Jessica Entwistle
December 3 2025
Today’s cyber activity highlights three areas organisations must stay ahead of: newly identified weaknesses in cloud identity pathways, shifts in ransomware behaviour towards data extortion, and renewed concerns about supplier assurance gaps across UK sectors. Together they show how attackers continue to exploit the spaces between technology, human behaviour and governance.
Multiple security researchers have raised concern over recurring identity misconfigurations observed across major cloud environments during recent investigations. These include overly permissive service roles, legacy access tokens that were never revoked, and automated workflows running with broader privileges than required.
While none of the issues constitute a single critical flaw, the pattern is what matters. Attackers increasingly chain small identity weaknesses together to escalate privileges and move laterally within cloud estates. In several recent cases, organisations believed they were secure because individual permissions appeared low risk. However, once those permissions were combined across inherited policies, shadow automation and dormant accounts, attackers gained meaningful access to sensitive systems.
The challenge is amplified in hybrid environments where historic on-premises identities are synced with cloud services, often carrying legacy permissions that no longer match modern security requirements. As businesses continue to expand cloud usage, the identity layer remains the most common pressure point and the easiest path for silent compromise.
Why it matters
Identity compromise is now more impactful than most technical vulnerabilities. Organisations should enforce least privilege, validate all long-lived tokens, and continuously monitor role inheritance across cloud and hybrid environments.
Source
Cloud identity security assessments
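As an added illustration of the chained-weakness pattern described above (not code from the original briefing or any named source), the following Python audit resolves role inheritance in a constructed, hypothetical identity inventory to surface wildcard grants a role only holds through a parent role, and flags dormant long-lived tokens. The data model, role names and token records are assumptions made for the example.

```python
# Added example: audit a constructed identity inventory for the weaknesses
# described above. The data model is hypothetical, not any provider's API.
from datetime import date

# Constructed inventory: each role lists its direct actions and the parent
# roles it inherits from. Wildcards model "overly permissive" grants.
ROLES = {
    "reader":     {"actions": {"storage:get", "storage:list"}, "inherits": []},
    "deployer":   {"actions": {"compute:deploy"}, "inherits": ["reader"]},
    "legacy-ops": {"actions": {"iam:*"}, "inherits": []},
    "ci-runner":  {"actions": {"compute:deploy"}, "inherits": ["deployer", "legacy-ops"]},
}

# Constructed long-lived tokens with the role they carry and their last use.
TOKENS = [
    {"id": "tok-1", "principal": "ci", "role": "ci-runner", "last_used": date(2023, 2, 1)},
    {"id": "tok-2", "principal": "alice", "role": "reader", "last_used": date(2025, 12, 2)},
]

def effective_actions(role, roles=ROLES, seen=None):
    """Resolve the full action set a role holds after following inheritance.
    'seen' guards against cycles in mis-modelled policies."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    actions = set(roles[role]["actions"])
    for parent in roles[role]["inherits"]:
        actions |= effective_actions(parent, roles, seen)
    return actions

def inherited_wildcards(role, roles=ROLES):
    """Wildcard grants a role obtains only through inheritance: the case
    where each direct grant looks low-risk but the chain is not."""
    direct = {a for a in roles[role]["actions"] if a.endswith("*")}
    return {a for a in effective_actions(role, roles) if a.endswith("*")} - direct

def dormant_tokens(tokens=TOKENS, today=date(2025, 12, 3), max_age_days=90):
    """Long-lived tokens unused for more than max_age_days: revocation candidates."""
    return [t["id"] for t in tokens if (today - t["last_used"]).days > max_age_days]

def audit(roles=ROLES, tokens=TOKENS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name in roles:
        for w in sorted(inherited_wildcards(name, roles)):
            findings.append(f"{name}: inherits wildcard grant {w}")
    for tok in dormant_tokens(tokens):
        findings.append(f"{tok}: dormant long-lived token")
    return findings
```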
Over the last 48 hours, threat intelligence teams have observed a rise in ransomware groups abandoning encryption in favour of pure data theft and extortion. This approach allows attackers to move faster, avoid noisy encryption activity and pressure victims using the threat of publication rather than disruption.
Recent cases show attackers using lightweight intrusion paths, such as stolen credentials or unpatched external systems, to rapidly exfiltrate data before defenders detect unusual activity. They then issue short-deadline demands accompanied by sample datasets to increase credibility. Because no encryption takes place, traditional ransomware indicators are absent, making early detection far more challenging.
This shift aligns with a broader trend where criminal groups prioritise profit over technical complexity. Data theft is quicker, cheaper to run and harder for organisations to respond to when monitoring is incomplete, and backups offer no protection against the reputational implications of leaked data.
Why it matters
Prevention and detection must extend beyond encryption-focused controls. Organisations should strengthen outbound data monitoring, enforce least privilege and ensure rapid investigation of credential anomalies.
Source
Ransomware and extortion trend reporting
A new cross-sector review shared within the last day highlights persistent weaknesses in supplier assurance across UK organisations. Many businesses continue to rely on outdated security questionnaires, incomplete risk scoring and inconsistent follow-up processes for high-impact third parties.
The review found that even when organisations classify a supplier as critical, only a minority conduct meaningful verification of security controls or request evidence of configuration and identity maturity. In several incidents examined, attackers gained access not by breaching the primary organisation, but by compromising a supplier with broad integration permissions or remote tooling.
The findings emphasise that supplier ecosystems are now so interconnected that a single weak link can impact thousands of downstream organisations. Without continuous assurance and ongoing validation, supplier trust becomes assumed rather than earned.
Why it matters
Supplier risk is business risk. Organisations should prioritise assurance for high-impact providers, mandate stronger evidence of controls and implement continuous monitoring for remote access and integration points.
Source
UK supplier risk and assurance reviews
Attackers increasingly target the hidden layers of an organisation’s environment: identity sprawl, overly trusted suppliers and blind spots in monitoring. By tightening governance, validating access pathways and strengthening detection, organisations can significantly reduce their exposure and operate with greater confidence in a complex landscape.