Cloud-Native Threats in 2022

This blog post lists the main cloud-native threats, that is those cyber events exploiting the cloud in one or more stage of the kill chain. I have collected the same information during 2020 and 2021.

The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data, or launch other attacks), Command and Control (the cloud service is exploited as a command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).

Below you will find an interactive timeline and some statistics on the collected sample.

Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation
03/01/2022	-	-	?	Over 100 real estate sites	A new campaign where compromises a cloud video hosting service to inject a web skimmer in over 100 real estate sites.	Malicious Script Injecttion	Real estate	CC	>1		Undisclosed Cloud Video Hosting Service	Delivery and Distribution
03/01/2022	27/10/2021	27/10/2021	?	Ravkoo	Ravkoo, a US Internet-based pharmacy service, discloses a data breach after the company's AWS hosted cloud prescription portal is involved in a security incident that may have led to personal and health information being accessed.	Unknown	Human health and social work	CC	US		AWS	Delivery and Distribution
06/01/2022	23/12/2021	23/12/2021	Uawrongteam	FlexBooker	Accounts of more than three million users of the U.S.-based FlexBooker appointment scheduling service have been stolen in an attack before the holidays and are now being traded on hacker forums.	Account Takeover	Administration and support service	CC	US		AWS	Actions on Objective
06/01/2022	Since December 2021	During December 2021	?	Multiple Organizations	Multiple campaigns leverage the comment feature in Google Docs, targeting primarily Outlook users, to distribute phishing pages and malware.	Malware	Multiple Industries	CC	>1		Google Docs	Delivery and Distribution
11/01/2022	-	-	APT35 (aka Charming Kitten, TA453, or Phosphorus)	Multiple Organizations	Researchers from Check Point reveal that the Iranian APT35 state-backed group has been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor called CharmPower.	CVE-2021-44228 Vulnerability	Multiple Industries	CE	>1		AWS	Command and Control
11/01/2022	Since the second half of 2021	-	SysJoker	Multiple organizations	A new multi-platform backdoor malware named 'SysJoker' targets Windows, Linux, and macOS with the ability to evade detection on all three operating systems.	Malware	Multiple Industries	CC	>1		Google Drive	Command and Control
12/01/2022	Since 26/10/2021	-	?	Multiple Organizations	A new campaign leveraging public cloud infrastructure, deploying the Nanocore, Netwire, and AsyncRAT payloads.	Malware	Multiple Industries	CC	>1		AWS, Azure	Delivery and Distribution
13/01/2022	Since December 2021	During December 2021	Multiple threat actors	Office 365 users	Multiple campaigns emerge where phishers are creating Adobe Creative Cloud accounts and using them to send phishing emails capable of thwarting traditional checks.	Account Takeover	Multiple Industries	CC	>1		Adobe Creative Cloud	Delivery and Distribution
15/01/2022	Since 13/01/2021	13/1/2022	?	Multiple organizations in Ukraine	Microsoft warns of destructive data-wiping malware, dubbed WhisperGate, disguised as ransomware being used in attacks against multiple organizations in Ukraine.	Malware	Multiple Industries	CW	UA		Discord	Delivery and Distribution
19/01/2022	-	-	?	Crypto Wallet users	A novel modular crypto-wallet stealing malware dubbed 'BHUNT' targets cryptocurrency wallet contents, passwords, and security phrases.	Malware	Fintech	CC	>1		Pastebin	Delivery and Distribution
20/01/2022	During December 2021	During December 2021	Molerats	Individuals in Palestine and Turkey	State-sponsored cyberattackers are using Google Drive, Dropbox and other legitimate services to drop spyware on Middle-Eastern targets and exfiltrate data.	Targeted Attack	Individuals	CE	PS TR		Google Drive, Dropbox	Delivery and Distribution, Command and Control
21/01/2022	-	-	?	"hundreds" of Office 365 customers	Microsoft warns that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails.	Account Takeover	Multiple Industries	CC	>1		Microsoft 365 Suite	Actions on Objective
24/01/2021	During December 2021	During December 2021	?	Multiple Organizations	Researchers from Netskope discover a campaign delivering multiple malware, such as AveMaria (a.k.a. Warzone) and AgentTesla, using Bitly to shorten URLs and different cloud services like MediaFire, Blogger, and GitHub to host the payloads.	Malware	Multiple Industries	CC	>1		MediaFire, Blogger, GitHub	Delivery and Distribution
25/01/2022	-	-	APT28 AKA Fancy Bear	High-ranking government and defense industry officials of a West Asian nation	Threat Actors from APT28 leverage Microsoft OneDrive services for command-and-control (C2) purposes in a sophisticated cyberespionage campaign aimed at high-ranking government and defense industry officials of a West Asian nation	Targeted Attack	Public Admin and defence, social security	CE	N/A		OneDrive	Command and Control
25/01/2022	Between July 27 and Dec. 1, 2021	Between July 27 and Dec. 1, 2021	Agent Tesla	Multiple Organizations	Researchers from Palo Alto observe a new surge of Agent Tesla and Dridex malware samples, dropped by Excel add-ins (XLL) and Office 4.0 macros.	Malware	Multiple Industries	CC	>1		Discord	Delivery and Distribution
26/01/2022	-	-	Dark Herring	Android users	Researchers from Zimperium reveal that more than 105 million Android users downloaded and installed the Dark Herring scamware from Google Play and third-party app stores.	Malware	Individual	CC	>1		AWS	Delivery and Distribution
27/01/2022	Beginning 18/01/2022	18/01/2022	?	Multiple Organizations	A new campaign named ‘OiVaVoii’, targets company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts.	Account Takeover	Multiple Industries	CC	>1		Microsoft 365 Suite	Actions on Objective
28/01/2022	18/01/2022	18/01/2022	Lazarus Group AKA Hidden Cobra	Multiple Organizations	A new campaign by the Lazarus Group uses spear phishing attacks weaponized with malicious documents that use fake job opportunities masquerading as the global security and aerospace giant Lockheed Martin.	Targeted Attack	Multiple Industries	CE	>1		GitHub	Command and Control
28/01/2022	-	22/01/2021	?	Indian Army	Researchers from Cyble reveal that threat actors are targeting the Indian Army by creating fake, malicious versions of legitimate apps, such as Armaan, used by military personnel.	Targeted Attack	Public admin and defence, social security	CE	IN		Pastebin	Command and Control
31/01/2022	-	-	Eternal Silence	Vulnerable UPnP routers	A malicious campaign known as 'Eternal Silence' abusing Universal Plug and Play (UPnP) turns routers woridwide into proxy servers used to launch malicious attacks while hiding the location of the threat actors.	CVE-2017-0144 and CVE-2017-7494 vulnerabilities	Multiple Industries	CC	>1		Undisclosed Cloud Storage Service	Actions on Objective
02/02/2022	-	-	?	Asian Cloud Service Providers	A new malware called CoinStomp targets vulnerable cloud instances to mine cryptocurrency	Misconfiguration	Professional, scientific and technical	CC	>1		Undisclosed cloud services	Actions on Objective
02/02/2022	Since October 2021	During October 2021	UpdateAgent	Multiple organizations	Researchers from Microsoft discover a new campaign carried out with the Mac malware UpdateAgent, distributing the Adload payload.	Malware	Multiple Industries	CC	>1		AWS	Delivery and Distribution
04/02/2022	During January 2021	During January 2021	During January 2021	News Corp	American media and publishing giant News Corp discloses that it was the target of a "persistent" cyberattack, which reportedly allowed threat actors to access emails and documents of some News Corp employees, including journalists.	Account Takeover	Information and communication	CE	US		Undisclosed cloud service	Actions on Objective
08/02/2022	From November 2021 until late January 2022	During late 2021	TA402 (AKA Molerats)	Governments in Middle East, foreign policy think tanks, and a state-owned airline	Researchers from Proofpoint discover a new campaign by the Palestinian APT group tracked as TA402 (AKA Molerats) using a new implant named 'NimbleMamba' in a cyber-espionage campaign.	Targeted Attack	Multiple Industries	CE	>1		Dropbox	Delivery and Distribution, Command and Control
09/02/2022	Starting from 27/01/2022	27/01/2022	?	Multiple Organizations	Researchers from HP reveal that threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing the RedLine stealer malware.	Malware	Multiple Industries	CC	>1		Discord	Delivery and Distribution
14/02/2022	"Recently"	"Recently"	?	Single individuals	Researchers from Fortinet discover a campaign carried out via an Excel spreadsheet that purports to contain information about NFTs, but distributing the BitRAT malware.	Malware	Individual	CC	>1		Discord	Delivery and Distribution
15/02/2022	Since at least 2017	-	TA2541	Organizations in the aviation, transportation, and travel space	Researchers from Proofpoint reveal that for years, a low-skilled attacker, possibly from Nigeria, has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.	Malware	Transportation and storage	CC	>1		Google Drive, OneDrive, Discord	Delivery and Distribution
16/02/2022	Since April 2018	-	OilRig, AKA APT34, Lyceum and Siamesekitten	Diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates	Researchers from ESET reveal the details of "Out to Sea", a campaign carried out by the Iran-linked APT group OilRig, targeting diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates.	Targeted Attack	Multiple Industries	CE	>1		OneDrive	Command and Control
17/02/2022	During January 2022	During January 2022	?	Multiple Organizations	Researchers from Avanan warn that some attackers are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation.	Malware	Multiple Industries	CC	>1		Microsoft Teams	Delivery and Distribution
17/02/2022	-	-	TunnelVision	Corporate networks in the Middle East and the United States	An Iranian-aligned hacking group tracked as TunnelVision was spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States.	Targeted Attack	Multiple Industries	CE	>1		Pastebin, GitHub	Delivery and Distribution
21/02/2022	-	-	?	Multiple organizations	Researchers from Ahnlab discover a new version of the CryptBot info stealer distributed via multiple websites that offer free downloads of cracks for games and pro-grade software.	Malware	Multiple Industries	CC	>1		AWS	Delivery and Distribution
26/02/2022	-	-	Lampion	Portuguese Internet users	A new version of the Lampion trojan targets users in Portugal	Malware	Finance	CC	PT		AWS	Delivery and Distribution
01/03/2022	During February 2022	During February 2022	?	Android users	The TeaBot banking trojan was spotted once again in Google Play Store where it posed as a QR code app and spread to more than 10,000 devices.	Malware	Finance	CC	>1		GitHub	Delivery and Distribution
07/03/2022	Since at least 2020	Early November 2021	TA416	European diplomatic entities, including an individual involved in refugee and migrant services	Researchers from Proofpoint identify ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services.	Malware	Public admin and defence, social security	CE	>1		Dropbox	Delivery and Distribution
22/03/2022	Late 2021	Late 2021	Storm Cloud	Multiple Organizations	Researchers from Volexity discover a previously unknown macOS malware variant called GIMMICK, which is believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud.'	Malware	Multiple Industries	CE	>1		Google Drive	Command and Control
29/03/2022	-	-	APT36, aka Transparent Tribe, Mythic Leopard	Indian Government	Researchers from Cisco Talos discover a new campaign from the hacking group tracked as APT36, using a new custom malware and entry vectors in attacks against the Indian government.	Targeted Attack	Public admin and defence, social security	CE	IN		Google Drive	Delivery and Distribution
29/03/2022	-	-	Multiple threat actors	Educational institutions in the United States, Europe and Australia	Researchers from Proofpoint discover a new campaign sending fake job emails to educational institutions in the United States, Europe and Australia.	Account Takeover	Multiple Industries	CC	>1		Google Forms	Delivery and Distribution
30/03/2022	-	-	?	Multiple organizations	A new phishing campaign abuses Microsoft Azure's Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials.	Account Takeover	Multiple Industries	CC	>1		Microsoft Azure	Delivery and Distribution
05/04/2022	-	-	?	Multiple organizations	Researchers from Cisco Talos discover new campaigns using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.	Malware	Multiple Industries	CC	>1		Microsoft OneDrive, Discord	Delivery and Distribution
06/04/2022	'Recently'	'Recently'	APT-C-23	Israeli individuals including a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations.	Cybereason recently discovered a new elaborate campaign targeting Israeli individuals, among them, a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations.	Targeted Attack	Public admin and defence, social security	CE	IL		Google Firebase	Command and Control
07/04/2022	-	-	?	Multiple organizations	Researchers from Cado Security discover Denonia, the first malware specifically developed to target Amazon Web Services (AWS) Lambda cloud environments with cryptominers.	Malware	Multiple Industries	CC	>1		AWS	Actions on Objective
12/04/2022	Early 2022	Early 2022	?	African Banking Sector	Researchers from HP discover a campaign targeting the African Banking Sector via the RemcosRAT.	Malware	Finance	CC	>1		Microsoft OneDrive, Dropbox	Delivery and Distribution
15/04/2022	12/04/2022	12/04/2022	?	Multiple organizations	GitHub reveals that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.	Account Takeover	Multiple Industries	CC	>1		GitHub	Actions on Objective
16/04/2022	22/03/2022 and 25/02/2022	-	OldGremlin	Organizations in Russia	Researchers from Group-IB discover two campaigns by the OldGremlin criminal group targeting organizations in Russia.	Malware	Multiple Industries	CC	RU		Dropbox	Delivery and Distribution
20/04/2022	During March 2022	-	?	Facebook users	Researchers at Abnormal Security reveal the detail of a phishing campaign leveraging the Facebook infrastructure.	Account Takeover	Individual	CC	>1		Facebook	Delivery and Distrbution
26/04/2022	Since at least one year	-	Lazarus Group	Users in South Korea	Researchers from Zscaler reveal the details of a campaign carried out by the North Korean Lazarus Froup, targeting users in South Korea using Naver-themed credential phishing.	Targeted Attack	Individual	CE	KR		Dropbox	Command and Control
26/04/2022	Between 04/04/2022 and 19/04/2022	Between 04/04/2022 and 19/04/2022	TA542	Multiple organizations	Researchers from Proofpoint identify a new low-volume Emotet campaign using Onedrive links to distribute the malicious payload.	Malware	Multiple Industries	CC	>1		Onedrive	Delivery and Distrbution
27/04/2022	'Recently'	'Recently'	?	Users applying for Thailand travel passes	Researchers from Zscaler discover a malware campaign targeting users applying for Thailand travel passes. The end payload of many of these attacks is AsyncRAT.	Malware	Individuals	CC	TH		AWS, OneDrive	Delivery and DIstribution
29/04/2022	SInce mid-January 2022	SInce mid-January 2022	APT29 AKA Cozy Bear or Nobelium	Diplomats and government entities	Researchers from Mandiant uncover a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities.	Targeted Attack	Public admin and defence, social security	CE	>1		Trello, Firebase, Dropbox	Delivery and Distribution
03/05/2022	During the last few weeks	During the last few weeks	COLDRIVER AKA Calisto	Government and defense officials, politicians, NGOs and think tanks, and journalists	Google's Threat Analysis Group reveals that the Russian threat actor Calisto is targeting government and defense officials, politicians, NGOs and think tanks, and journalists via phishing links directly in the email, linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive.	Targeted Attack	Multiple Industries	CE	>1		Google Drive, Microsoft OneDrive	Delivery and Distribution
18/05/2022	18/05/2022	18/05/2022	?	Collectors of NFTs	A compromised NFT Discord Server of Memeland, RTFKT, PROOF/Moonbirds and infrastructure company Cyberconnect is used to deliver phishing pages.	Account Takeover	Fintech	CC	>1		Discord	Delivery and Distribution
19/05/2022	During April 2022	During April 2022	?	Multiple organizations	Researchers from Zscaler discover a new collection of phishing domains offering up fake Windows 11 installers that actually deliver the Vidar information-stealing malware.	Malware	Multiple Industries	CC	>1		GitHub	Delivery and Distribution
19/05/2022	During December 2021	During December 2021	Dridex	Multiple organizations	Researchers from Palo Alto observe a new surge of Dridex malware samples, dropped by Excel add-ins (XLL) and Office 4.0 macros.	Malware	Multiple Industries	CC	>1		OneDrive, Discord	Delivery and Distribution
24/05/2022	At least since 22/05/2021	22/05/2021	?	Multiple organizations	The popular PyPI module 'ctx' that gets downloaded over 20,000 times a week is compromised in a software supply chain attack with malicious versions stealing the developer's environment variables, to collect secrets like Amazon AWS keys and credentials.	Malware	Multiple Industries	CC	>1		AWS	Actions on Objective
30/05/2022	-	-	?	Pegasus Airlines	Turkish flight operator Pegasus Airlines suffers a data breach after an AWS cloud storage bucket is reportedly left unprotected and there was unauthorized access to certain information held by carrier.	Misconfiguration	Transportation and storage	CC	TR		AWS	Actions on Objective
02/06/2022	Since March 2022	-	POLONIUM	Organizations in Israel	Researchers from Microsoft say they blocked a Lebanon-based hacking group tracked as Polonium from using the OneDrive cloud storage platform for data exfiltration and command and control while targeting and compromising Israeli organizations.	Targeted Attack	Multiple Industries	CE	IL		Microsoft OneDrive	Command and Control
02/06/2022	'Recently'	'Recently'	YourCyanide	Multiple organizations	Researchers from Trend Micro discover a ransomware variant, called YourCyanide.	Malware	Multiple Industries	CC	>1		Discord, Pastebin	Delivery and Distribution
04/06/2022	04/06/2022	04/06/2022	?	Cryptocurrency users	Attackers reportedly steal over $257,000 in Ethereum and thirty-two NFTs after the Yuga Lab's Bored Ape Yacht Club and Otherside Metaverse Discord servers are compromised to post a phishing scam.	Account Takeover	Fintech	CC	>1		Discord	Delivery and Distribution
08/06/2022	Since at least September 2021	During April-May 2022	?	Facebook users	Researchers from PIXM uncover a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements.	Account Takeover	Individual	CC	>1		Facebook	Delivery and Distribution
14/06/2022	-	-	?	Multiple organizations	Researchers from Resecurity identify a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft.	Account Takeover	Multiple Industries	CC	>1		Microsoft Azure	Delivery and Distribution
22/06/2022	'Recently'	'Recently'	Tropic Trooper	Multiple organizations	Researchers from Check Point discover a new campaign attributed to the Chinese "Tropic Trooper" group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan.	Targeted Attack	Multiple Industries	CE	>1		GitHub	Delivery and Distribution
23/06/2022	Since at least 13/06/2022	Between 13/06/2022 and 20/06/2022	?	Multiple organizations	Researchers from Sonatype discover multiple Python packages that exfiltrate AWS credentials and environment variables, and upload them to a publicly exposed endpoint.	Malware	Multiple Industries	CC	>1		AWS	Actions on Objective
23/06/2022	44734	44734	?	Fast Shop	Fast Shop, one of Brazil's largest retailers, has suffered an 'extortion' cyberattack that led to network disruption and the temporary closure of its online store.The threat actors claimed they were actively able to access the firm's databases on AWS, Azure, GitLab, and IBM cloud, stealing website/app source code and valuable user and corporate data.		Wholesale and retail	CC	Unknown		AWS, Microsoft Azure, GitLab	Actions on Objective
23/06/2022	Starting in May 2022	Early May 2022	?	individuals	Researchers from Avanan discover a campaign eploiting the domain of QuickBooks to send malicious invoices and request payments.	Account Takeover	Individual	CC	>1		QuickBooks	Delivery and Distribution
28/06/2022	During May 2022	-	?	Facebook users	Researchers from Trustwave discover a new phishing attack, using Facebook Messenger chatbots to impersonate the company's support team and steal credentials used to manage Facebook pages.	Account Takeover	Individual	CC	>1		Facebook	Delivery and Distribution
28/06/2022	-	-	?	Multiple organizations	Researchers from Avast discover an online community formed by teenagers, creating, exchanging, and spreading malware on the popular communication platform Discord.	Malware	Multiple Industries	CC	>1		Discord	Delivery and Distribution
29/06/2022	-	-	YTStealer	YouTube content creators	Researchers from Intezer reveal the details of YTStealer, a new information-stealing malware targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels.	Malware	Arts entertainment, recreation	CC	>1		YouTube	Actions on Objective
30/06/2022	-	-	PennyWise	Individuals	Researchers from Cyble discover Pennywise, an infostealer focused on stealing sensitive browser data and cryptocurrency wallets, distributed via YouTube videos.	Malware	Individual	CC	>1		YouTube	Delivery and Distribution
05/07/2022	Since at least 19/05/2022	19/05/2022	APT29 AKA Cozy Bear, NOBELIUM, The Duke	Multiple organizations	Researchers from Palo Alto discover a new campaign by the APT29 threat group, shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).	Targeted Attack	Multiple Industries	CE	>1		AWS	Command and Control
05/07/2022	-	-	Lazarus Group	Multiple organizations in Japan	The Japan CERT (JPCERT) discover a new version of the VSingle malware, used by the Lazarus Group, able to retrieve the C2 servers information from GitHub.	Malware	Multiple Industries	CE	JP		GitHub	Command and Control
07/07/2022	-	-	?	Multiple organizations	Researchers from Trend Micro reveal the details of a campaign targeting Azure Virtual Machines (VMs) and GitHub Actions (GHAs) to mine cryptocurrencies.	Misconfiguration	Multiple Industries	CC	>1		Azure, GitHub	Actions on Objective
07/07/2022	Since over a year	-	TA578	Multiple organizations	Website owners are targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware.	Malware	Multiple Industries	CC	>1		Yandex Forms	Delivery and Distribution
13/07/2022	Since December 2021	Since December 2021	?	Google Workspace and Microsoft 365 users	Researchers from Inky detect a new campaign where cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.	Account Takeover	Multiple Industries	CC	>1		QuickBooks	Delivery and Distribution
14/07/2022	Since February 2022	-	TA453 AKA Charming Kitten	Academics and policy experts working on Middle Eastern foreign affairs	Researchers from Proofpoint reveal the details of a campaign carried out by the Iranian group TA453, AKA Charming Kitten targeting academics and policy experts working on Middle Eastern foreign affairs.	Account Takeover	Information and communication	CE	>1		Dropbox	Delivery and Distribution
15/07/2022	-	-	WatchDog	Multiple organizations	Researchers from Lacework reveal the details of a cryptojacking campaign using steganography.	Malware	Multiple Industries	CC	>1		Alibaba Cloud	Actions on Objective
18/07/2022	Recently'	Recently'	Coper	Android users	Researches from Zscaler discover a new wave of infections in the Google Play store carried out via the Coper malware.	Malware	Individual	CC	>1		GitHub	Delivery and Distribution
18/07/2022	Over the last month	Over the last month	The 8220 Gang	Multiple organizations	Researchers from Sentinel One reveal the details of the latest campaign by the 8220 gang, exploiting Linux and cloud app vulnerabilities, such as Docker, Redis, Confluence, and Apache, to grow their botnet to more than 30,000 infected hosts.	Misconfiguration	Multiple Industries	CC	>1		AWS, Microsoft Azure, Google Cloud Platform	Actions on Objective
19/07/2022	'Recently'	'Recently'	COLDRIVER AKA Callisto	Government and defense officials, politicians, NGOs and think tanks, and journalists	Researchers from the Google's Threat Analysis Group (TAG) reveal that the Russian threat actor COLDRIVER continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists.	Account Takeover	Individual	CW	UA		Google Drive, Microsoft OneDrive	Delivery and Distribution
19/07/2022	Between early May and June 2022.	SInce May 2022	APT29 (aka Cozy Bear or Nobelium)	Western diplomatic missions and foreign embassies worldwide	Researchers from Palo Alto Networks reveal the details of a new campaign from APT29 leveraging Dropbox and Google Drive to evade detection.	Targeted Attack	Public Admin and defence, social security	CE	>1		Dropbox, Google Drive	Delivery and Distrbution (Dropbox), Command and Control (Google Drive)
19/07/2022	During April 2022	During April 2022	CloudMensis	MacOS users	Researchers from ESET reveal the details of CloudMensis, a mysterious spyware targeting MacOS users.	Malware	Multiple Industries	CE	>1		Dropbox, pCloud, Yandex Cloud	Delivery and Distrbution (pCloud), Command and Control (Dropbox, pCloud, Yandex Cloud)
21/07/2022	-	-	?	Multiple organizations	Researchers from Trend Micro identify a malicious campaign using the object storage service (OSS) of Alibaba Cloud (also known as Aliyun) for malware distribution and illicit cryptocurrency-mining activities	Misconfiguration	Multiple Industries	CC	>1		Alibaba Cloud	Actions on Objective
25/07/2022	Since at least 19/07/2022	UAC-0041	?	Individuals in Ukraine	The computer emergency response team of Ukraine CERT-UA discovers a campaign with malicious e-mails with the subject "Final payment" and an attachment of the same name in the form of a TGZ archive. The archive contains an EXE file classified as the RelicRace .NET downloader, designed to download, decode and run the RelicSource malicious .NET program in memory.	Malware	Individual	CE	UA		Microsoft OneDrive	Delivery and Distribution
26/07/2022	Since at least 2018	-	Vietnamese threat actors	Professionals on LinkedIn	Researchers from WithSecure reveal the details of a new phishing campaign codenamed 'Ducktail', targeting professionals on LinkedIn to take over Facebook business accounts that manage advertising for the company.	Account Takeover	Multiple Industries	CC	>1		Dropbox, iCloud, MediaFire	Delivery and Distribution
29/07/2022	End of 2021	-	DawDropper	Android users	Researchers from Trend Micro discover a new mobile malware campaign, dubbed DawDropper, and delivering four types of banking trojan: TeaBot, Octo, Hydra and Ermac.	Malware	Individual	CC	>1		Google Firebase (Command and Control), GitHub (Delivery and Distribution)	Google Firebase (Command and Control), GitHub (Delivery and Distribution)
01/08/2022	-	-	?	Users of the Atomic wallet	A fake website impersonating the official portal for the Atomic wallet, a popular decentralized wallet that also operates as a cryptocurrency exchange portal, is, in reality, distributing copies of the Mars Stealer information-stealing malware.	Malware	Fintech	CC	>1		Discord	Delivery and Distribution
02/08/2022	Since late 2021	-	Charming Kitten (AKA PHOSPHORUS, UNC788, Yellow Garuda)	Multiple organizations and individuals	Researchers from PWC discover a new campaign by the Iranian threat actor Charming Kitten using a new Telegram grabber tool and malicious macro-enabled Word documents.	Targeted Attack	Multiple Organizations	CE	>1		AWS, Azure	Delivery and Distribution
02/08/2022	'Recently'	'Recently'	SolidBit	League of Legend gamers	Researchers from Trend Micro discover a variant of the SolidBit ransomware targeting gamers of the popular League of Legend game.	Malware	Arts entertainment, recreation	CC	>1		GitHub	Delivery and Distribution
03/08/2022	-	-	?	Multiple organizations	Security researchers discover a massive attack carried out by cloning 35,000 GitHub repositories with malware-infected copies.	Malware	Multiple Industries	CC	>1		GitHub	Delivery and Distribution
04/08/2022	'Recently'	'Recently'	Ousaban	Banking users	Researchers from Netskope discover a new variant of the Ousaban financial malware that are abuse multiple cloud services throughout the attack flow.	Malware	Finance	CC	>1		AWS, Microsoft Azure, Pastebin	Command and Control (AWS and Microsoft Azure), Delivery and Distribution (Pastebin)
04/08/2022	Since at least February 2022	-	Lazarus Group	Employees in the fintech industry	A new social engineering campaign by the notorious North Korean Lazarus hacking group is discovered, with the hackers impersonating Coinbase to target employees in the fintech industry.	Malware	Fintech	CC	>1		GitHub	Command and Control
04/08/2022	During May 2022	During May 2022	?	Multiple organizations	Researchers from Avanan discover a new phishing campaign exploiting the popular app LucidChart to host phishing pages.	Account Takeover	Multiple Organizations	CC	>1		LucidChart	Delivery and Distribution
05/08/2022	During Q2 2022	During Q2 2022	APT36	Individuals in Afghanistan, India, Pakistan, UAE, and Saudi Arabia	Researchers from Meta reveal to have discovered and taken down a new campaign carried out by APT36 via a new malware called LazaSpy.	Malware	Individual	CE	AF IN PK AE SA		WeTransfer	Delivery and Distribution
09/08/2022	Throughout 2022	Throughout 2022	?	Crypto users	Researchers from Netskope discover a campaign where attackers have been creating phishing pages in Google Sites and Microsoft Azure Web App to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.	Account Takeover	Fintech	CC	>1		Google Sites, Microsoft Azure	Delivery and Distribution
11/08/2022	During April 2022	-	?	Best Buy Users	Researchers from Avanan discover a new phishing campaign spoofing Best Buy and using Google Cloud Storage to host the malicious infrastructure.	Account Takeover	Individual	CC	US		Google Cloud Storage	Delivery and Distribution
12/08/2022	-	-	?	Organizations in the Healthcare Sector	The Health Sector Cybersecurity Coordination Center (HC3) warns the healthcare sector of a new phishing scheme that lures recipients to an Evernote site containing a downloadable Trojan file that steals credentials.	Malware	Human health and social work	CC	US		Evernote	Delivery and Distribution
14/08/2022	13/08/2022	13/08/2022	devfather777	Russian Counter-Strike 1.6 server	Researchers from Checkmarx detect a large-scale attack on the Python ecosystem uploading 12 typosquatting packages to the PyPi repository, containing malware performing DDoS attacks on a Counter-Strike 1.6 server.	Malware	Arts entertainment, recreation	CC	RU		GitHub	Delivery and Distribution
15/08/2022	-	-	SEABORGIUM (AKA ColdRiver and TA446)	People and organizations in NATO countries	The Microsoft Threat Intelligence Center (MSTIC) announces to have disrupted a hacking and social engineering operation linked to a Russian threat actor tracked as SEABORGIUM targeting people and organizations in NATO countries.	Targeted Attack	Multiple Industries	CE	>1		Microsoft OneDrive	Delivery and Distribution
16/08/2022	SInce 01/08/2022	-	scarycoder	Single Individuals	Researchers from Snyk discover a dozen malicious PyPi packages installing malware that modifies the Discord client to become an information-sealing backdoor and stealing data from web browsers and Roblox.	Malware	Individual	CC	>1		Discord	Delivery and Distribution
17/08/2022	Since at least 2015	-	DarkTortilla	Multiple organizations	Researchers from Secureworks' Counter Threat Unit (CTU) expose DarkTortills, a highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads like AgentTesla, AsyncRat, NanoCore, and RedLine, Cobalt Strike and Metasploit.	Malware	Multiple Industries	CC	>1		Pastebin	Delivery and Distribution
18/08/2022	End of July 2022	-	?	Multiple organizations	Researchers from Avanan discover a wave of phishing campaigns hosting the phishing pages on AWS.	Account Takeover	Multiple Industries	CC	>1		AWS	Delivery and Distribution
18/08/2022	-	-	APT29 AKA Cozy Bear	NATo countries	Researchers from Mandiant reveal that the Russian cyber espionage group APT29 (Cozy Bear) is targeting Microsoft 365 accounts of NATO countries, disabling 'Advanced Audit' to go undetected.	Targeted Attack	Public admin and defence, social security	CE	>1		Microsoft Azure	Command and Control
18/08/2022	Since June 2022	-	Grandoreiro	Chemicals manufacturer in Spain and automotive and machinery makers in Mexico	Researchers from Zscaler discover a new campaign of the Grandoreiro banking trojan, targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico.	Malware	Manufacturing	CC	ES MX		Microsoft Azure	Delivery and Distribution
24/08/2022	During August 2022	During August 2022	?	Dozens of organizations worldwide	Researchers from Cofense discover an elaborate and rather unusual phishing campaign spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.	Account Takeover	Multiple Industries	CC	>1		Microsoft Dynamics 365	Delivery and Distribution
25/08/2022	Since early 2022	-	Kimsuky (AKA Thallium, Black Banshee and Velvet Chollima)	Political and diplomatic entities in South Korea	Researchers from Kaspersky discover GoldDragon, a new campaign by the North Korean nation-state group Kimusky directed against political and diplomatic entities located in its Southern counterpart.	Targeted Attack	Public admin and defence, social security	CE	KR		Blogger	Delivery and Distribution
Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation

Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, for the latest updates.

SUPPORT MY WORK!

October 2022 Cyber Attacks Statistics
After the cyber attacks timelines, it’s time to publish the statistics of October 2022 where I have collected and analyzed...
2020 Cyber Attacks Statistics
As promised, I have pulled together some statistics from the data collected in 2020. The master table is available at the end of the post after the charts.
The Biggest Data Breaches of 2021
With this new project I am going to track the biggest data breaches of 2021 extracted from my cyber attack timelines.
16-31 October 2022 Cyber Attacks Timeline
In the second timeline of October, I have collected 130 events (corresponding to 8.13 events/day), a noticeable drop compared to the 144 of the previous timeline. I wonder if...
The Biggest Data Breaches of 2022
Similarly to what I have done in 2021, I am collecting all the mega breaches (with more than 1 million records leaked). The information is derived from the cyber attacks timelines...