The biggest week of the quarter. Security Hub Extended Plan GA with 14+ partners, LexisNexis AWS breach exposes 2 GB of data, three AWS-LC cryptographic library CVEs, and VPC Encryption Controls move to paid pricing.
AWS launches the Security Hub Extended Plan, offering curated partner solutions from CrowdStrike, Okta, SailPoint, Splunk, Zscaler, Noma, Proofpoint, and others. Pay-as-you-go or flat-rate pricing, single billing, consolidated support. Security Hub is evolving from a finding aggregator into a full security operations platform.
Threat actor FulcrumSec exploited the React2Shell vulnerability in an unpatched React frontend to breach LexisNexis AWS infrastructure. Exfiltrated approximately 2.04 GB including 536 Redshift tables, 53 plaintext Secrets Manager secrets, 3.9M database records, and 21K customer accounts. Data was primarily legacy/deprecated pre-2020 information. Initial access came through the React flaw; the blast radius came from an overprivileged ECS task role whose credentials, obtainable from inside the compromised container, granted access to Secrets Manager and the databases.
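To make the least-privilege point concrete, here is an added example (constructed for this digest, not LexisNexis' policy and not an AWS tool): a task-role policy of the wildcard kind that turns a container compromise into a data breach, the same role scoped to one secret and one Redshift cluster, and a small evaluator that shows what each grants. The account ID, region, secret and cluster names are placeholders; the evaluator approximates IAM wildcard matching and ignores Deny statements and conditions.

```python
"""Least-privilege check for an ECS task role policy (added example)."""
import fnmatch
import json

# Constructed: a task role that can read every secret and touch every Redshift cluster.
OVERPRIVILEGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["redshift:*", "redshift-data:*"], "Resource": "*"},
    ],
})

# Constructed: the same task scoped to the resources it actually needs.
# Account id 111122223333, region and resource names are placeholders.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-password-*",
        },
        {
            "Effect": "Allow",
            "Action": ["redshift-data:ExecuteStatement", "redshift-data:GetStatementResult"],
            "Resource": "arn:aws:redshift:us-east-1:111122223333:cluster:app-cluster",
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy_json, action, resource):
    """True if any Allow statement matches both the action and the resource ARN.

    Action matching is case-insensitive (as in IAM); resource matching is
    case-sensitive. Only '*' and '?' wildcards are modelled; Deny statements
    and Condition blocks are deliberately not evaluated."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def wildcard_findings(policy_json):
    """Flag Allow statements that pair a service-wide action wildcard with Resource '*'."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: {actions} on Resource '*'")
    return findings


if __name__ == "__main__":
    own = "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-password-AbCdEf"
    other = "arn:aws:secretsmanager:us-east-1:111122223333:secret:billing/api-key-XyZ123"
    for name, pol in [("overprivileged", OVERPRIVILEGED_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name,
              "own secret:", allows(pol, "secretsmanager:GetSecretValue", own),
              "other secret:", allows(pol, "secretsmanager:GetSecretValue", other),
              "findings:", wildcard_findings(pol))
```

The overprivileged document lets the task read any secret in the account, which is exactly the blast radius described above; the scoped document still serves the application but fails the lookup for every other secret. Run the wildcard check against the policies attached to your task roles (for example via `aws iam get-role-policy`) before trusting a container with them.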
VPC Encryption Controls transitioned from free preview to paid feature at $0.15/hour per non-empty VPC in us-east-1 (varies by region). Supports monitor mode (detect unencrypted traffic) and enforce mode (prevent it). Budget carefully before enabling org-wide.
PKCS7_verify in AWS-LC (affected from v1.41.0 until the fix in v1.69.0) fails to properly validate certificate chains, so a specially crafted certificate can pass verification. Fixed in AWS-LC v1.69.0 and in the aws-lc-sys crate v0.38.0.
AES-CCM implementation in AWS-LC (v1.21.0+, including FIPS versions) is vulnerable to a timing side-channel attack. Workaround available; avoid AES-CCM if possible, prefer AES-GCM.
PKCS7_verify signature validation bypass in AWS-LC. Companion vulnerability to CVE-2026-3336. Fixed in AWS-LC v1.69.0.
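A practitioner's first question for the three AWS-LC items is whether the pinned build in a repository falls in the affected ranges. The following is an added example, not an AWS tool: it reads the aws-lc-sys version from a Cargo.lock and classifies a bare AWS-LC release tag against the ranges stated above. The Cargo.lock text is constructed for the example; the AES-CCM issue is reported for every release from v1.21.0 onward because no fixed release is named here.

```python
"""Check pinned AWS-LC / aws-lc-sys versions against the ranges in this digest (added example)."""
import re

PKCS7_AFFECTED_FROM = (1, 41, 0)    # first affected AWS-LC release
PKCS7_FIXED_IN = (1, 69, 0)         # AWS-LC release containing the PKCS7_verify fixes
AWS_LC_SYS_FIXED_IN = (0, 38, 0)    # aws-lc-sys crate release containing the fixes
AES_CCM_AFFECTED_FROM = (1, 21, 0)  # AES-CCM timing issue; no fixed release named

# Constructed Cargo.lock excerpt: an application pinned one release before the fix.
CONSTRUCTED_CARGO_LOCK = """\
[[package]]
name = "aws-lc-rs"
version = "1.12.5"

[[package]]
name = "aws-lc-sys"
version = "0.37.1"
"""


def parse_version(text):
    """'v1.68.2' or '0.37.1' -> (1, 68, 2); tuples compare correctly as versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(x) for x in m.groups())


def cargo_lock_version(lock_text, crate):
    """Return the pinned version of `crate` from Cargo.lock text, or None if absent."""
    pattern = rf'\[\[package\]\]\s+name = "{re.escape(crate)}"\s+version = "([^"]+)"'
    m = re.search(pattern, lock_text)
    return parse_version(m.group(1)) if m else None


def aws_lc_status(version):
    """List the digest's issues that apply to a bare AWS-LC release tuple."""
    issues = []
    if PKCS7_AFFECTED_FROM <= version < PKCS7_FIXED_IN:
        issues.append("PKCS7_verify bypass: upgrade to v1.69.0 or later")
    if version >= AES_CCM_AFFECTED_FROM:
        issues.append("AES-CCM timing side channel: apply workaround or prefer AES-GCM")
    return issues


def aws_lc_sys_status(version):
    """List the digest's issues that apply to an aws-lc-sys crate version tuple."""
    if version < AWS_LC_SYS_FIXED_IN:
        return ["PKCS7_verify bypass: bump aws-lc-sys to 0.38.0 or later"]
    return []


if __name__ == "__main__":
    pinned = cargo_lock_version(CONSTRUCTED_CARGO_LOCK, "aws-lc-sys")
    print("aws-lc-sys", pinned, aws_lc_sys_status(pinned))
    for tag in ("v1.40.0", "v1.68.2", "v1.69.0"):
        print("AWS-LC", tag, aws_lc_status(parse_version(tag)))
```

Point `cargo_lock_version` at a real lockfile to audit Rust services; for native builds, feed the checked-out AWS-LC tag to `aws_lc_status`. Note that a version at or past v1.69.0 still gets the AES-CCM note, since the digest gives no fixed release for it.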
Noma's AI security platform (AI-SPM, Red Teaming, Runtime Protection) is now available through Security Hub Extended for Amazon Bedrock, SageMaker, and third-party AI workloads.
SailPoint's identity security platform integrated with Security Hub Extended for centralized identity governance alongside security operations.
AWS WAF launches an AI Activity Dashboard that provides visibility into AI-generated traffic hitting your applications. The dashboard covers 650+ AI bot signatures and helps distinguish between beneficial AI crawlers (like search indexers) and malicious scraping bots. Available in the WAF console under the Bot Control tab.
This was the most eventful week of Q1. The LexisNexis breach is a textbook example of why least privilege matters: a single overprivileged ECS task role gave attackers access to Redshift, Secrets Manager, and databases. The three AWS-LC CVEs should be patched immediately if you use the library directly or through bindings such as aws-lc-sys. And Security Hub Extended signals AWS's ambition to be the single pane of glass for enterprise security.
These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.