I am starting a new project to track cloud-native threats, similarly to what I have done in 2020, with an interactive timeline. As soon as I collect more data I will start to generate some statistics. As usual the information is collected from open sources such as blogs, online news outlets, etc.
The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data, or launch other attacks), Command and Control (the cloud service is exploited as a command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Clicking on each box, whose logo shows the exploited service, opens a pop-up window with the details of the campaign, including the link to the orginal article (at the bottom of the window).
Of course if you have news of any similar campaign that I have omitted, feel free to let me know! And of course follow @paulsparrows on Twitter and LinkedIn for the latest updates.
Date
Description
Link
Service
Type
Motivation
03/01/2021
Phishing on Firebase
Google Firebase
Delivery and Exploitation
Cyber Crime
04/01/2021
Researchers Disclose Details of FIN7 Hacking Group's Malware
Microsoft Sharepoint
Delivery and Exploitation
Cyber Crime
05/01/2021
Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets
Pastebin
Command and Control
Cyber Crime
08/01/2021
A crypto-mining botnet is now stealing Docker and AWS credentials
AWS
Actions on Objective
Cyber Crime
12/01/2021
Chimera' Threat Group Abuses Microsoft & Google Cloud Services
Microsoft Azure, Google App Engine
Command and Control
Cyber Espionage
12/01/2021
Chimera' Threat Group Abuses Microsoft & Google Cloud Services
Microsoft OneDrive, Google Drive, Dropbox
Data Exfiltration
Cyber Espionage
12/01/2021
Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees
Google Forms
Delivery and Exploitation
Cyber Crime
13/01/2021
Hancitor activity resumes after a hoilday break
Google Docs
Delivery and Exploitation
Cyber Crime
14/01/2021
The data of 35 million users from Juspay goes on sales in the dark web
AWS
Actions on Objective
Cyber Crime
14/01/2021
DHL Phishing on Google Firebase
Google Firebase
Delivery and Exploitation
Cyber Crime
14/01/2021
Winnti APT continues to target game developers in Russia and abroad
Microsoft Azure, Google Docs
Delivery and Exploitation/Command And Control
Cyber Espionage
15/01/2021
Mobile malware with command and control on Dropbox
Dropbox
Command and Control
Cyber Crime
19/01/2021
GuLoader Campaign in italy
Google Drive
Delivery and Exploitation
Cyber Crime
19/01/2021
Malwarebytes confirms that the threat actor behind the SolarWinds supply-chain attack were able to gain access to some company emails.
Microsoft Office 365 Suite
Actions on Objective
Cyber Espionage
19/01/2021
ShinyHunters share a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine.
AWS
Actions on Objective
Cyber Crime
20/01/2021
Thousands of BEC lures use Google Forms in recon campaign
Google Forms
Delivery and Exploitation
Cyber Crime
24/01/2021
The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users.
AWS
Actions on Objective
Cyber Crime
29/01/2021
Threat actors are sending phishing emails impersonating a Small Business Administration (SBA) lender
Microsoft Forms
Delivery and Exploitation
Cyber Crime
03/02/2021
New 'Hildegard' Malware Targets Kubernetes Systems
N/A
Actions on Objective
Cyber Crime
04/02/2021
A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials.
Google Firebase
Delivery and Exploitation
Cyber Crime
05/02/2021
Microsoft warns of increasing OAuth Office 365 phishing attacks
Microsoft Office 365 Suite
Actions on Objective
Cyber Crime
05/02/2021
Microsoft warns of increasing OAuth Office 365 phishing attacks
Microsoft Office 365 Suite
Actions on Objective
Cyber Crime
12/02/2021
New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign
Google Drive
Delivery and Exploitation
Cyber Crime
16/02/2021
A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams.
AWS
Delivery and Exploitation
Cyber Crime
16/02/2021
Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware
AWS, Google Docs
Delivery and Exploitation
Cyber Crime
17/02/2021
Phishers tricking users via fake LinkedIn Private Shared Document
Google App Engine
Delivery and Exploitation
Cyber Crime
18/02/2021
Hackers abuse Google Apps Script to steal credit cards, bypass CSP
Google Apps Script
Delivery and Exploitation
Cyber Crime
18/02/2021
New Silver Sparrow adware targeting Apple M1 Processors
AWS
Command and Control
Cyber Crime
23/02/2021
10K Microsoft Email Users Hit in FedEx Phishing Attack
Google Firebase
Delivery and Exploitation
Cyber Crime
23/02/2021
Surge in ZLoader Attacks Observed
WeTransfer, Google Docs, Box
Delivery and Exploitation
Cyber Crime
24/02/2021
Cybercriminals Target QuickBooks Databases
Google Cloud, AWS
Data Exfiltration
Cyber Crime
01/03/2021
New Hancitor Campaign with fake DocuSign docs
Google Docs
Delivery and Exploitation
Cyber Crime
01/03/2021
Ticketcounter suffers a data breach affecting 1.9 million addresses stolen from an unsecured staging server on Azure
Microsoft Azure
Actions on Objective
Cyber Crime
01/03/2021
Researchers from Sonatype identify new npm “dependency confusion” packages named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.
AWS, Slack
Actions on Objective
Cyber Crime
04/03/2021
Researchers from WMC Global discover a phishing campaign targeting users of Outlook Web Access and Office 365 services, relying on trusted domains such as SendGrid.
Google App Engine
Delivery and Exploitation
Cyber Crime
04/03/2021
Researchers from Aqua Security discover a campaign exploiting the automated build processes of BitBucket and Docker Hub to mine cyptocurrency.
BitBucket
Actions on Objective
Cyber Crime
09/03/2021
Researchers from Check Point discover Clast82, a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. Google consequently removes 10 apps after 15,000 installs
Google Firebase, GitHub
Delivery and Exploitation/Command And Control
Cyber Crime
14/03/2021
A new campaign distributes malware via a fake Telegram update.
BitBucket
Delivery and Exploitation
Cyber Crime
16/03/2021
A new campaign exploits the American Rescue Plan to deliver the Dridex trojan
Dropbox
Delivery and Exploitation
Cyber Crime
19/03/2021
New phishing campaign targets taxpayer credentials
Imgur
Delivery and Exploitation
Cyber Crime
23/03/2021
Researchers from Microsoft discover a new version of the Compact campaign abusing new legitimate services to bypass secure email gateways.
Google App Engine
Delivery and Exploitation
Cyber Crime
23/03/2021
Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis.
Microsoft Azure
Actions on Objective
Cyber Crime
26/03/2021
Researchers from Palo Alto Networks discover more than two-dozen containers on Docker Hub, downloaded more than 20 million times, and infected with malware for cryptojacking operations spanning at least two years.
>1
Actions on Objective
Cyber Crime
30/03/2021
Private information of nearly 100 million users of the Indian mobile payments startup MobiKwik is leaked in the dark web
AWS
Actions on Objective
Cyber Crime
01/04/2021
New campaign distributing Hancitor via Google Docs.
Google Docs
Delivery and Exploitation
Cyber Crime
02/04/2021
GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack.
GitHub, GitLab
Delivery and Exploitation/Actions on Objective
Cyber Crime
05/04/2021
More_eggs backdoor distributed via LinkedIn, downlaods the payload from AWS
AWS, LinkedIn
Delivery and Exploitation
Cyber Crime
06/04/2021
Researchers from ESET reveal the details of Janeleiro, a trojan focused in Brazil.
GitHub
Command and Control
Cyber Crime
06/04/2021
Researchers from Cado Security reveal th details of a cyber espionage campaign targeting political opponents in Palestine using voice changing software.
Google Drive
Delivery and Exploitation
Cyber Espionage
08/04/2021
Resarchers from Zscaler reveal the details of a malicious Android app disguised as a fake TikTok app targeting users of the JIO carrier in India.
GitHub
Delivery and Exploitation
Cyber Crime
11/04/2021
Indian stock trading firm Upstox reveals to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers’ personal information.
AWS
Actions on Objective
Cyber Crime
13/04/2021
More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening documents delivering a RAT via search redirection.
Google Sites
Delivery and Exploitation
Cyber Crime
14/04/2021
New campaign involving multiple infostealer RAT families and miner malware.
Pastebin
Delivery and Exploitation
Cyber Crime
15/04/2021
Several waves of a spam-driven campaign distributing BazarLoader via Slack and BaseCamp.
Slack, BaseCamp
Delivery and Exploitation
Cyber Crime
21/04/2021
A novel email-based campaign targets Bloomberg clients with RATs
Pastebin
Delivery and Exploitation
Cyber Crime
22/04/2021
Arid Viper, a group linked to the cyber arm of Hamas, targets government officials, student groups, and security forces.
Google Sites, Google Firebase
Delivery and Exploitation/Command And Control
Cyber Espionage
22/04/2021
Toxic Eye using Telegram as command and control.
Telegram
Command and Control
Cyber Crime
26/04/2021
Hacker dumps sensitive household records of 250M Americans
AWS
Actions on Objective
Cyber Crime
04/05/2021
Banking Trojan evolves from distribution through porn to phishing schemes
Google Docs
Command and Control
Cyber Crime
11/05/2021
Microsoft: Threat actors target aviation orgs with new malware
Pastebin
Delivery and Exploitation
Cyber Crime
12/05/2021
Trust Wallet, MetaMask crypto wallets targeted by new support scam
Google Docs
Delivery and Exploitation
Cyber Crime
18/05/2021
Unpatched servers in the free tiers of cloud computing platforms.
20/20 Eye Care Network and 20/20 Hearing Care Network
AWS
Actions on Objective
Cyber Crime
07/06/2021
First known malware targeting Windows containers
>1
Actions on Objective
Cyber Crime
09/06/2021
Microsoft warns of an ongoing series of attacks compromising Kubernetes clusters
>1
Actions on Objective
Cyber Crime
10/06/2021
Electronic Arts is hacked via a Slack stolen cookie.
Slack
Actions on Objective
Cyber Crime
11/06/2021
Microsoft discovers a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT)
AWS
Delivery and Exploitation
Cyber Crime
17/06/2021
TA402 APT group (aka Molerats and GazaHackerTeam) is back after two-month of silence and is targeting governments in the Middle East.
Google Apps Script, Dropbox, Pastebin
Delivery and Exploitation/Command And Control
Cyber Espionage
17/06/2021
New campaign abusing Google Docs to deliver phishing pages
Google Docs
Delivery and Exploitation
Cyber Crime
29/06/2021
New campaign from Aggah
Blogspot
Delivery and Exploitation
Cyber Espionage
01/07/2021
Chinese cyberspies target the Afghan National Security Council
Dropbox
Command and Control
Cyber Espionage
20/07/2021
Researchers from Intezer reveal that threat actors are abusing misconfigured Argo Workflows instances to deploy cryptocurrency miners on Kubernetes clusters.
Argo Workflows
Actions on Objective
Cyber Crime
22/07/2021
Researchers from Avanan reveal the details of a phishing campaign hosting the content on Milanote, an application defined as the "Evernote for Creatives".
Milanote
Delivery and Exploitation
Cyber Crime
28/07/2021
Researchers from ProofPoint reveal the details of a new campaign carried out by the Iranian group Tortoiseshell to target employees and contractors working in defence and aerospace.
Microsoft OneDrive
Delivery and Exploitation
Cyber Espionage
29/07/2021
Security researchers from ThreatFabric reveal the dettails of Vultur, a novel piece of Android malware that uses the VNC technology to record and broadcast a victim’s smartphone activity.
Google Firebase
Command and Control
Cyber Crime
31/07/2021
Microsoft's Security Intelligence team issues an alert to Office 365 users and admins to be on the lookout for a "crafty" phishing email with spoofed sender addresses using phishing pages hosted on Google Cloud and Sharepoint.
Google App Engine, Microsoft Sharepoint
Delivery and Exploitation
Cyber Crime
03/08/2021
Researchers from Group-IB reveal the details of a series of campaigns carried out by two Chinese threat actors (TA428 and TaskMasters) targeting Russian government agencies.
Yandex Disk
Command and Control
Cyber Espionage
09/08/2021
Splunk spots malware targeting Windows Server on AWS to mine Monero
AWS
Actions on Objective
Cyber Crime
27/08/2021
Fake DMCA and DDoS complaints lead to BazaLoader malware
Google Drive
Delivery and Exploitation
Malware
31/08/2021
Researchers from Cisco Talos identify multiple campaigns distributing trojanaized versions of the Honeygain proxyware.
Dropbox
Delivery and Exploitation
Cyber Crime
16/09/2021
Threat actors started actively exploiting the critical Azure OMIGOD vulnerabilities two days after Microsoft disclosed them during this month's Patch Tuesday.
Microsoft Azure
Actions on Objective
Cyber Crime
17/09/2021
Cryptocurrency launchpad hit by $3 million supply chain attack
GitHub
Actions on Objective
Cyber Crime
17/09/2021
Rsearchers from ESET reveal the details of Numando, a Trojan active in Brazil, Mexico, and Spain.
Youtube, Pastebin
Command and Control
Cyber Crime
23/09/2021
Researchers from Cisco Talos reveal the details of "Operation Armor Piercer”, a series of malicious attacks targeting Indian government and military personnel using commercial remote access Trojans (RATs) such as Netwire and Warzone (AKA AveMaria).
Dropbox, Pastebin
Delivery and Exploitation
Cyber Espionage
04/10/2021
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
Pastebin
Delivery and Exploitation
Cyber Crime
06/10/2021
Researchrers from Cybereason discover Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe.
Dropbox
Command and Control
Cyber Espionage
08/10/2021
Researchers from Trend Micro discover a new version of a Linux crypto-mining malware previously used to target Docker containers in 2020 now focusing on Huawei Cloud.
Huawei Cloud
Actions on Objective
Cyber Crime
11/10/2021
Thingiverse, a website dedicated to sharing user-created digital design files, reportedly leaks a 36GB backup file that contains 228,000 unique email addresses and other personally identifiable information.
AWS
Actions on Objective
Cyber Crime
13/10/2021
Researchers from IBM X-Force reveal that operators behind the infamous TrickBot (ITG23 and Wizard Spider) malware have resurfaced with new distribution channels to deliver malicious payloads, such as Conti ransomware.
Zoho
Delivery and Exploitation
Cyber Crime
03/11/2021
Stealthier version of Mekotio banking trojan spotted in the wild
welld one
Pingback: Cloud-Native Threats in 2021 – HACKMAGEDDON – Nanda Parbat
Pingback: Veille Cyber N319 – 25 janvier 2021 |