Similarly to what I did in 2022, 2021, and 2020, I am listing the cyber attacks whose details are available via OSINT and which exploited the cloud in one or more stages of the attack chain.
The campaigns are classified into four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Below you will find some statistics and a table with detailed information on the attacks.
[Chart: Cloud-Native Threats 2023 - Top Exploited Cloud Services]
[Chart: Cloud-Native Threats 2023 - Top Exploitation Purposes]
[Chart: Cloud-Native Threats 2023 - Motivations]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Delivery]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Command and Control]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Actions on Objective]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Data Exfiltration]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Cyber Crime]
[Chart: Cloud-Native Threats 2023 - Top Exploited Services: Cyber Espionage]
| Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Geo | Exploited Service | Motivation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 05/01/2023 | For the last few months | - | APT-C-36 AKA Blind Eagle | Organizations in Colombia | Researchers from Check Point discover a new campaign using a modified version of QuasarRAT against Colombia-based organizations. | Malware | Multiple Industries | Cyber Crime | CO | Mediafire | Delivery and Distribution |
| 06/01/2023 | Since early 2020 | 'Recently' | Vidar | Multiple organizations | Researchers from Sekoia discover a massive campaign using over 1,300 domains to impersonate the official AnyDesk site for pushing the Vidar information-stealing malware. | Malware | Multiple Industries | Cyber Crime | >1 | Dropbox, GitHub | Delivery and Distribution |
| 06/01/2023 | Since at least early December 2022 | Early December 2022 | ? | Organizations in Italy | Researchers from Uptycs discover a new campaign targeting users in Italy and delivering phishing emails disguised as invoices, designed to deploy an information stealer on compromised Windows systems. | Malware | Multiple Industries | Cyber Crime | IT | Dropbox, GitHub | Delivery and Distribution |
| 13/01/2022 | 'Recently' | 'Recently' | ? | Organizations in South Korea | Researchers at Ahnlab discover a campaign distributing the Orcus RAT on file-sharing sites disguised as a cracked version of Hangul Word Processor. | Malware | Multiple Industries | Cyber Crime | KR | Google Docs | Delivery and Distribution |
| 17/01/2023 | During November 2022 | During November 2022 | ? | Undisclosed retailer | Researchers from IBM X-Force discover a PoS malware using Discord as the command and control infrastructure. | Malware | Wholesale and Retail | Cyber Crime | N/A | Discord | Command and Control |
| 17/01/2023 | - | - | Earth Boogle | Organizations across the Middle East and North Africa | Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi), infecting victims across the Middle East and North Africa. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | Discord, Microsoft OneDrive | Delivery and Distribution |
| 19/01/2023 | Since at least September 2022 | During September 2022 | Roaming Mantis (AKA Shaoye) | Multiple organizations | Researchers from Kaspersky reveal that the Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware, to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices. | Malware | Multiple Industries | Cyber Crime | >1 | Google Docs, YouTube | Command and Control |
| 19/01/2023 | 'Recently' | 'Recently' | 8220 | Multiple organizations | The for-profit Chinese threat group 8220 Gang is observed targeting cloud service providers and poorly secured apps, using a cryptominer and an IRC botnet to churn financial advantage out of public cloud infrastructure. | Misconfigurations | Multiple Industries | Cyber Crime | >1 | Pastebin, Git | Delivery and Distribution |
| 20/01/2023 | 'Recently' | 'Recently' | Album stealer | Facebook users | Researchers from Zscaler discover Album stealer, targeting Facebook adult-only content seekers. | | | | | | |
| | | | | | Researchers from Blackberry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike the military and law enforcement sectors in Ukraine. | Targeted Attack | Public admin and defence, social security | Cyber Espionage | UA | Telegram | Command and Control |
| 24/01/2023 | 'Recently' | 'Recently' | DragonSpark | Organizations in East Asia | Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as 'DragonSpark' employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | AWS | Delivery and Distribution |
| 24/01/2023 | Since at least November 2021 | During November 2021 | GuLoader | E-commerce industry in South Korea and the United States | Researchers at Trellix discover a GuLoader campaign targeting the e-commerce industry in South Korea and the United States and distributing the malware via NSIS files. | Malware | Wholesale and retail | Cyber Crime | KR, US | Google Drive | Delivery and Distribution |
| 25/01/2023 | Since August 2022 | - | PY#RATION | Multiple organizations | Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities. | Malware | Multiple Industries | Cyber Crime | >1 | Google Drive, Dropbox | Delivery and Distribution |
| 31/01/2023 | Between 06/12/2024 and 27/12/2023 | 6/12/2022 | ? | Multiple organizations | Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts used to create malicious OAuth applications that breached organizations' cloud environments to steal email. | Account Takeover | Multiple Industries | Cyber Crime | >1 | Microsoft Office 365 Suite | Actions on Objective |
| 31/01/2023 | 'Recently' | 'Recently' | ? | Multiple organizations | Researchers at Fortinet discover a new campaign aimed at cryptojacking systems to mine Monero (XMR) cryptocurrency. | Malware | Multiple Industries | Cyber Crime | >1 | Microsoft OneDrive | Delivery and Distribution |
| 01/02/2023 | Since at least September 2022 | During September 2022 | ? | Online gaming and gambling companies | Researchers at Security Joes discover that unknown attackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor, which the researchers have named IceBreaker. | Malware | Arts entertainment, recreation | Cyber Crime | N/A | Dropbox | Delivery and Distribution |
| 02/02/2023 | Since 26/02/2023 | 30/01/2023 | Trexon | Multiple organizations | Researchers from Fortinet discover a new attack in a PyPI (Python Package Index) package called "web3-essential". | Malware | Multiple Industries | Cyber Crime | >1 | Discord | Delivery and Distribution |
| 08/02/2023 | Between 27/01/2023 and 29/01/2023 | - | ? | Multiple organizations | Researchers at Fortinet discover five malicious packages on the Python Package Index (PyPI) containing the W4SP Stealer, which steals passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. | Malware | Multiple Industries | Cyber Crime | >1 | Discord | Delivery and Distribution |
| 09/02/2023 | 30/01/2023 and 31/01/2023 | 30/1/2023 | ? | Multiple organizations | Researchers from SentinelOne discover a new phishing campaign targeting Amazon Web Services (AWS) logins and abusing Google Ads to inject phishing sites into Google Search. | Malvertising | Multiple Industries | Cyber Crime | >1 | Blogger | Delivery and Distribution |
| 16/02/2023 | Since at least May 2022 | Between August 2022 and January 2023 | ? | Chinese-speaking individuals in Southeast and East Asia | Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines. | Malware | Individual | Cyber Crime | CN, HK, ID, JP, MY, MM, PH, SG, TH, TW | Alibaba Cloud | Delivery and Distribution |
| 16/02/2023 | - | - | WIP26 | Telecommunication providers in the Middle East | Researchers at SentinelOne discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East. | Targeted Attack | Information and Communication | Cyber Espionage | >1 | Azure, Dropbox, Google Firebase, Microsoft 365 Mail | Delivery and Distribution, Command and Control |
| 16/02/2023 | Since January 2022 | During January 2022 | Earth Yako | Researchers in the academic sector and think tanks | Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan. | Targeted Attack | Education | Cyber Espionage | JP | Dropbox, GitHub | Command and Control |
| 20/02/2023 | 02/12/2022 | 04/12/2022 | ? | Activision | Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text. | Account Takeover | Arts entertainment, recreation | Cyber Crime | US | Slack | Actions on Objective |
| 20/02/2023 | 27/01/2023 | 31/01/2023 | 'Portugal' and 'Brazil' | Multiple organizations | Researchers from Fortinet discover another 0-day attack in PyPI (Python Package Index) packages by the malware authors 'Portugal' and 'Brazil', who published the packages 'xhttpsp' and 'httpssp'. | Malware | Multiple Industries | Cyber Crime | >1 | Discord, Telegram | Ex |
| 23/02/2023 | - | - | ? | Government entities | Researchers from Menlo Security uncover an unknown threat actor running an evasive campaign, distributed via Discord, that features the PureCrypter downloader and targets government entities. | Malware | Public admin and defence, social security | Cyber Crime | N/A | Discord | Delivery and Distribution |
| 26/02/2023 | 25/02/2023 | 25/02/2023 | ? | Multiple organizations | Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages. | Malware | Multiple Industries | Cyber Crime | >1 | Dropbox | Delivery and Distribution |
| 27/02/2023 | Between 12/08/2022 and 26/10/2022 | - | ? | LastPass | LastPass discloses more information on a "coordinated second attack", in which a threat actor accessed and stole data from the company's Amazon AWS cloud storage for over two months. | Account Takeover | Professional, scientific and technical | Cyber Crime | US | AWS | Actions on Objective |
| 28/02/2023 | 'Recently' | 'Recently' | SCARLETEEL | Undisclosed organization | Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. | Misconfiguration | Unknown | Cyber Crime | N/A | AWS | Actions on Objective |
| 02/03/2023 | Since January 2023 | 'Recently' | Mustang Panda | Government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine | Researchers from ESET reveal that the Chinese cyber espionage group Mustang Panda has been deploying a new custom backdoor named 'MQsTTang' in attacks starting this year. | Targeted Attack | Public admin and defence, social security | Cyber Espionage | TW, UA | GitHub | Delivery and Distribution |
| 06/03/2023 | - | - | ? | Eastern European institutions and businesses | Researchers from SentinelOne discover phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses. | Malware | Multiple Industries | Cyber Crime | >1 | Microsoft OneDrive, Google Drive | Delivery and Distribution |
| 15/03/2023 | - | - | ? | Multiple organizations | Researchers from Avast reveal that cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute the RedLine info-stealing malware to unsuspecting users. | Malware | Multiple Industries | Cyber Crime | >1 | Adobe Acrobat Sign | Delivery and Distribution |
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don't forget to follow @paulsparrows on Twitter, or connect on LinkedIn or Mastodon for the latest updates.