Cloud-Native Threats in 2021

Last Updated on February 14, 2022

I am starting a new project to track cloud-native threats, similarly to what I have done in 2020, with an interactive timeline. As soon as I collect more data I will start to generate some statistics. As usual the information is collected from open sources such as blogs, online news outlets, etc.

The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data, or launch other attacks), Command and Control (the cloud service is exploited as a command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).

Clicking on each box, whose logo shows the exploited service, opens a pop-up window with the details of the campaign, including the link to the orginal article (at the bottom of the window).

Of course if you have news of any similar campaign that I have omitted, feel free to let me know! And of course follow @paulsparrows on Twitter and LinkedIn for the latest updates.

Date	Description	Link	Service	Type	Motivation
03/01/2021	Phishing on Firebase		Google Firebase	Delivery and Exploitation	Cyber Crime
04/01/2021	Researchers Disclose Details of FIN7 Hacking Group's Malware		Microsoft Sharepoint	Delivery and Exploitation	Cyber Crime
05/01/2021	Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets		Pastebin	Command and Control	Cyber Crime
08/01/2021	A crypto-mining botnet is now stealing Docker and AWS credentials		AWS	Actions on Objective	Cyber Crime
12/01/2021	Chimera' Threat Group Abuses Microsoft & Google Cloud Services		Microsoft Azure, Google App Engine	Command and Control	Cyber Espionage
12/01/2021	Chimera' Threat Group Abuses Microsoft & Google Cloud Services		Microsoft OneDrive, Google Drive, Dropbox	Data Exfiltration	Cyber Espionage
12/01/2021	Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees		Google Forms	Delivery and Exploitation	Cyber Crime
13/01/2021	Hancitor activity resumes after a hoilday break		Google Docs	Delivery and Exploitation	Cyber Crime
14/01/2021	The data of 35 million users from Juspay goes on sales in the dark web		AWS	Actions on Objective	Cyber Crime
14/01/2021	DHL Phishing on Google Firebase		Google Firebase	Delivery and Exploitation	Cyber Crime
14/01/2021	Winnti APT continues to target game developers in Russia and abroad		Microsoft Azure, Google Docs	Delivery and Exploitation/Command And Control	Cyber Espionage
15/01/2021	Mobile malware with command and control on Dropbox		Dropbox	Command and Control	Cyber Crime
19/01/2021	GuLoader Campaign in italy		Google Drive	Delivery and Exploitation	Cyber Crime
19/01/2021	Malwarebytes confirms that the threat actor behind the SolarWinds supply-chain attack were able to gain access to some company emails.		Microsoft Office 365 Suite	Actions on Objective	Cyber Espionage
19/01/2021	ShinyHunters share a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine.		AWS	Actions on Objective	Cyber Crime
20/01/2021	Thousands of BEC lures use Google Forms in recon campaign		Google Forms	Delivery and Exploitation	Cyber Crime
24/01/2021	The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users.		AWS	Actions on Objective	Cyber Crime
29/01/2021	Threat actors are sending phishing emails impersonating a Small Business Administration (SBA) lender		Microsoft Forms	Delivery and Exploitation	Cyber Crime
03/02/2021	New 'Hildegard' Malware Targets Kubernetes Systems		N/A	Actions on Objective	Cyber Crime
04/02/2021	A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials.		Google Firebase	Delivery and Exploitation	Cyber Crime
05/02/2021	Microsoft warns of increasing OAuth Office 365 phishing attacks		Microsoft Office 365 Suite	Actions on Objective	Cyber Crime
05/02/2021	Microsoft warns of increasing OAuth Office 365 phishing attacks		Microsoft Office 365 Suite	Actions on Objective	Cyber Crime
12/02/2021	New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign		Google Drive	Delivery and Exploitation	Cyber Crime
16/02/2021	A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams.		AWS	Delivery and Exploitation	Cyber Crime
16/02/2021	Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware		AWS, Google Docs	Delivery and Exploitation	Cyber Crime
17/02/2021	Phishers tricking users via fake LinkedIn Private Shared Document		Google App Engine	Delivery and Exploitation	Cyber Crime
18/02/2021	Hackers abuse Google Apps Script to steal credit cards, bypass CSP		Google Apps Script	Delivery and Exploitation	Cyber Crime
18/02/2021	New Silver Sparrow adware targeting Apple M1 Processors		AWS	Command and Control	Cyber Crime
23/02/2021	10K Microsoft Email Users Hit in FedEx Phishing Attack		Google Firebase	Delivery and Exploitation	Cyber Crime
23/02/2021	Surge in ZLoader Attacks Observed		WeTransfer, Google Docs, Box	Delivery and Exploitation	Cyber Crime
24/02/2021	Cybercriminals Target QuickBooks Databases		Google Cloud, AWS	Data Exfiltration	Cyber Crime
01/03/2021	New Hancitor Campaign with fake DocuSign docs		Google Docs	Delivery and Exploitation	Cyber Crime
01/03/2021	Ticketcounter suffers a data breach affecting 1.9 million addresses stolen from an unsecured staging server on Azure		Microsoft Azure	Actions on Objective	Cyber Crime
01/03/2021	Researchers from Sonatype identify new npm “dependency confusion” packages named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.		AWS, Slack	Actions on Objective	Cyber Crime
04/03/2021	Researchers from WMC Global discover a phishing campaign targeting users of Outlook Web Access and Office 365 services, relying on trusted domains such as SendGrid.		Google App Engine	Delivery and Exploitation	Cyber Crime
04/03/2021	Researchers from Aqua Security discover a campaign exploiting the automated build processes of BitBucket and Docker Hub to mine cyptocurrency.		BitBucket	Actions on Objective	Cyber Crime
09/03/2021	Researchers from Check Point discover Clast82, a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. Google consequently removes 10 apps after 15,000 installs		Google Firebase, GitHub	Delivery and Exploitation/Command And Control	Cyber Crime
14/03/2021	A new campaign distributes malware via a fake Telegram update.		BitBucket	Delivery and Exploitation	Cyber Crime
16/03/2021	A new campaign exploits the American Rescue Plan to deliver the Dridex trojan		Dropbox	Delivery and Exploitation	Cyber Crime
19/03/2021	New phishing campaign targets taxpayer credentials		Imgur	Delivery and Exploitation	Cyber Crime
23/03/2021	Researchers from Microsoft discover a new version of the Compact campaign abusing new legitimate services to bypass secure email gateways.		Google App Engine	Delivery and Exploitation	Cyber Crime
23/03/2021	Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis.		Microsoft Azure	Actions on Objective	Cyber Crime
26/03/2021	Researchers from Palo Alto Networks discover more than two-dozen containers on Docker Hub, downloaded more than 20 million times, and infected with malware for cryptojacking operations spanning at least two years.		>1	Actions on Objective	Cyber Crime
30/03/2021	Private information of nearly 100 million users of the Indian mobile payments startup MobiKwik is leaked in the dark web		AWS	Actions on Objective	Cyber Crime
01/04/2021	New campaign distributing Hancitor via Google Docs.		Google Docs	Delivery and Exploitation	Cyber Crime
02/04/2021	GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack.		GitHub, GitLab	Delivery and Exploitation/Actions on Objective	Cyber Crime
05/04/2021	More_eggs backdoor distributed via LinkedIn, downlaods the payload from AWS		AWS, LinkedIn	Delivery and Exploitation	Cyber Crime
06/04/2021	Researchers from ESET reveal the details of Janeleiro, a trojan focused in Brazil.		GitHub	Command and Control	Cyber Crime
06/04/2021	Researchers from Cado Security reveal th details of a cyber espionage campaign targeting political opponents in Palestine using voice changing software.		Google Drive	Delivery and Exploitation	Cyber Espionage
08/04/2021	Resarchers from Zscaler reveal the details of a malicious Android app disguised as a fake TikTok app targeting users of the JIO carrier in India.		GitHub	Delivery and Exploitation	Cyber Crime
11/04/2021	Indian stock trading firm Upstox reveals to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers’ personal information.		AWS	Actions on Objective	Cyber Crime
13/04/2021	More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening documents delivering a RAT via search redirection.		Google Sites	Delivery and Exploitation	Cyber Crime
14/04/2021	New campaign involving multiple infostealer RAT families and miner malware.		Pastebin	Delivery and Exploitation	Cyber Crime
15/04/2021	Several waves of a spam-driven campaign distributing BazarLoader via Slack and BaseCamp.		Slack, BaseCamp	Delivery and Exploitation	Cyber Crime
21/04/2021	A novel email-based campaign targets Bloomberg clients with RATs		Pastebin	Delivery and Exploitation	Cyber Crime
22/04/2021	Arid Viper, a group linked to the cyber arm of Hamas, targets government officials, student groups, and security forces.		Google Sites, Google Firebase	Delivery and Exploitation/Command And Control	Cyber Espionage
22/04/2021	Toxic Eye using Telegram as command and control.		Telegram	Command and Control	Cyber Crime
26/04/2021	Hacker dumps sensitive household records of 250M Americans		AWS	Actions on Objective	Cyber Crime
04/05/2021	Banking Trojan evolves from distribution through porn to phishing schemes		Google Docs	Command and Control	Cyber Crime
11/05/2021	Microsoft: Threat actors target aviation orgs with new malware		Pastebin	Delivery and Exploitation	Cyber Crime
12/05/2021	Trust Wallet, MetaMask crypto wallets targeted by new support scam		Google Docs	Delivery and Exploitation	Cyber Crime
18/05/2021	Unpatched servers in the free tiers of cloud computing platforms.		GitHub, GitLab, Microsoft Azure, TravisCI, LayerCI, CircleCI, Render, CloudBees CodeShip, Sourcehut, Okteto	Actions on Objective	Cyber Crime
25/05/2021	Misconfigured Kubernetes clusters		>1	Actions on Objective	Cyber Crime
28/05/2021	20/20 Eye Care Network and 20/20 Hearing Care Network		AWS	Actions on Objective	Cyber Crime
07/06/2021	First known malware targeting Windows containers		>1	Actions on Objective	Cyber Crime
09/06/2021	Microsoft warns of an ongoing series of attacks compromising Kubernetes clusters		>1	Actions on Objective	Cyber Crime
10/06/2021	Electronic Arts is hacked via a Slack stolen cookie.		Slack	Actions on Objective	Cyber Crime
11/06/2021	Microsoft discovers a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT)		AWS	Delivery and Exploitation	Cyber Crime
17/06/2021	TA402 APT group (aka Molerats and GazaHackerTeam) is back after two-month of silence and is targeting governments in the Middle East.		Google Apps Script, Dropbox, Pastebin	Delivery and Exploitation/Command And Control	Cyber Espionage
17/06/2021	New campaign abusing Google Docs to deliver phishing pages		Google Docs	Delivery and Exploitation	Cyber Crime
29/06/2021	New campaign from Aggah		Blogspot	Delivery and Exploitation	Cyber Espionage
01/07/2021	Chinese cyberspies target the Afghan National Security Council		Dropbox	Command and Control	Cyber Espionage
20/07/2021	Researchers from Intezer reveal that threat actors are abusing misconfigured Argo Workflows instances to deploy cryptocurrency miners on Kubernetes clusters.		Argo Workflows	Actions on Objective	Cyber Crime
22/07/2021	Researchers from Avanan reveal the details of a phishing campaign hosting the content on Milanote, an application defined as the "Evernote for Creatives".		Milanote	Delivery and Exploitation	Cyber Crime
28/07/2021	Researchers from ProofPoint reveal the details of a new campaign carried out by the Iranian group Tortoiseshell to target employees and contractors working in defence and aerospace.		Microsoft OneDrive	Delivery and Exploitation	Cyber Espionage
29/07/2021	Security researchers from ThreatFabric reveal the dettails of Vultur, a novel piece of Android malware that uses the VNC technology to record and broadcast a victim’s smartphone activity.		Google Firebase	Command and Control	Cyber Crime
31/07/2021	Microsoft's Security Intelligence team issues an alert to Office 365 users and admins to be on the lookout for a "crafty" phishing email with spoofed sender addresses using phishing pages hosted on Google Cloud and Sharepoint.		Google App Engine, Microsoft Sharepoint	Delivery and Exploitation	Cyber Crime
03/08/2021	Researchers from Group-IB reveal the details of a series of campaigns carried out by two Chinese threat actors (TA428 and TaskMasters) targeting Russian government agencies.		Yandex Disk	Command and Control	Cyber Espionage
09/08/2021	Splunk spots malware targeting Windows Server on AWS to mine Monero		AWS	Actions on Objective	Cyber Crime
27/08/2021	Fake DMCA and DDoS complaints lead to BazaLoader malware		Google Drive	Delivery and Exploitation	Malware
31/08/2021	Researchers from Cisco Talos identify multiple campaigns distributing trojanaized versions of the Honeygain proxyware.		Dropbox	Delivery and Exploitation	Cyber Crime
16/09/2021	Threat actors started actively exploiting the critical Azure OMIGOD vulnerabilities two days after Microsoft disclosed them during this month's Patch Tuesday.		Microsoft Azure	Actions on Objective	Cyber Crime
17/09/2021	Cryptocurrency launchpad hit by $3 million supply chain attack		GitHub	Actions on Objective	Cyber Crime
17/09/2021	Rsearchers from ESET reveal the details of Numando, a Trojan active in Brazil, Mexico, and Spain.		Youtube, Pastebin	Command and Control	Cyber Crime
23/09/2021	Researchers from Cisco Talos reveal the details of "Operation Armor Piercer”, a series of malicious attacks targeting Indian government and military personnel using commercial remote access Trojans (RATs) such as Netwire and Warzone (AKA AveMaria).		Dropbox, Pastebin	Delivery and Exploitation	Cyber Espionage
04/10/2021	Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack		Pastebin	Delivery and Exploitation	Cyber Crime
06/10/2021	Researchrers from Cybereason discover Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe.		Dropbox	Command and Control	Cyber Espionage
08/10/2021	Researchers from Trend Micro discover a new version of a Linux crypto-mining malware previously used to target Docker containers in 2020 now focusing on Huawei Cloud.		Huawei Cloud	Actions on Objective	Cyber Crime
11/10/2021	Thingiverse, a website dedicated to sharing user-created digital design files, reportedly leaks a 36GB backup file that contains 228,000 unique email addresses and other personally identifiable information.		AWS	Actions on Objective	Cyber Crime
13/10/2021	Researchers from IBM X-Force reveal that operators behind the infamous TrickBot (ITG23 and Wizard Spider) malware have resurfaced with new distribution channels to deliver malicious payloads, such as Conti ransomware.		Zoho	Delivery and Exploitation	Cyber Crime
20/10/2021	Researchers from Google Threat Analysis Group reveal to have blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams.		Google Drive	Delivery and Exploitation	Cyber Crime
21/10/2021	Researchers from Ahnlab discover an ongoing malware distribution campaign targeting South Korea disguising RATs as an adult game shared via webhards and torrents.		Discord	Delivery and Exploitation	Cyber Crime
21/10/2021	Researchers from Netskope disvover a campaign distributing the Warzone RAT via Discord		Discord	Delivery and Exploitation	Cyber Crime
26/10/2021	Researchers at Qihoo 360 discover an ongoing Android spyware campaign targeting Israeli users since 2018.		Google Drive	Delivery and Exploitation	Cyber Crime
26/10/2021	Researchers from INKY discover a new phishing campaign in which threat actors manipulate Craigslist email system to send fraudulent violation notifications, spreading malware.		Microsoft OneDrive	Delivery and Exploitation	Cyber Crime
28/10/2021	Researchers from Proofpoint discover a prolific cybercrime group using the popularity of Netflix hit "Squid Game" to spread the Dridex malware.		Discord	Delivery and Exploitation	Cyber Crime
02/11/2021	Researchers from Malwarebytes discover an active phishing campaign promoting via Discord and targeting Steam gamers.		Discord	Delivery and Exploitation	Cyber Crime
03/11/2021	Stealthier version of Mekotio banking trojan spotted in the wild		Microsoft Azure	Delivery and Exploitation	Cyber Crime
03/11/2021	Researchers from Cisco Talos reveal the details of Tortilla, a new threat actor hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.		Pastebin	Delivery and Exploitation	Cyber Crime
04/11/2021	Researchers from Cofense discover a new phishing campaign pretending to come from a supplier and infecting the users with the MirCop ransomware.		Google Drive	Delivery and Exploitation	Cyber Crime
04/11/2021	Threat actors are exploiting a security flaw in GitLab self-hosted servers (CVE-2021-22205) to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second.		Gitlab	Actions on Objective	Cyber Crime
09/11/2021	Researchers from Trend Micro discover a new campaign of TeamTNT targeting poorly configured Docker servers to mine cryptocurrency.		>1	Actions on Objective	Cyber Crime
11/11/2021	Researchers from Sophos discover a new campaign abusing the Windows 10 App Installer to deploy the BazarLoader malware.		Azure, Google Cloud Storage	Delivery and Exploitation	Cyber Crime
18/11/2021	Researchers from SeclarityIO reveal that the PerSwaysion, widespread phishing campaign exploiting Microsoft Sway, SharePoint, and OneNote, is still active.		Microsoft Sway	Delivery and Exploitation	Cyber Crime
22/11/2021	An advisory published by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) reveals that an advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called 'Tardigrade.'		AWS	Command and Control	Cyber Crime
23/11/2021	Researchers from Morphisec discover a new malware campaign from Discord using the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.		Discord	Delivery and Exploitation	Cyber Crime
25/11/2021	charts.dft.gov.uk, a UK Department for Transport (DfT) website is caught serving porn today.		AWS	Actions on Objective	Cyber Crime
29/11/2021	Researchers from Kaspersky reveal the details of the latest campaign of APT37 targeting South Korean journalists, defectors, and human rights activists with a new malware dubbed Chinotto.		Microsoft OneDrive	Delivery and Exploitation	Cyber Espionage
05/12/2021	Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.		Google Drive	Delivery and Exploitation	Cyber Crime
07/12/2021	The Cerber ransomware is back, as a new ransomware family with the old name, and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities (respectively CVE-2021-26084 and CVE-2021-22205 for Confluence and GitLab)		Atlassian Confluence, BitBucket	Actions on Objective	Cyber Crime
10/12/2021	Researchers from Fortinet discover a new variant of the Agent Tesla malware distributed in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.		BitBucket	Delivery and Exploitation	Cyber Crime
15/12/2021	Researchers from IBM X-Force reveal that the MuddyWater group is deploying a newly discovered backdoor named 'Aclip' that abuses the Slack API for covert communications, targeting an unnamed Asian airline.		Slack	Command and Control	Cyber Espionage
17/12/2021	Researchers from Yori discover a campaign from Aggah targeting multiple victims worldwide.		BitBucket	Delivery and Exploitation	Cyber Espionage
21/12/2021	Researchers from Cado Security discover a new version of the Abcbot botnet, targeting insecure cloud instances running under Cloud Service Providers such as Tencent, Baidu, Alibaba Cloud, and Huawei cloud.		Alibaba, Huawei, Tencent, Baidu	Actions on Objective	Cyber Crime
24/12/2021	ONUS, one of the largest Vietnamese crypto trading platforms, suffers a cyber attack on its payment system running a vulnerable Log4j version. The threat actors approached ONUS to extort a $5 million sum.		AWS	Actions on Objective	Cyber Crime
Date	Description	Link	Service	Type	Motivation

Cloud-Native Threats in 2020

2020 Cyber Attacks Statistics

Tweets by paulsparrows

The Biggest Data Breaches of 2021

Related Posts

Like this:

This Post Has 3 Comments

Leave a Reply Cancel reply