
Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs

Cybersecurity News, Jun 11, 2026



By Tushar Subhra Dutta, June 11, 2026

Cloud environments have quietly become one of the most targeted areas in modern cybersecurity. As organizations shift to the cloud, the services that track activity inside those environments have become a top priority for attackers. Logging services, which record every action taken within a cloud account, are now being weaponized against the very teams that depend on them. When these records are tampered with or rerouted, security teams lose their clearest window into what is happening inside their own infrastructure.

AWS CloudTrail and Google Cloud Logging are two of the most widely used services of this kind. Both are designed to give organizations a full picture of activity across their cloud environments, recording API calls, resource changes, and user actions in real time. But that same depth of visibility makes them a high-value target. An attacker who can interfere with these logs can move undetected, erase evidence of their activity, or quietly watch everything the victim does without being noticed.

Researchers from Unit 42 identified and documented these attack methods in a report shared with Cyber Security News (CSN), breaking down how attackers target cloud logging in two distinct ways. The first is defense evasion, where attackers disable or corrupt logs to avoid detection. The second is continuous visibility, where attackers redirect logs to their own infrastructure to silently monitor a victim's cloud environment over time.

The scale of damage is significant. Tools like SIEM platforms, SOAR systems, and cloud security posture management products all depend on clean, uninterrupted log data to function. If those logs are missing, altered, or rerouted, those tools go blind. An attacker operating in that silence can take their time, escalate privileges, and access sensitive data while facing almost no resistance from security teams.

Hackers Abuse AWS CloudTrail and Google Cloud Logging

Defense evasion through cloud logging takes several forms. The most direct method is stopping the logging process entirely. In AWS, an attacker with the right permissions can call the stop-logging API on a specific trail, halting all log writes to the connected S3 bucket immediately. In Google Cloud, the equivalent is disabling a sink, which stops log entries from reaching their destination.

[Image: Message confirming suspension of logs (Source – Unit42)]

Beyond stopping logs, attackers can delete the storage bucket entirely. In AWS, this requires the s3:DeleteBucket and s3:DeleteObject permissions. In Google Cloud, a deleted log bucket enters a DELETE_REQUESTED state for seven days before permanent removal.

A subtler approach involves swapping the encryption key protecting the logs for an attacker-controlled KMS key, then revoking access to that key, which makes the logs impossible to write or read.

[Image: Disabling access to the KMS key results in a "Bucket access denied" error (Source – Unit42)]

The fifth method is log poisoning, where an attacker edits a log file to remove evidence of their activity and re-uploads it, invalidating the audit trail.

Attackers Reroute Logs for Real-Time Spy Access

Once inside a victim environment, sophisticated attackers do not just destroy logs. They redirect them: by creating a new routing resource or modifying an existing one, they send all activity logs to storage they control. In AWS, this is done with the create-trail or update-trail API and a custom bucket name. In Google Cloud, the logging.sinks.create or logging.sinks.update API achieves the same result. From that point on, the attacker receives a live feed of everything happening in the victim's account, from IAM changes to sensitive data access, all without the victim knowing.

To reduce exposure, AWS users should restrict the update-trail API to highly privileged users and lock S3 bucket policies so that only CloudTrail can write to them. AWS also maintains a 90-day immutable event history that cannot be altered. In Google Cloud, teams should restrict the logging.sinks.update permission tightly. The built-in _Required log bucket provides an immutable record that cannot be modified or deleted. Enabling CloudTrail log file integrity validation is also critical, as it uses cryptographic checks to detect whether log files were changed after delivery.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
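The AWS-side techniques above (stop-logging, trail rerouting via update-trail, KMS key swap, log bucket deletion, log re-upload) all leave CloudTrail management or S3 data events behind, which is what the mitigations in the last paragraph rely on. The following detector is an added example, not code from the article or from Unit 42: it runs over constructed CloudTrail-shaped records, and the bucket allow-list, account id and key ARNs are hypothetical.

```python
# Added example (not from the article or Unit 42): flag CloudTrail records that match
# the log-tampering patterns described above. Sample records are CONSTRUCTED.
APPROVED_LOG_BUCKETS = {"corp-cloudtrail-logs"}  # assumption: defender-kept allow-list
OWN_ACCOUNT = "111122223333"                     # constructed account id

def classify(rec):
    """Return a finding for one CloudTrail record, or None if it looks benign."""
    src, name = rec.get("eventSource"), rec.get("eventName")
    params = rec.get("requestParameters") or {}
    who = rec.get("userIdentity") or {}
    if src == "cloudtrail.amazonaws.com":
        if name in ("StopLogging", "DeleteTrail"):
            return f"{name} on trail {params.get('name')}: logging halted (defense evasion)"
        if name in ("CreateTrail", "UpdateTrail"):
            bucket = params.get("s3BucketName")
            if bucket and bucket not in APPROVED_LOG_BUCKETS:
                return f"{name} reroutes trail {params.get('name')} to unapproved bucket {bucket}"
            key = params.get("kmsKeyId", "")
            # KMS ARN layout: arn:aws:kms:<region>:<account>:key/<id>; a foreign account id
            # means the trail would be encrypted under a key the victim does not own
            if key.startswith("arn:aws:kms:") and key.split(":")[4:5] != [OWN_ACCOUNT]:
                return f"{name} re-encrypts trail {params.get('name')} with foreign KMS key"
    if src == "s3.amazonaws.com" and params.get("bucketName") in APPROVED_LOG_BUCKETS:
        if name in ("DeleteBucket", "DeleteObject"):
            return f"{name} on log bucket {params['bucketName']}: evidence destruction"
        # CloudTrail's own deliveries carry invokedBy=cloudtrail.amazonaws.com; any other
        # principal writing into the log bucket is a log-poisoning (re-upload) candidate
        if name == "PutObject" and who.get("invokedBy") != "cloudtrail.amazonaws.com":
            return f"PutObject to {params['bucketName']} by {who.get('arn')}: possible log poisoning"
    return None

def detect(records):
    """Run classify() over a batch and return (eventID, finding) pairs."""
    return [(r["eventID"], f) for r in records if (f := classify(r))]

SAMPLE = [  # constructed, trimmed records (not real log data)
    {"eventID": "e1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "org-trail"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "s3BucketName": "attacker-drop-bucket"}},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "kmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/abcd"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs"}},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs"}, "userIdentity": {"invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventID": "e6", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "s3BucketName": "corp-cloudtrail-logs"}},
]

if __name__ == "__main__":
    for eid, finding in detect(SAMPLE):
        print(eid, finding)
```

Records e5 (CloudTrail's own delivery) and e6 (an update that keeps the approved bucket) are left unflagged, so the rules key on where logs go and who writes them rather than on the API name alone.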