I am starting a new project to track cloud-native threats with an interactive timeline, similar to what I did in 2020. As soon as I have collected enough data, I will start generating some statistics. As usual, the information is collected from open sources such as blogs and online news outlets.
The campaigns are classified into four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or to launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Each box carries the logo of the exploited service; clicking on it opens a pop-up window with the details of the campaign, including the link to the original article (at the bottom of the window).
Of course, if you have news of any similar campaign that I have omitted, feel free to let me know! And follow @paulsparrows on Twitter and LinkedIn for the latest updates.
| Date | Description | Service | Type | Motivation |
|---|---|---|---|---|
| 03/01/2021 | Phishing on Firebase | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 04/01/2021 | Researchers Disclose Details of FIN7 Hacking Group's Malware | Microsoft SharePoint | Delivery and Exploitation | Cyber Crime |
| 05/01/2021 | Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets | Pastebin | Command and Control | Cyber Crime |
| 08/01/2021 | A crypto-mining botnet is now stealing Docker and AWS credentials | AWS | Actions on Objective | Cyber Crime |
| 12/01/2021 | 'Chimera' Threat Group Abuses Microsoft & Google Cloud Services | Microsoft Azure, Google App Engine | Command and Control | Cyber Espionage |
| 12/01/2021 | 'Chimera' Threat Group Abuses Microsoft & Google Cloud Services | Microsoft OneDrive, Google Drive, Dropbox | Data Exfiltration | Cyber Espionage |
| 12/01/2021 | Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees | Google Forms | Delivery and Exploitation | Cyber Crime |
| 13/01/2021 | Hancitor activity resumes after a holiday break | Google Docs | Delivery and Exploitation | Cyber Crime |
| 14/01/2021 | The data of 35 million users from Juspay goes on sale on the dark web | AWS | Actions on Objective | Cyber Crime |
| 14/01/2021 | DHL Phishing on Google Firebase | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 14/01/2021 | Winnti APT continues to target game developers in Russia and abroad | Microsoft Azure, Google Docs | Delivery and Exploitation / Command and Control | Cyber Espionage |
| 15/01/2021 | Mobile malware with command and control on Dropbox | Dropbox | Command and Control | Cyber Crime |
| 19/01/2021 | GuLoader campaign in Italy | Google Drive | Delivery and Exploitation | Cyber Crime |
| 19/01/2021 | Malwarebytes confirms that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. | Microsoft Office 365 Suite | Actions on Objective | Cyber Espionage |
| 19/01/2021 | ShinyHunters shares a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine. | AWS | Actions on Objective | Cyber Crime |
| 20/01/2021 | Thousands of BEC lures use Google Forms in recon campaign | Google Forms | Delivery and Exploitation | Cyber Crime |
| 24/01/2021 | The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users. | AWS | Actions on Objective | Cyber Crime |
| 29/01/2021 | Threat actors are sending phishing emails impersonating a Small Business Administration (SBA) lender | Microsoft Forms | Delivery and Exploitation | Cyber Crime |
| 03/02/2021 | New 'Hildegard' Malware Targets Kubernetes Systems | N/A | Actions on Objective | Cyber Crime |
| 04/02/2021 | A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials. | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 05/02/2021 | Microsoft warns of increasing OAuth Office 365 phishing attacks | Microsoft Office 365 Suite | Actions on Objective | Cyber Crime |
| 12/02/2021 | New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign | Google Drive | Delivery and Exploitation | Cyber Crime |
| 16/02/2021 | A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent gift card scam websites. | AWS | Delivery and Exploitation | Cyber Crime |
| 16/02/2021 | Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware | AWS, Google Docs | Delivery and Exploitation | Cyber Crime |
| 17/02/2021 | Phishers tricking users via fake LinkedIn Private Shared Document | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 18/02/2021 | Hackers abuse Google Apps Script to steal credit cards, bypass CSP | Google Apps Script | Delivery and Exploitation | Cyber Crime |
| 18/02/2021 | New Silver Sparrow adware targeting Apple M1 Processors | AWS | Command and Control | Cyber Crime |
| 23/02/2021 | 10K Microsoft Email Users Hit in FedEx Phishing Attack | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 23/02/2021 | Surge in ZLoader Attacks Observed | WeTransfer, Google Docs, Box | Delivery and Exploitation | Cyber Crime |
| 24/02/2021 | Cybercriminals Target QuickBooks Databases | Google Cloud, AWS | Data Exfiltration | Cyber Crime |
| 01/03/2021 | New Hancitor Campaign with fake DocuSign docs | Google Docs | Delivery and Exploitation | Cyber Crime |
| 01/03/2021 | Ticketcounter suffers a data breach affecting 1.9 million addresses stolen from an unsecured staging server on Azure | Microsoft Azure | Actions on Objective | Cyber Crime |
| 01/03/2021 | Researchers from Sonatype identify new npm "dependency confusion" packages named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack. | AWS, Slack | Actions on Objective | Cyber Crime |
| 04/03/2021 | Researchers from WMC Global discover a phishing campaign targeting users of Outlook Web Access and Office 365 services, relying on trusted domains such as SendGrid. | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 04/03/2021 | Researchers from Aqua Security discover a campaign exploiting the automated build processes of BitBucket and Docker Hub to mine cryptocurrency. | BitBucket | Actions on Objective | Cyber Crime |
| 09/03/2021 | Researchers from Check Point discover Clast82, a new dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. Google consequently removes 10 apps after 15,000 installs. | Google Firebase, GitHub | Delivery and Exploitation / Command and Control | Cyber Crime |
| 14/03/2021 | A new campaign distributes malware via a fake Telegram update. | BitBucket | Delivery and Exploitation | Cyber Crime |
| 16/03/2021 | A new campaign exploits the American Rescue Plan to deliver the Dridex trojan | Dropbox | Delivery and Exploitation | Cyber Crime |
| 19/03/2021 | New phishing campaign targets taxpayer credentials | Imgur | Delivery and Exploitation | Cyber Crime |
| 23/03/2021 | Researchers from Microsoft discover a new version of the Compact campaign abusing new legitimate services to bypass secure email gateways. | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 23/03/2021 | Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis. | Microsoft Azure | Actions on Objective | Cyber Crime |
| 26/03/2021 | Researchers from Palo Alto Networks discover more than two dozen containers on Docker Hub, downloaded more than 20 million times and infected with malware for cryptojacking operations spanning at least two years. | >1 | Actions on Objective | Cyber Crime |
| 30/03/2021 | Private information of nearly 100 million users of the Indian mobile payments startup MobiKwik is leaked on the dark web | AWS | Actions on Objective | Cyber Crime |
| 01/04/2021 | New campaign distributing Hancitor via Google Docs. | Google Docs | Delivery and Exploitation | Cyber Crime |
| 02/04/2021 | GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack. | GitHub, GitLab | Delivery and Exploitation / Actions on Objective | Cyber Crime |
| 05/04/2021 | More_eggs backdoor distributed via LinkedIn, downloads the payload from AWS | | | |