# Unit 42 Cloud Research Coming Up in Vegas: Must-see talks at Black Hat, DEF CON and Cloud Village

By [Ariel Zelivansky](https://www.paloaltonetworks.com/blog/author/ariel-zelivansky/?ts=markdown "Posts by Ariel Zelivansky"), Jul 26, 2022

## Overview

As part of our continued commitment to improving public cloud security for everyone, Unit 42 Cloud Researchers study cloud technology with the aim of identifying new risks and threats in the cloud. Over the past year, Unit 42 discovered multiple vulnerabilities in public cloud infrastructure, caught previously unknown threat actors, and identified insecure misconfigurations. We collaborated with multiple cloud vendors to mitigate these risks and keep cloud users safe.

This August, our researchers are coming to Vegas to present and discuss our latest findings at security conferences. Join us in the following sessions:

| Session | Speaker, event and time |
|---------|-------------------------|
| [Kubernetes Privilege Escalation: Container Escape == Cluster Admin?](https://www.blackhat.com/us-22/briefings/schedule/#kubernetes-privilege-escalation-container-escape--cluster-admin-26344) | Yuval Avrahami and Shaul Ben Hai @ Black Hat USA 2022, Thursday, August 11, 11:20 AM PDT |
| [The Journey From an Isolated Container to Cluster Admin in Service Fabric](https://forum.defcon.org/node/242285) | Aviv Sasson @ DEF CON 30, Sunday, August 14, 1:00 PM PDT |
| [Cloud Threat Actors: No Longer Cryptojacking for Fun and Profit](https://skytalks.info/) | Nathaniel Quist @ DEF CON 30 Skytalks, Friday, August 12, 3:00 PM PDT |
| [Who Contains the "Serverless" Containers?](https://cloud-village.org/#talks?collapseDanielPrizmant) | Daniel Prizmant @ DEF CON 30 Cloud Village, Saturday, August 13, 10:40 AM PDT |
| [Deescalate the Overly-permissive IAM](https://cloud-village.org/#talks?collapseJayChen2) | Jay Chen @ DEF CON 30 Cloud Village, Sunday, August 14, 12:10 PM PDT |
| [A Ransomware Actor Looks at the Clouds: Attacking in a Cloud-Native Way](https://cloud-village.org/#talks?collapseJayChen) | Jay Chen @ DEF CON 30 Cloud Village (Lightning Talks), Friday, August 12, 12:10 PM PDT |

### Read on to get more information about what to expect during each of these talks

## **Microsoft Collaboration to Mitigate FabricScape**

In January of this year, Cloud Researcher Aviv Sasson discovered an important vulnerability in Service Fabric, an infrastructure for application hosting on containers and virtual machines, commonly used in Azure services. The vulnerability would enable attackers in Linux containers to escalate their privileges to root on the host node, and potentially compromise all of the nodes in the cluster.

Over the past months, we worked closely with the Microsoft Security Response Center (MSRC) and Microsoft teams to remediate this issue. In June, a joint disclosure of FabricScape (CVE-2022-30137) was published on the [Palo Alto Networks blog](https://www.paloaltonetworks.com/blog/2022/06/fabricscape/) and by the [Microsoft Security Response Center](https://msrc-blog.microsoft.com/2022/06/28/azure-service-fabric-privilege-escalation-from-containerized-workloads-on-linux/).

Aviv will present the full details of his findings, their impact, and mitigations in his DEF CON 30 session on August 14, 1:00 PM PDT.

## **Kubernetes: Trampoline Pods**

Earlier this year, Unit 42 Cloud Researchers Yuval Avrahami and Shaul Ben Hai published "[Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms](https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms)", a white paper that demystifies Kubernetes privilege escalation and examines the exploitability of different attack techniques across popular Kubernetes platforms.

Kubernetes usage has grown significantly in recent years. This growth in popularity has attracted threat actors to target Kubernetes. For example, Unit 42 tracked campaigns targeting Kubernetes environments.

In their research, Yuval and Shaul explore whether a single container breakout allows an attacker to take over an entire Kubernetes cluster. The answer to this question differs between Kubernetes platforms and managed services, as well as specific configurations and add-ons. In pursuit of an answer, Yuval and Shaul explore old and new Kubernetes privilege escalation techniques.

One outcome of their research is an open-source tool they released under the name [rbac-police](https://github.com/PaloAltoNetworks/rbac-police), which identifies risky RBAC permissions of serviceAccounts, pods and nodes in a Kubernetes cluster.

Yuval and Shaul will present their findings at Black Hat USA 2022 on August 11, 11:20 AM PDT.

## **IAM Security and Cloud Threat Actors**

In the latest [Cloud Threat Report, dubbed "IAM: The first line of defense"](https://www.paloaltonetworks.com/resources/research/unit-42-cloud-threat-report-volume-6), Unit 42 Cloud Researchers share the results of analyzing 680,000 identities in 18,000 cloud accounts from over 200 organizations. Our findings suggested that the majority of cloud identities used by organizations are overly permissive. For example, permissions that were granted to many identities remained unused for over 60 days, posing a security risk.

Cloud Researcher Jay Chen will discuss these findings on public cloud IAM security in his session at DEF CON 30 Cloud Village. Jay will also present a lightning talk in this village on ransomware actors using cloud-native techniques.

In addition to researching the status of IAM security, in the Cloud Threat Report we published the first [Cloud Threat Actor Index](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six), listing threat actors that are specifically targeting cloud environments. We detailed the techniques and targets of the five top threat actors we identified attacking the cloud.

Nathaniel Quist will share more about the process of discovering these threat actors and their evolving cloud operations, from cryptojacking to the direct targeting of IAM credentials, in his DEF CON 30 SkyTalks session.

## **Serverless Security**

For the past few months, Daniel Prizmant has been researching the security of serverless technologies in depth. That means understanding how they are built, how they are secured, and what their possible attack surfaces are.

In his DEF CON 30 Cloud Village talk, Daniel plans to discuss new findings on how he managed to bypass the first line of defense in Azure Serverless, and what security measures might prevent malicious actors from escalating an attack.

## **See You Soon**

The defined mission of the Prisma Cloud research team is to make the cloud safe. This entails continuously attempting to find threat actors targeting the cloud, understanding the attack surfaces of cloud technologies and discovering new vulnerabilities in cloud infrastructure.

We look forward to sharing our recent findings with the community and learning from the excellent sessions in the upcoming [Black Hat](https://www.blackhat.com/us-22/) and [DEF CON](https://defcon.org/) events.