{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vm-sprawl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cloud","vm-sprawl","identity-abuse"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe increasing adoption of cloud services has led to a phenomenon known as \u0026ldquo;VM sprawl,\u0026rdquo; where organizations experience uncontrolled growth in the number of virtual machines (VMs) provisioned across multiple cloud providers such as AWS, Azure, and GCP. This often results in VMs being left unmonitored, unpatched, and with overly broad access permissions. While cloud service providers (CSPs) offer baseline security, maintaining the ongoing security posture of these VMs falls to the customer. This creates significant security gaps, as attackers can exploit these neglected VMs to gain an initial foothold, move laterally within the cloud environment, exfiltrate data, or even deploy ransomware. Microsoft\u0026rsquo;s 2024 State of Multicloud Security Report highlights the increasing number of workload identities assigned to VMs, further exacerbating the risk. The lack of comprehensive cloud visibility, with only 23% of organizations reporting a complete view of their cloud footprint, makes it challenging to detect and respond to these threats effectively.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA machine learning engineer provisions a new VM in the cloud for data processing tasks.\u003c/li\u003e\n\u003cli\u003eThe VM is assigned a workload identity with overly broad read/write access to data storage and other resources, neglecting the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eThe project concludes, but the VM remains active and unmonitored, with its initial, excessive permissions intact.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises the neglected VM, exploiting its lack of patching and weak security configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the VM\u0026rsquo;s existing identity to probe adjacent instances within the same virtual network (VNet) or virtual private cloud (VPC) using east-west traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal databases or storage endpoints, exploiting the VM\u0026rsquo;s over-permissioned identity.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other VMs via internal Remote Desktop Protocol (RDP), staging data for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware across the cloud network, impacting critical workloads and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised and neglected VMs in cloud environments can lead to significant financial and reputational damage. Attackers can exfiltrate sensitive data, deploy ransomware, disrupt critical business operations, and incur substantial fines due to non-compliance with regulatory frameworks like NIST 800-53 and PCI DSS 4.0. IBM\u0026rsquo;s Cost of a Data Breach 2025 report found that 30% of breaches affected data across multiple environments, demonstrating the wide-ranging impact of inadequate cloud security. The dwell time, or the time between initial infiltration and detection, is significantly longer for organizations lacking visibility into their cloud environments, leading to increased costs and damage. According to a recent survey, one in three SMBs reported being hit with substantial fines following a cyberattack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement a comprehensive VM inventory across all cloud platforms to identify and track all active virtual machines. Reference: \u0026ldquo;every organization needs to inventory its VM fleets across all cloud platforms\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eConduct regular reviews of permissions attached to VM identities, ensuring adherence to the principle of least privilege to minimize the blast radius of potential compromises. Reference: \u0026ldquo;review the permissions attached to the identity of each VM\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network micro-segmentation to restrict east-west traffic between VMs, limiting lateral movement opportunities for attackers. Reference: \u0026ldquo;audit their settings for unnecessary ‘east-west’ and ‘north-south’ openness\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnable and tune process creation logging on cloud VMs to detect unusual or unauthorized processes. This can be achieved via native cloud tooling or third-party endpoint detection and response (EDR) solutions. Reference: \u0026ldquo;security tooling can keep an eye on VMs with the same rigor as applied to the endpoints on employee desks\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:00:00Z","date_published":"2026-03-25T10:00:00Z","id":"/briefs/2024-05-vm-sprawl/","summary":"Uncontrolled growth of virtual machines (VM sprawl) in cloud environments allows attackers to exploit unmonitored VMs with overly permissive access for lateral movement, data exfiltration, and ransomware deployment.","title":"Uncontrolled VM Growth Leading to Security Gaps in Cloud Environments","url":"https://feed.craftedsignal.io/briefs/2024-05-vm-sprawl/"}],"language":"en","title":"CraftedSignal Threat Feed — Vm-Sprawl","version":"https://jsonfeed.org/version/1.1"}