This blog post lists the main cloud-native threats, that is, cyber events that exploit a cloud service in one or more stages of the kill chain. I collected the same information for 2020 and 2021.
The campaigns are classified into four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Below you will find an interactive timeline and some statistics on the collected sample.
Motivation codes: CC = Cyber Crime, CE = Cyber Espionage (Cyber Warfare is written out). A Geo value of ">1" marks campaigns spanning more than one country.

| Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Motivation | Geo | Exploited Service | Attack Class | Link |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 03/01/2022 | - | - | ? | Over 100 real estate sites | A new campaign compromises a cloud video hosting service to inject a web skimmer into over 100 real estate sites. | Malicious Script Injection | Real estate | CC | >1 | Undisclosed Cloud Video Hosting Service | Delivery and Distribution | |
| 03/01/2022 | 27/10/2021 | 27/10/2021 | ? | Ravkoo | Ravkoo, a US Internet-based pharmacy service, discloses a data breach after the company's AWS-hosted cloud prescription portal is involved in a security incident that may have led to personal and health information being accessed. | Unknown | Human health and social work | CC | US | AWS | Delivery and Distribution | |
| 06/01/2022 | 23/12/2021 | 23/12/2021 | Uawrongteam | FlexBooker | Accounts of more than three million users of the U.S.-based FlexBooker appointment scheduling service have been stolen in an attack before the holidays and are now being traded on hacker forums. | Account Takeover | Administration and support service | CC | US | AWS | Actions on Objective | |
| 06/01/2022 | Since December 2021 | During December 2021 | ? | Multiple Organizations | Multiple campaigns leverage the comment feature in Google Docs, targeting primarily Outlook users, to distribute phishing pages and malware. | Malware | Multiple Industries | CC | >1 | Google Docs | Delivery and Distribution | |
| 11/01/2022 | - | - | APT35 (aka Charming Kitten, TA453, or Phosphorus) | Multiple Organizations | Researchers from Check Point reveal that the Iranian state-backed group APT35 has been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor called CharmPower. | CVE-2021-44228 Vulnerability | Multiple Industries | CE | >1 | AWS | Command and Control | |
| 11/01/2022 | Since the second half of 2021 | - | SysJoker | Multiple organizations | A new multi-platform backdoor malware named 'SysJoker' targets Windows, Linux, and macOS with the ability to evade detection on all three operating systems. | Malware | Multiple Industries | CC | >1 | Google Drive | Command and Control | |
| 12/01/2022 | Since 26/10/2021 | - | ? | Multiple Organizations | A new campaign leverages public cloud infrastructure to deploy the Nanocore, Netwire, and AsyncRAT payloads. | Malware | Multiple Industries | CC | >1 | AWS, Azure | Delivery and Distribution | |
| 13/01/2022 | Since December 2021 | During December 2021 | Multiple threat actors | Office 365 users | Multiple campaigns emerge in which phishers create Adobe Creative Cloud accounts and use them to send phishing emails capable of thwarting traditional checks. | Account Takeover | Multiple Industries | CC | >1 | Adobe Creative Cloud | Delivery and Distribution | |
| 15/01/2022 | Since 13/01/2021 | 13/01/2022 | ? | Multiple organizations in Ukraine | Microsoft warns of destructive data-wiping malware, dubbed WhisperGate, disguised as ransomware and used in attacks against multiple organizations in Ukraine. | Malware | Multiple Industries | Cyber Warfare | UA | Discord | Delivery and Distribution | |
| 19/01/2022 | - | - | ? | Crypto Wallet users | A novel modular crypto-wallet-stealing malware dubbed 'BHUNT' targets cryptocurrency wallet contents, passwords, and security phrases. | Malware | Fintech | CC | >1 | Pastebin | Delivery and Distribution | |
| 20/01/2022 | During December 2021 | During December 2021 | Molerats | Individuals in Palestine and Turkey | State-sponsored cyberattackers are using Google Drive, Dropbox and other legitimate services to drop spyware on Middle-Eastern targets and exfiltrate data. | Targeted Attack | Individuals | CE | PS, TR | Google Drive, Dropbox | Delivery and Distribution, Command and Control | |
| 21/01/2022 | - | - | ? | "hundreds" of Office 365 customers | Microsoft warns that Office 365 customers are receiving phishing emails that aim to trick them into granting OAuth permissions to a bogus app that then lets attackers read and write emails. | Account Takeover | Multiple Industries | CC | >1 | Microsoft 365 Suite | Actions on Objective | |
| 24/01/2021 | During December 2021 | During December 2021 | ? | Multiple Organizations | Researchers from Netskope discover a campaign delivering multiple malware families, such as AveMaria (a.k.a. Warzone) and AgentTesla, using Bitly to shorten URLs and cloud services such as MediaFire, Blogger, and GitHub to host the payloads. | Malware | Multiple Industries | CC | >1 | MediaFire, Blogger, GitHub | Delivery and Distribution | |
| 25/01/2022 | - | - | APT28 AKA Fancy Bear | High-ranking government and defense industry officials of a West Asian nation | Threat actors from APT28 leverage Microsoft OneDrive services for command-and-control (C2) purposes in a sophisticated cyberespionage campaign aimed at high-ranking government and defense industry officials of a West Asian nation. | Targeted Attack | Public Admin and Defense | CE | N/A | OneDrive | Command and Control | |
| 26/01/2022 | - | - | Dark Herring | Android users | Researchers from Zimperium reveal that more than 105 million Android users downloaded and installed the Dark Herring scamware from Google Play and third-party app stores. | Malware | Individual | CC | >1 | AWS | Delivery and Distribution | |
| 27/01/2022 | Beginning 18/01/2022 | 18/01/2022 | ? | Multiple Organizations | A new campaign named 'OiVaVoii' targets company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts. | Account Takeover | Multiple Industries | CC | >1 | Microsoft 365 Suite | Actions on Objective | |
| 28/01/2022 | 18/01/2022 | 18/01/2022 | Lazarus Group AKA Hidden Cobra | Multiple Organizations | A new campaign by the Lazarus Group uses spear-phishing attacks weaponized with malicious documents that offer fake job opportunities and masquerade as the global security and aerospace giant Lockheed Martin. | Targeted Attack | Multiple Industries | CE | >1 | GitHub | Command and Control | |
| 28/01/2022 | - | 22/01/2021 | ? | Indian Army | Researchers from Cyble reveal that threat actors are targeting the Indian Army by creating fake, malicious versions of legitimate apps, such as Armaan, used by military personnel. | Targeted Attack | Public admin and defence, social security | CE | IN | Pastebin | Command and Control | |
| 31/01/2022 | - | - | Eternal Silence | Vulnerable UPnP routers | A malicious campaign known as 'Eternal Silence', abusing Universal Plug and Play (UPnP), turns routers worldwide into proxy servers used to launch malicious attacks while hiding the location of the threat actors. | CVE-2017-0144 and CVE-2017-7494 vulnerabilities | Multiple Industries | CC | >1 | Undisclosed Cloud Storage Service | Actions on Objective | |
| 02/02/2022 | - | - | ? | Asian Cloud Service Providers | A new malware called CoinStomp targets vulnerable cloud instances to mine cryptocurrency. | Misconfiguration | Professional, scientific and technical | CC | >1 | Undisclosed cloud services | Actions on Objective | |
| 02/02/2022 | Since October 2021 | During October 2021 | UpdateAgent | Multiple organizations | Researchers from Microsoft discover a new campaign carried out with the Mac malware UpdateAgent, distributing the Adload payload. | Malware | Multiple Industries | CC | >1 | AWS | Delivery and Distribution | |
| 04/02/2022 | During January 2021 | During January 2021 | During January 2021 | News Corp | American media and publishing giant News Corp discloses that it was the target of a "persistent" cyberattack, which reportedly allowed threat actors to access emails and documents of some News Corp employees, including journalists. | Account Takeover | Information and communication | CE | US | Undisclosed cloud service | Actions on Objective | |
| 08/02/2022 | From November 2021 until late January 2022 | During late 2021 | TA402 (AKA Molerats) | Governments in the Middle East, foreign policy think tanks, and a state-owned airline | Researchers from Proofpoint discover a new campaign by the Palestinian APT group tracked as TA402 (AKA Molerats), using a new implant named 'NimbleMamba' in a cyber-espionage campaign. | Targeted Attack | Multiple Industries | CE | >1 | Dropbox | Delivery and Distribution, Command and Control | |
| 09/02/2022 | Starting from 27/01/2022 | 27/01/2022 | ? | Multiple targets | Researchers from HP reveal that threat actors have started distributing fake Windows 11 upgrade installers to Windows 10 users, tricking them into downloading and executing the RedLine stealer malware. | Malware | Multiple Industries | CC | >1 | Discord | Delivery and Distribution | |
| 14/02/2022 | "Recently" | "Recently" | ? | Single individuals | Researchers from Fortinet discover a campaign carried out via an Excel spreadsheet that purports to contain information about NFTs but distributes the BitRAT malware. | Malware | Individual | CC | >1 | Discord | Delivery and Distribution | |
| 15/02/2022 | Since at least 2017 | - | TA2541 | Organizations in the aviation, transportation, and travel space | Researchers from Proofpoint reveal that for years a low-skilled attacker, possibly from Nigeria, has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector and other sensitive industries. | Malware | Transportation and storage | CC | >1 | Google Drive, OneDrive, Discord | Delivery and Distribution | |
| 16/02/2022 | Since April 2018 | - | OilRig, AKA APT34, Lyceum and Siamesekitten | Diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates | Researchers from ESET reveal the details of "Out to Sea", a campaign carried out by the Iran-linked APT group OilRig targeting diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates. | Targeted Attack | Multiple Industries | CE | >1 | OneDrive | Command and Control | |
| 17/02/2022 | During January 2022 | During January 2022 | ? | Multiple Organizations | Researchers from Avanan warn that some attackers are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation. | Malware | Multiple Industries | CC | >1 | Microsoft Teams | Delivery and Distribution | |
| 17/02/2022 | - | - | TunnelVision | Corporate networks in the Middle East and the United States | An Iranian-aligned hacking group tracked as TunnelVision is spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States. | Targeted Attack | Multiple Industries | CE | >1 | Pastebin, GitHub | Delivery and Distribution | |
| 21/02/2022 | - | - | ? | Multiple organizations | Researchers from AhnLab discover a new version of the CryptBot info stealer distributed via multiple websites offering free downloads of cracks for games and pro-grade software. | Malware | Multiple Industries | CC | >1 | AWS | Delivery and Distribution | |
| 26/02/2022 | - | - | Lampion | Portuguese Internet users | A new version of the Lampion trojan targets users in Portugal. | Malware | Finance | CC | PT | AWS | Delivery and Distribution | |
| 01/03/2022 | During February 2022 | During February 2022 | ? | Android users | The TeaBot banking trojan is spotted once again in the Google Play Store, where it posed as a QR code app and spread to more than 10,000 devices. | Malware | Finance | CC | >1 | GitHub | Delivery and Distribution | |
| 07/03/2022 | Since at least 2020 | Early November 2021 | TA416 | European diplomatic entities, including an individual involved in refugee and migrant services | Researchers from Proofpoint identify ongoing activity by the China-aligned APT actor TA416, in which the group targets European diplomatic entities, including an individual involved in refugee and migrant services. | Malware | Public admin and defence, social security | CE | >1 | Dropbox | Delivery and Distribution | |
| 22/03/2022 | Late 2021 | Late 2021 | Storm Cloud | Multiple targets | Researchers from Volexity discover a previously unknown macOS malware variant called GIMMICK, believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud'. | Malware | Multiple Industries | CE | >1 | Google Drive | Command and Control | |
| 29/03/2022 | - | - | APT36, aka Transparent Tribe, Mythic Leopard | Indian Government | Researchers from Cisco Talos discover a new campaign from the hacking group tracked as APT36, using new custom malware and entry vectors in attacks against the Indian government. | Targeted Attack | Public admin and defence, social security | CE | IN | Google Drive | Delivery and Distribution | |
| 29/03/2022 | - | - | Multiple threat actors | Educational institutions in the United States, Europe and Australia | Researchers from Proofpoint discover a new campaign sending fake job emails to educational institutions in the United States, Europe and Australia. | Account Takeover | Multiple Industries | CC | >1 | Google Forms | Delivery and Distribution | |
| 30/03/2022 | - | - | ? | Multiple organizations | A new phishing campaign abuses Microsoft Azure's Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. | Account Takeover | Multiple Industries | CC | >1 | Microsoft Azure | Delivery and Distribution | |
| 05/04/2022 | - | - | ? | Multiple organizations | Researchers from Cisco Talos discover new campaigns using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. | Malware | Multiple Industries | CC | >1 | Microsoft OneDrive, Discord | Delivery and Distribution | |
| 06/04/2022 | 'Recently' | 'Recently' | APT-C-23 | Israeli individuals, including a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations | Cybereason discovers a new elaborate campaign targeting Israeli individuals, among them a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations. | Targeted Attack | Public admin and defence, social security | CE | IL | Google Firebase | Command and Control | |
| 07/04/2022 | - | - | ? | Multiple organizations | Researchers from Cado Security discover Denonia, the first malware specifically developed to target Amazon Web Services (AWS) Lambda cloud environments with cryptominers. | Malware | Multiple Industries | CC | >1 | AWS | Actions on Objective | |
| 12/04/2022 | Early 2022 | Early 2022 | ? | African Banking Sector | Researchers from HP discover a campaign targeting the African banking sector via RemcosRAT. | Malware | Finance | CC | >1 | Microsoft OneDrive, Dropbox | Delivery and Distribution | |
| 15/04/2022 | 12/04/2022 | 12/04/2022 | ? | Multiple organizations | GitHub reveals that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories. | Account Takeover | Multiple Industries | CC | >1 | GitHub | Actions on Objective | |
| 16/04/2022 | 22/03/2022 and 25/02/2022 | - | OldGremlin | Organizations in Russia | Researchers from Group-IB discover two campaigns by the OldGremlin criminal group targeting organizations in Russia. | Malware | Multiple Industries | CC | RU | Dropbox | Delivery and Distribution | |
| 27/04/2022 | 'Recently' | 'Recently' | ? | Users applying for Thailand travel passes | Researchers from Zscaler discover a malware campaign targeting users applying for Thailand travel passes; the end payload of many of these attacks is AsyncRAT. | Malware | Individuals | CC | TH | AWS, OneDrive | Delivery and Distribution | |
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don't forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.