I am starting a new project to track cloud-native threats, as I did in 2020, with an interactive timeline. As soon as I collect more data I will start generating some statistics. As usual, the information is collected from open sources such as blogs, online news outlets, etc.
The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Clicking on each box (whose logo shows the exploited service) opens a pop-up window with the details of the campaign, including the link to the original article at the bottom of the window.
Of course, if you know of any similar campaign that I have omitted, feel free to let me know! And of course follow @paulsparrows on Twitter and LinkedIn for the latest updates.
| Date | Description (Link) | Service | Type | Motivation |
|---|---|---|---|---|
| 03/01/2021 | Phishing on Firebase | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 04/01/2021 | Researchers Disclose Details of FIN7 Hacking Group's Malware | Microsoft Sharepoint | Delivery and Exploitation | Cyber Crime |
| 05/01/2021 | Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets | Pastebin | Command and Control | Cyber Crime |
| 08/01/2021 | A crypto-mining botnet is now stealing Docker and AWS credentials | AWS | Actions on Objective | Cyber Crime |
| 12/01/2021 | 'Chimera' Threat Group Abuses Microsoft & Google Cloud Services | Microsoft Azure, Google App Engine | Command and Control | Cyber Espionage |
| 12/01/2021 | 'Chimera' Threat Group Abuses Microsoft & Google Cloud Services | Microsoft OneDrive, Google Drive, Dropbox | Data Exfiltration | Cyber Espionage |
| 12/01/2021 | Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees | Google Forms | Delivery and Exploitation | Cyber Crime |
| 13/01/2021 | Hancitor activity resumes after a holiday break | Google Docs | Delivery and Exploitation | Cyber Crime |
| 14/01/2021 | The data of 35 million users from Juspay goes on sale on the dark web | AWS | Actions on Objective | Cyber Crime |
| 14/01/2021 | DHL Phishing on Google Firebase | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 14/01/2021 | Winnti APT continues to target game developers in Russia and abroad | Microsoft Azure, Google Docs | Delivery and Exploitation/Command and Control | Cyber Espionage |
| 15/01/2021 | Mobile malware with command and control on Dropbox | Dropbox | Command and Control | Cyber Crime |
| 19/01/2021 | GuLoader Campaign in Italy | Google Drive | Delivery and Exploitation | Cyber Crime |
| 19/01/2021 | Malwarebytes confirms that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. | Microsoft Office 365 Suite | Actions on Objective | Cyber Espionage |
| 19/01/2021 | ShinyHunters shares a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine. | AWS | Actions on Objective | Cyber Crime |
| 20/01/2021 | Thousands of BEC lures use Google Forms in recon campaign | Google Forms | Delivery and Exploitation | Cyber Crime |
| 24/01/2021 | The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users. | AWS | Actions on Objective | Cyber Crime |
| 29/01/2021 | Threat actors are sending phishing emails impersonating a Small Business Administration (SBA) lender | Microsoft Forms | Delivery and Exploitation | Cyber Crime |
| 03/02/2021 | New 'Hildegard' Malware Targets Kubernetes Systems | N/A | Actions on Objective | Cyber Crime |
| 04/02/2021 | A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials. | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 05/02/2021 | Microsoft warns of increasing OAuth Office 365 phishing attacks | Microsoft Office 365 Suite | Actions on Objective | Cyber Crime |
| 12/02/2021 | New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign | Google Drive | Delivery and Exploitation | Cyber Crime |
| 16/02/2021 | A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent gift card scam websites. | AWS | Delivery and Exploitation | Cyber Crime |
| 16/02/2021 | Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware | AWS, Google Docs | Delivery and Exploitation | Cyber Crime |
| 17/02/2021 | Phishers tricking users via fake LinkedIn Private Shared Document | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 18/02/2021 | Hackers abuse Google Apps Script to steal credit cards, bypass CSP | Google Apps Script | Delivery and Exploitation | Cyber Crime |
| 18/02/2021 | New Silver Sparrow adware targeting Apple M1 Processors | AWS | Command and Control | Cyber Crime |
| 23/02/2021 | 10K Microsoft Email Users Hit in FedEx Phishing Attack | Google Firebase | Delivery and Exploitation | Cyber Crime |
| 23/02/2021 | Surge in ZLoader Attacks Observed | WeTransfer, Google Docs, Box | Delivery and Exploitation | Cyber Crime |
| 24/02/2021 | Cybercriminals Target QuickBooks Databases | Google Cloud, AWS | Data Exfiltration | Cyber Crime |
| 01/03/2021 | New Hancitor Campaign with fake DocuSign docs | Google Docs | Delivery and Exploitation | Cyber Crime |
| 01/03/2021 | Ticketcounter suffers a data breach affecting 1.9 million addresses stolen from an unsecured staging server on Azure | Microsoft Azure | Actions on Objective | Cyber Crime |
| 01/03/2021 | Researchers from Sonatype identify new npm "dependency confusion" packages named after repositories, namespaces or components used by popular companies such as Amazon, Zillow, Lyft, and Slack. | AWS, Slack | Actions on Objective | Cyber Crime |
| 04/03/2021 | Researchers from WMC Global discover a phishing campaign targeting users of Outlook Web Access and Office 365 services, relying on trusted domains such as SendGrid. | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 04/03/2021 | Researchers from Aqua Security discover a campaign exploiting the automated build processes of BitBucket and Docker Hub to mine cryptocurrency. | BitBucket | Actions on Objective | Cyber Crime |
| 09/03/2021 | Researchers from Check Point discover Clast82, a new dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. Google consequently removes 10 apps after 15,000 installs. | Google Firebase, GitHub | Delivery and Exploitation/Command and Control | Cyber Crime |
| 14/03/2021 | A new campaign distributes malware via a fake Telegram update. | BitBucket | Delivery and Exploitation | Cyber Crime |
| 16/03/2021 | A new campaign exploits the American Rescue Plan to deliver the Dridex trojan | Dropbox | Delivery and Exploitation | Cyber Crime |
| 19/03/2021 | New phishing campaign targets taxpayer credentials | Imgur | Delivery and Exploitation | Cyber Crime |
| 23/03/2021 | Researchers from Microsoft discover a new version of the Compact campaign abusing new legitimate services to bypass secure email gateways. | Google App Engine | Delivery and Exploitation | Cyber Crime |
| 23/03/2021 | Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis. | Microsoft Azure | Actions on Objective | Cyber Crime |
| 26/03/2021 | Researchers from Palo Alto Networks discover more than two dozen containers on Docker Hub, downloaded more than 20 million times and infected with malware for cryptojacking operations spanning at least two years. | >1 | Actions on Objective | Cyber Crime |
| 30/03/2021 | Private information of nearly 100 million users of the Indian mobile payments startup MobiKwik is leaked on the dark web | AWS | Actions on Objective | Cyber Crime |
| 01/04/2021 | New campaign distributing Hancitor via Google Docs. | Google Docs | Delivery and Exploitation | Cyber Crime |
| 02/04/2021 | GitHub Actions is currently being abused by attackers to mine cryptocurrency on GitHub's servers in an automated attack. | GitHub, GitLab | Delivery and Exploitation/Actions on Objective | Cyber Crime |
| 05/04/2021 | More_eggs backdoor distributed via LinkedIn, downloads the payload from AWS | AWS, LinkedIn | Delivery and Exploitation | Cyber Crime |
| 06/04/2021 | Researchers from ESET reveal the details of Janeleiro, a trojan focused on Brazil. | GitHub | Command and Control | Cyber Crime |
| 06/04/2021 | Researchers from Cado Security reveal the details of a cyber espionage campaign targeting political opponents in Palestine using voice changing software. | Google Drive | Delivery and Exploitation | Cyber Espionage |
| 08/04/2021 | Researchers from Zscaler reveal the details of a malicious Android app disguised as a fake TikTok app targeting users of the JIO carrier in India. | GitHub | Delivery and Exploitation | Cyber Crime |
| 11/04/2021 | Indian stock trading firm Upstox reveals to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers' personal information. | AWS | Actions on Objective | Cyber Crime |
| 13/04/2021 | More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening documents delivering a RAT via search redirection. | Google Sites | Delivery and Exploitation | Cyber Crime |
| 14/04/2021 | New campaign involving multiple infostealer RAT families and miner malware. | Pastebin | Delivery and Exploitation | Cyber Crime |
| 15/04/2021 | Several waves of a spam-driven campaign distributing BazarLoader via Slack and BaseCamp. | Slack, BaseCamp | Delivery and Exploitation | Cyber Crime |
| 21/04/2021 | A novel email-based campaign targets Bloomberg clients with RATs | Pastebin | Delivery and Exploitation | Cyber Crime |
| 22/04/2021 | Arid Viper, a group linked to the cyber arm of Hamas, targets government officials, student groups, and security forces. | Google Sites, Google Firebase | Delivery and Exploitation/Command and Control | Cyber Espionage |
| 22/04/2021 | Toxic Eye using Telegram as command and control. | Telegram | Command and Control | Cyber Crime |
| 26/04/2021 | Hacker dumps sensitive household records of 250M Americans | AWS | Actions on Objective | Cyber Crime |
| 04/05/2021 | Banking Trojan evolves from distribution through porn to phishing schemes | Google Docs | Command and Control | Cyber Crime |
| 11/05/2021 | Microsoft: Threat actors target aviation orgs with new malware | Pastebin | Delivery and Exploitation | Cyber Crime |
| 12/05/2021 | Trust Wallet, MetaMask crypto wallets targeted by new support scam | Google Docs | Delivery and Exploitation | Cyber Crime |
| 18/05/2021 | Unpatched servers in the free tiers of cloud computing platforms. 20/20 Eye Care Network and 20/20 Hearing Care Network | AWS | Actions on Objective | Cyber Crime |
| 07/06/2021 | First known malware targeting Windows containers | >1 | Actions on Objective | Cyber Crime |
| 09/06/2021 | Microsoft warns of an ongoing series of attacks compromising Kubernetes clusters | >1 | Actions on Objective | Cyber Crime |
| 10/06/2021 | Electronic Arts is hacked via a stolen Slack cookie. | Slack | Actions on Objective | Cyber Crime |
| 11/06/2021 | Microsoft discovers a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) | AWS | Delivery and Exploitation | Cyber Crime |
| 17/06/2021 | TA402 APT group (aka Molerats and GazaHackerTeam) is back after two months of silence and is targeting governments in the Middle East. | Google Apps Script, Dropbox, Pastebin | Delivery and Exploitation/Command and Control | Cyber Espionage |
| 17/06/2021 | New campaign abusing Google Docs to deliver phishing pages | Google Docs | Delivery and Exploitation | Cyber Crime |
| 29/06/2021 | New campaign from Aggah | Blogspot | Delivery and Exploitation | Cyber Espionage |
| 01/07/2021 | Chinese cyberspies target the Afghan National Security Council | Dropbox | Command and Control | Cyber Espionage |
| 20/07/2021 | Researchers from Intezer reveal that threat actors are abusing misconfigured Argo Workflows instances to deploy cryptocurrency miners on Kubernetes clusters. | Argo Workflows | Actions on Objective | Cyber Crime |
| 22/07/2021 | Researchers from Avanan reveal the details of a phishing campaign hosting the content on Milanote, an application described as the "Evernote for Creatives". | Milanote | Delivery and Exploitation | Cyber Crime |
| 28/07/2021 | Researchers from Proofpoint reveal the details of a new campaign carried out by the Iranian group Tortoiseshell to target employees and contractors working in defence and aerospace. | Microsoft OneDrive | Delivery and Exploitation | Cyber Espionage |
| 29/07/2021 | Security researchers from ThreatFabric reveal the details of Vultur, a novel piece of Android malware that uses VNC technology to record and broadcast a victim's smartphone activity. | Google Firebase | Command and Control | Cyber Crime |
| 31/07/2021 | Microsoft's Security Intelligence team issues an alert to Office 365 users and admins to be on the lookout for a "crafty" phishing email with spoofed sender addresses using phishing pages hosted on Google Cloud and Sharepoint. | Google App Engine, Microsoft Sharepoint | Delivery and Exploitation | Cyber Crime |
| 03/08/2021 | Researchers from Group-IB reveal the details of a series of campaigns carried out by two Chinese threat actors (TA428 and TaskMasters) targeting Russian government agencies. | Yandex Disk | Command and Control | Cyber Espionage |
| 09/08/2021 | Splunk spots malware targeting Windows Server on AWS to mine Monero | AWS | Actions on Objective | Cyber Crime |
| 27/08/2021 | Fake DMCA and DDoS complaints lead to BazaLoader malware | Google Drive | Delivery and Exploitation | Malware |
| 31/08/2021 | Researchers from Cisco Talos identify multiple campaigns distributing trojanized versions of the Honeygain proxyware. | Dropbox | Delivery and Exploitation | Cyber Crime |
| 16/09/2021 | Threat actors started actively exploiting the critical Azure OMIGOD vulnerabilities two days after Microsoft disclosed them during this month's Patch Tuesday. | Microsoft Azure | Actions on Objective | Cyber Crime |
| 17/09/2021 | Cryptocurrency launchpad hit by $3 million supply chain attack | GitHub | Actions on Objective | Cyber Crime |
| 17/09/2021 | Researchers from ESET reveal the details of Numando, a Trojan active in Brazil, Mexico, and Spain. | YouTube, Pastebin | Command and Control | Cyber Crime |
| 23/09/2021 | Researchers from Cisco Talos reveal the details of "Operation Armor Piercer", a series of malicious attacks targeting Indian government and military personnel using commercial remote access Trojans (RATs) such as Netwire and Warzone (AKA AveMaria). | Dropbox, Pastebin | Delivery and Exploitation | Cyber Espionage |
| 04/10/2021 | Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack | Pastebin | Delivery and Exploitation | Cyber Crime |
| 06/10/2021 | Researchers from Cybereason discover Operation GhostShell, a highly targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. | Dropbox | Command and Control | Cyber Espionage |
| 08/10/2021 | Researchers from Trend Micro discover a new version of a Linux crypto-mining malware previously used to target Docker containers in 2020, now focusing on Huawei Cloud. | Huawei Cloud | Actions on Objective | Cyber Crime |
| 11/10/2021 | Thingiverse, a website dedicated to sharing user-created digital design files, reportedly leaks a 36GB backup file that contains 228,000 unique email addresses and other personally identifiable information. | AWS | Actions on Objective | Cyber Crime |
| 13/10/2021 | Researchers from IBM X-Force reveal that the operators behind the infamous TrickBot malware (ITG23 and Wizard Spider) have resurfaced with new distribution channels to deliver malicious payloads, such as Conti ransomware. | Zoho | Delivery and Exploitation | Cyber Crime |
| 20/10/2021 | Researchers from Google Threat Analysis Group reveal that they have blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams. | Google Drive | Delivery and Exploitation | Cyber Crime |
| 21/10/2021 | Researchers from Ahnlab discover an ongoing malware distribution campaign targeting South Korea, disguising RATs as an adult game shared via webhards and torrents. | Discord | Delivery and Exploitation | Cyber Crime |
| 21/10/2021 | Researchers from Netskope discover a campaign distributing the Warzone RAT via Discord | Discord | Delivery and Exploitation | Cyber Crime |
| 26/10/2021 | Researchers at Qihoo 360 discover an ongoing Android spyware campaign targeting Israeli users since 2018. | Google Drive | Delivery and Exploitation | Cyber Crime |
| 26/10/2021 | Researchers from INKY discover a new phishing campaign in which threat actors manipulate the Craigslist email system to send fraudulent violation notifications, spreading malware. | Microsoft OneDrive | Delivery and Exploitation | Cyber Crime |
| 28/10/2021 | Researchers from Proofpoint discover a prolific cybercrime group using the popularity of the Netflix hit "Squid Game" to spread the Dridex malware. | Discord | Delivery and Exploitation | Cyber Crime |
| 02/11/2021 | Researchers from Malwarebytes discover an active phishing campaign promoted via Discord and targeting Steam gamers. | Discord | Delivery and Exploitation | Cyber Crime |
| 03/11/2021 | Stealthier version of Mekotio banking trojan spotted in the wild | Microsoft Azure | Delivery and Exploitation | Cyber Crime |
| 03/11/2021 | Researchers from Cisco Talos reveal the details of Tortilla, a new threat actor hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk ransomware. | Pastebin | Delivery and Exploitation | Cyber Crime |
| 04/11/2021 | Researchers from Cofense discover a new phishing campaign pretending to come from a supplier and infecting users with the MirCop ransomware. | Google Drive | Delivery and Exploitation | Cyber Crime |
| 04/11/2021 | Threat actors are exploiting a security flaw in GitLab self-hosted servers (CVE-2021-22205) to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second. | GitLab | Actions on Objective | Cyber Crime |
| 09/11/2021 | Researchers from Trend Micro discover a new campaign of TeamTNT targeting poorly configured Docker servers to mine cryptocurrency. | >1 | Actions on Objective | Cyber Crime |
| 11/11/2021 | Researchers from Sophos discover a new campaign abusing the Windows 10 App Installer to deploy the BazarLoader malware. | Azure, Google Cloud Storage | Delivery and Exploitation | Cyber Crime |
| 18/11/2021 | Researchers from SeclarityIO reveal that PerSwaysion, a widespread phishing campaign exploiting Microsoft Sway, SharePoint, and OneNote, is still active. | Microsoft Sway | Delivery and Exploitation | Cyber Crime |
| 22/11/2021 | An advisory published by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) reveals that an advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called 'Tardigrade'. | AWS | Command and Control | Cyber Crime |
| 23/11/2021 | Researchers from Morphisec discover a new malware campaign on Discord using the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities. | Discord | Delivery and Exploitation | Cyber Crime |
| 25/11/2021 | charts.dft.gov.uk, a UK Department for Transport (DfT) website, is caught serving porn. | AWS | Actions on Objective | Cyber Crime |
| 29/11/2021 | Researchers from Kaspersky reveal the details of the latest campaign of APT37 targeting South Korean journalists, defectors, and human rights activists with a new malware dubbed Chinotto. | Microsoft OneDrive | Delivery and Exploitation | Cyber Espionage |
| 05/12/2021 | Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware. | Google Drive | Delivery and Exploitation | Cyber Crime |
| 07/12/2021 | The Cerber ransomware is back, as a new ransomware family with the old name, and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities (respectively CVE-2021-26084 and CVE-2021-22205 for Confluence and GitLab). | Atlassian Confluence, BitBucket | Actions on Objective | Cyber Crime |
| 10/12/2021 | Researchers from Fortinet discover a new variant of the Agent Tesla malware distributed in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code. | BitBucket | Delivery and Exploitation | Cyber Crime |
| 15/12/2021 | Researchers from IBM X-Force reveal that the MuddyWater group is deploying a newly discovered backdoor named 'Aclip' that abuses the Slack API for covert communications, targeting an unnamed Asian airline. | Slack | Command and Control | Cyber Espionage |
| 17/12/2021 | Researchers from Yoroi discover a campaign from Aggah targeting multiple victims worldwide. | BitBucket | Delivery and Exploitation | Cyber Espionage |
| 21/12/2021 | Researchers from Cado Security discover a new version of the Abcbot botnet, targeting insecure cloud instances running under Cloud Service Providers such as Tencent, Baidu, Alibaba Cloud, and Huawei Cloud. | Alibaba, Huawei, Tencent, Baidu | Actions on Objective | Cyber Crime |
| 24/12/2021 | ONUS, one of the largest Vietnamese crypto trading platforms, suffers a cyber attack on its payment system running a vulnerable Log4j version. The threat actors approached ONUS to extort a $5 million sum. | | | |

well done