Hackers Abuse Cloud Logging Services to Evade Detection and Defender’s Visibility
By Abinaya
June 17, 2026
Threat actors are increasingly targeting cloud logging services to evade detection and maintain persistent visibility into compromised environments, according to recent research by Palo Alto Networks Unit 42.
These services, designed as a critical security layer, are now being weaponized to create blind spots in cloud infrastructure.
Cloud logging platforms such as AWS CloudTrail and Google Cloud Logging serve as the primary source of truth for tracking activity across cloud environments.
Security teams rely heavily on these logs to power SIEM, SOAR, and CSPM tools. However, attackers who gain sufficient permissions can manipulate these systems to disrupt visibility or even exfiltrate logs for their own monitoring.
Researchers categorize these attacks into two primary tactics: defense evasion and continuous visibility. In defense evasion scenarios, attackers focus on disabling or tampering with logging mechanisms to avoid detection.
One of the most straightforward techniques involves stopping log collection entirely. In AWS, adversaries holding the cloudtrail:StopLogging permission can halt logging with a single API call, instantly blinding monitoring systems.
Similarly, in Google Cloud, attackers can disable logging sinks using the logging.sinks.update permission.
Another common technique is deleting log storage destinations. For example, attackers with s3:DeleteBucket permissions can remove CloudTrail log buckets, erasing forensic evidence.
Impair logging via attacker-controlled encryption key attack flow in AWS (source: Palo Alto Networks Unit 42)
In Google Cloud, log buckets can also be deleted, but they enter a delayed-deletion state, providing a limited recovery window.
More advanced attackers may impair logging by manipulating encryption keys. If an attacker replaces the legitimate AWS KMS key that encrypts a trail's logs with an attacker-controlled key and then revokes access to it, the logs become unreadable or fail to be written at all.
A similar attack is possible in Google Cloud using customer-managed encryption keys (CMEK), effectively locking defenders out of their own logs.
Log poisoning is another stealthy technique. Attackers with object-level access can download, modify, and re-upload log files stored in services like Amazon S3, compromising data integrity and misleading incident response teams.
Beyond evasion, attackers are also leveraging logging systems for continuous visibility. Instead of triggering alerts with active reconnaissance, adversaries can configure new log routing mechanisms to send copies of logs to attacker-controlled environments.
In AWS, this involves creating new CloudTrail trails pointing to external S3 buckets, while in Google Cloud, attackers abuse logging sinks to redirect logs.
Log redirection is particularly dangerous, as it silently streams real-time activity data, including IAM changes, VM deployments, and data access events, to threat actors.
The outcome of an inaccessible encrypted key (source: Palo Alto Networks Unit 42)
This enables long-term surveillance and strategic lateral movement without raising immediate alarms. The impact of these techniques ranges from loss of visibility to covert persistence and data exfiltration, Palo Alto Networks Unit 42 said.
For example, stopping logging results in total monitoring failure, while log redirection enables attackers to maintain ongoing insight into victim environments.
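One way a defender can surface the two tactics described above (impairment and redirection) from CloudTrail and Google Cloud Audit Logs records. This is an added illustration, not Unit 42's code: the allowlists, the handful of fields it matches on, and the sample records are constructed for the example.

```python
"""Flag audit records matching the logging-impairment and log-redirection tactics above.
Added illustration, not Unit 42's code; allowlists, field names and sample records are constructed."""
import json

KNOWN_TRAIL_BUCKETS = {"corp-cloudtrail-logs"}                         # constructed allowlists
KNOWN_SINK_DESTINATIONS = {"storage.googleapis.com/corp-log-archive"}
# CloudTrail management events that stop/delete logging or blind it via its S3 bucket or KMS key.
AWS_IMPAIR = {"StopLogging", "DeleteTrail", "DeleteBucket", "DisableKey", "ScheduleKeyDeletion"}
AWS_REDIRECT = {"CreateTrail", "UpdateTrail"}                          # can re-point a trail

def classify_aws(rec):
    """Return 'impair', 'redirect' or None for one CloudTrail record."""
    name = rec.get("eventName")
    if name in AWS_IMPAIR:
        return "impair"
    if name in AWS_REDIRECT:
        bucket = (rec.get("requestParameters") or {}).get("s3BucketName")
        if bucket and bucket not in KNOWN_TRAIL_BUCKETS:   # trail pointed at a bucket we do not own
            return "redirect"
    return None

def classify_gcp(entry):
    """Return 'impair', 'redirect' or None for one Cloud Audit Logs entry."""
    proto = entry.get("protoPayload", {})
    method = proto.get("methodName", "")
    if method.endswith(("DeleteSink", "DeleteBucket")):
        return "impair"
    if method.endswith(("CreateSink", "UpdateSink")):
        sink = proto.get("request", {}).get("sink", {})
        if sink.get("disabled"):                            # disabled sink: the StopLogging analogue
            return "impair"
        if sink.get("destination") not in KNOWN_SINK_DESTINATIONS:
            return "redirect"                               # a copy of the logs now leaves our control
    return None

def scan(lines):   # parse newline-delimited JSON records; return (provider, verdict, operation) per hit
    hits = []
    for line in lines:
        rec = json.loads(line)
        if "protoPayload" in rec:
            hit = ("gcp", classify_gcp(rec), rec["protoPayload"].get("methodName"))
        else:
            hit = ("aws", classify_aws(rec), rec.get("eventName"))
        if hit[1]:
            hits.append(hit)
    return hits

SAMPLE_LINES = [   # constructed: a benign read, StopLogging, a trail to a foreign bucket, a re-pointed sink
    '{"eventName": "DescribeTrails"}',
    '{"eventName": "StopLogging", "requestParameters": {"name": "corp-trail"}}',
    '{"eventName": "CreateTrail", "requestParameters": {"s3BucketName": "unrelated-bucket"}}',
    '{"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink", '
    '"request": {"sink": {"destination": "pubsub.googleapis.com/projects/other-org/topics/t"}}}}',
]
```

Running `scan(SAMPLE_LINES)` yields three hits and ignores the benign DescribeTrails read; a real deployment would feed it the raw trail or sink export rather than these inline strings.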
To mitigate these risks, organizations must enforce strict access controls on logging resources. Critical permissions such as update-trail, logging.sinks.update, and storage modifications should be restricted to highly privileged roles.
Enabling integrity validation features, such as AWS CloudTrail log file validation, can help detect tampering.
Cloud providers also offer built-in safeguards. AWS maintains a 90-day immutable event history for management actions, while Google Cloud provides system-created log buckets that cannot be altered or deleted. However, these protections may not cover all logging scenarios, particularly in custom configurations.
Organizations must treat log pipelines as critical assets and implement layered defenses to ensure visibility is not compromised during an attack.