Cloud-Native Threats in 2020

Last Updated on January 30, 2023

Among the various things that I have done in 2020, there is the collection of the main cyber attacks that have exploited cloud services in the kill chain. I have built a personal (and obviously incomplete) list using publicly available information. The complete timeline is available at the end of the post, while some statistics are summarized in the following charts…

Cloud services are increasingly abused by threat actors, as they provide a reliable and resilient hosting infrastructure, are able to bypass traditional security controls, and, last but not least, are implicitly trusted by the users. This explains the growing adoption of droppers such as GuLoader or BazaarLoader (recently deployed to deliver the Ryuk ransomware in the recent devastating wave of attacks.

As I mentioned this gives only a partial idea of the cloud-native threat landscape, in any case it’s hopefully a useful indication of how frequent the exploitation of cloud services for malicious purposes is becoming.

Date	Description	Link	Service	Type
08/01/2020	Drake Lyrics Used as Calling Card in Malware Attack		Pastebin	Delivery and Exploitation
10/01/2020	Phishing on Sway		Sway	Delivery and Exploitation
16/01/2020	JhoneRATCloud based Python RAT		Google Drive, Google Forms,Twitter	Delivery and Exploitation/Command And Control
27/01/2020	Aggah delivering malware from pastebin		Pastebin, Blogspot	Delivery and Exploitation
30/01/2020	Iran-linked hackers pose as journalists in email scam		Google Sites	Delivery and Exploitation
30/01/2020	Check Point details two flaws in Azure that could have allowed takeover		Azure	Actions on Objective
31/01/2020	Winnti Group Infected Hong Kong Universities With Malware		GitHub, Google Docs, Pastebin	Command and Control
05/02/2020	Bitbucket Abused to Infect 500,000+ Hosts with Malware Cocktail		BitBucket	Delivery and Exploitation
05/02/2020	Espionage campaign targeting Malaysia government officials		Google Drive	Delivery and Exploitation
13/02/2020	Gaza group strikes targets in Palestinian territories		Dropbox, Egnyte	Delivery and Exploitation
17/02/2020	“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign		GitHub	Delivery and Exploitation
18/02/2020	Dharma Ransomware Attacks Italy in New Spam Campaign		OneDrive	Delivery and Exploitation
19/02/2020	Details of 10.6 million MGM hotel guests posted on a hacking forum		N/A	Actions on Objective
19/02/2020	Chinese hackers have breached online betting and gambling sites		Dropbox	Delivery and Exploitation/Command And Control
20/02/2020	Cybergang Favors G Suite and Physical Checks For BEC Attacks		Google Gmail	Delivery and Exploitation
21/02/2020	Phishers Are Using Google Forms to Bypass Popular Email Gateways		Google Forms	Delivery and Exploitation
25/02/2020	’Cloud Snooper’ Attack Bypasses Firewall Security Measures		AWS	Actions on Objective
03/03/2020	Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations		Google Drive	Delivery and Exploitation
03/03/2020	Microsoft OneNote Used To Sidestep Phishing Detection		OneNote	Delivery and Exploitation
06/03/2020	FBI Warns of BEC Attacks Abusing Microsoft Office 365, Google G Suite		Google Gmail, Outlook.com	Delivery and Exploitation
07/03/2020	Data-Stealing FormBook Malware Preys on Coronavirus Fears		Google Drive	Delivery and Exploitation
10/03/2020	Phishing Attack Skirts Detection With YouTube		YouTube	Delivery and Exploitation
14/03/2020	BlackWater Malware Abuses Cloudflare Workers for C2 Communication		Cloudflare	Command and Control
18/03/2020	Politically Themed Cyber Activity Highlights Regional Opposition to Middle East Peace Plan		Google Drive	Delivery and Exploitation
19/03/2020	The Curious Case of the Criminal Curriculum Vitae		Google Drive	Delivery and Exploitation
20/03/2020	Exchange rate service’s customer details hacked via AWS		AWS	Actions on Objective
24/03/2020	How Attackers Could Use Azure Apps to Sneak into Microsoft 365		Azure	Actions on Objective
25/03/2020	New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer		BitBucket	Delivery and Exploitation
20/03/2020	India’s Vijay Sales Leaks Private Information through Exposed Amazon Backup Server		AWS	Actions on Objective
20/03/2020	India’s Vijay Sales Leaks Private Information through Exposed Amazon Backup Server		AWS	Actions on Objective
31/03/2020	Holy water: ongoing targeted water-holing attack in Asia		GitHub, Google Drive	Delivery and Exploitation/Command And Control
31/03/2020	New Raccoon Stealer uses Google Cloud Services to evade detection		Google Drive	Command and Control
01/04/2020	Wave of SBA attacks using COVID-19 as a lure to distribute malware		Google Drive	Delivery and Exploitation
13/04/2020	Overlay Malware Leverages Chrome Browser, Targets Banks and Heads to Spain		GitHub, Google Sites	Delivery and Exploitation
20/04/2020	Threat Actors Masquerade as HR Departments to Steal Credentials		Sway, OneDrive	Delivery and Exploitation
22/04/2020	Customer complaint phishing pushes network hacking malware		Google Drive	Delivery and Exploitation
24/04/2020	BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware		Google Docs	Delivery and Exploitation
28/04/2020	Grandoreiro: How engorged can an EXE get?		GitHub, Dropbox, Pastebin, 4shared	Delivery and Exploitation
30/04/2020	Spear-phishing campaign compromises executives at 150+ companies		Sway, OneNote, Sharepoint	Delivery and Exploitation
05/05/2020	Game patch gives hackers access to development content on Amazon S3		AWS	Actions on Objective
06/05/2020	Two new criminal campaigns targeting the global financial industry with the EVILNUM malware		Google Drive, GitLab	Delivery and Exploitation/Command And Control
07/05/2020	Brazilian trojan banker targets Portuguese users using browser overlay		Google Drive, Google Sites	Delivery and Exploitation/Command And Control
11/05/2020	Astaroth malware hides command servers in YouTube channel descriptions		Youtube	Command and Control
18/05/2020	MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password		Office 365 Application Suite	Actions on Objective
21/05/2020	Phishing in a Bucket: Utilizing Google Firebase Storage		Google Firebase	Delivery and Exploitation
26/05/2020	Malware from Turla using Gmail as the command and control		Google Gmail	Command and Control
01/06/2020	Enterprise-grade’ BazarBackdoor malware delivered via spear phishing emails		Google Docs	Delivery and Exploitation
08/06/2020	US energy providers hit with new malware in targeted attacks		Dropbox	Delivery and Exploitation
09/06/2020	More S3 Buckets Compromised with Magecart and Malicious Redirector		AWS	Actions on Objective
10/06/2020	Office 365 phishing baits business owners with relief payments		Dropbox	Delivery and Exploitation
11/06/2020	Machine-learning clusters in Azure hijacked to mine cryptocurrency		Azure	Actions on Objective
18/06/2020	Wells Fargo phishing baits customers with calendar invites		Google Calendar	Delivery and Exploitation
22/06/2020	IndigoDrop spreads via military-themed lures to deliver Cobalt Strike		Pastebin	Delivery and Exploitation
06/07/2020	New release of Lampion trojan spreads in Portugal		Google Cloud Storage	Delivery and Exploitation
07/07/2020	Microsoft Office 365 users targeted in SurveyMonkey phishing		SurveyMonkey, Sharepoint	Delivery and Exploitation
08/07/2020	Microsoft warns of Office 365 phishing via malicious OAuth apps		Office 365 Application Suite	Actions on Objective
14/07/2020	Brazil’s Banking Trojans Go Global		YouTube, Facebook, Google Docs, Google Sites	Delivery and Exploitation/Command And Control
14/07/2020	New RATicate campaign using GuLoader		Google Drive, Dropbox, OneDrive	Delivery and Exploitation
16/07/2020	Invoice Themed Phishing Emails Are Spreading from Trusted Links		Dropbox	Delivery and Exploitation
18/07/2020	New phishing campaign abuses a trio of enterprise cloud services		Azure,Dynamics, IBM Cloud	Delivery and Exploitation
21/07/2020	Phishing campaign uses Google Cloud Services to steal Office 365 logins		Google Cloud Storage, Google Drive	Delivery and Exploitation
21/07/2020	Fake email from Italian University delivering LokiBot		Pastebin	Delivery and Exploitation
27/07/2020	Office 365 phishing baits employees with fake SharePoint alerts		Google Firebase	Delivery and Exploitation
28/07/2020	Sneaky Doki Linux malware infiltrates Docker cloud instances		AWS, Azure	Actions on Objective
10/08/2020	A hacker releases the databases of gun exchange, hunting, and kratom sites		AWS	Actions on Objective
10/08/2020	A hacker releases the databases of gun exchange, hunting, and kratom sites		AWS	Actions on Objective
12/08/2020	A Big Catch: Cloud Phishing from Google App Engine and Azure App Service		Google App Engine, Azure	Delivery and Exploitation
17/08/2020	First Crypto-Mining Worm to Steal AWS Credentials		AWS	Actions on Objective
21/08/2020	Outlook “mail issues” phishing from Azure		Azure	Delivery and Exploitation
24/08/2020	DeathStalker targets the financial sector		GitHub, Google Plus, Imgur, Reddit, Tumblr, Twitter, YouTube, Wordpress	Command and Control
24/08/2020	Malicious Actors Target AWS Accounts		AWS	Delivery and Exploitation
25/08/2020	Attackers are hosting phishing landing pages on Box to bypass security controls		Box	Delivery and Exploitation
25/08/2020	Phishing attacks exploiting AWS		AWS	Delivery and Exploitation
26/08/2020	Blogspot Serves as a COVID-19 Scamming Hotspot		Blogspot	Delivery and Exploitation
31/08/2020	Phishing with Slack-Files.com		Slack	Delivery and Exploitation
02/09/2020	Phishing scam uses Sharepoint and One Note to go after passwords		Sharepoint, OneNote	Delivery and Exploitation
03/09/2020	New Email-Based Malware Campaigns Target Businesses		Google Sites	Delivery and Exploitation
25/09/2020	Microsoft Kills 18 Azure Accounts Tied to Nation-State Attacks		Azure, OneDrive, GitHub	Command and Control
29/09/2020	OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks		Office 365 Application Suite	Actions on Objective
29/09/2020	Spear Phishing Campaign Delivers Buer and Bazaar Malware		Google Docs	Delivery and Exploitation
30/09/2020	Four npm packages found uploading user details on a GitHub page		GitHub	Command and Control
05/10/2020	Cryptojacker Targets Exposed Docker Daemon APIs		AWS	Actions on Objective
05/10/2020	Malware campaigns deliver payloads via obscure paste service		Paste.nre.com	Delivery and Exploitation
07/10/2020	Phishing emails lure victims with inside info on Trump's health		Google Docs	Delivery and Exploitation
07/10/2020	Phishing attack spoofs IRS COVID-19 relief to steal personal data		Sharepoint	Delivery and Exploitation
12/10/2020	BazarLoader used to deploy Ryuk ransomware on high-value targets		Google Docs	Delivery and Exploitation
16/10/2020	APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services		Github, Dropbox	Delivery and Exploitation/Command And Control
17/10/2020	Hackers now abuse BaseCamp for free malware hosting		Basecamp	Delivery and Exploitation
19/10/2020	Coinbase phishing hijacks Microsoft 365 accounts via OAuth app		Office 365 Application Suite	Actions on Objective
21/10/2020	LockBit uses automated attack tools to identify tasty targets		Google Docs	Delivery and Exploitation
22/10/2020	Microsoft Teams Impersonation		Google App Engine	Delivery and Exploitation
28/10/2020	Russian Turla hackers breach European government organization		Pastebin	Command and Control
29/10/2020	Firestarter Android Malware Abuses Google Firebase Cloud Messaging		Google Firebase	Command and Control
30/10/2020	Beware of Google Docs Spam		Google Docs	Delivery and Exploitation
03/11/2020	Google Forms Abused to Phish AT&T Credentials		Google Forms	Delivery and Exploitation
05/11/2020	Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin		Github, Pastebin	Delivery and Exploitation
09/11/2020	Phishing Campaign Tied to Trickbot Gang		Google Docs	Delivery and Exploitation
13/11/2020	TroubleGrabber: Stealing Credentials Through Discord		GitHub	Delivery and Exploitation
17/11/2020	LightBot: TrickBot’s new reconnaissance malware for high-value targets		Google Docs, Google Drive	Delivery and Exploitation
20/11/2020	Phishing lures employees with fake 'back to work' internal memos		Sharepoint	Delivery and Exploitation
26/11/2020	Digitally Signed Bandook Trojan Reemerges in Global Spy Campaign		AWS, BitBucket, Dropbox	Delivery and Exploitation
26/11/2020	Massive Zoom phishing targets Thanksgiving meetings		Google App Engine	Delivery and Exploitation
27/11/2020	Office 365 phishing abuses Oracle and Amazon cloud services		AWS, Oracle	Delivery and Exploitation
02/12/2020	New backdoor used by Turla to exfiltrate stolen documents to Dropbox		Dropbox	Command and Control
09/12/2020	New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign		Dropbox, Google Drive, Facebook, Github	Delivery and Exploitation/Command And Control
09/12/2020	njRAT using Pastebin as command server		Pastebin	Command and Control
14/12/2020	Gitpaste-12 Worm Widens Set of Exploits in New Attacks		GitHub, Pastebin	Delivery and Exploitation/Command And Control
16/12/2020	NSA warns of hackers forging cloud authentication information		Azure	Actions on Objective
28/12/2020	GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic		GitHub, Imgur	Delivery and Exploitation
Date	Description	Link	Service	Type

Related Posts

Like this:

Leave a Reply Cancel reply