit with substantial fines following a cyberattack. It’s also a reminder that non-compliance may come with direct financial consequences. Regulatory frameworks such as NIST 800-53 and PCI DSS 4.0 are getting more specific about cloud workload security and companies are increasingly expected to ensure that the identities assigned to cloud workloads are scoped appropriately and monitored continuously. Demonstrating access controls on the servers hosting sensitive data isn’t enough when the risk resides at the identity layer.

Meanwhile, IBM’s Cost of a Data Breach 2025 report found that 30 percent of breaches affected data strewn across multiple environments, which shows the problems that organizations face when it comes to defending their assets in various environments. A meaningful share of the resulting cost traces to the length of time between infiltration and detection, also known as dwell time. Organizations that can’t see what’s happening inside their environments tend to discover breaches through ‘external’ signals, such as a customer complaint, by which point the attacker has had weeks or months of access.

Parting thoughts

VMs are one of the oldest and most frequently deployed modern cloud resources. VM sprawl accumulates quietly and often reveals itself after something has gone wrong. The unprotected workloads carry identities and communicate with one another and with on-prem resources in traffic patterns that not all security controls can observe and catch.

For starters, every organization needs to inventory its VM fleets across all cloud platforms, review the permissions attached to the identity of each VM, and audit their settings for unnecessary ‘east-west’ and ‘north-south’ openness. Good fences make for good neighbors, as the saying goes.

For organizations running workloads across cloud and on-prem environments, the question is whether their security tooling can keep an eye on VMs with the same rigor as applied to the endpoints on employee desks and other parts of their infrastructure. Only then can they see the full picture and secure their data across various environments.