As in 2022, 2021, and 2020, I am listing the cyber attacks documented in OSINT sources that exploited a cloud service in one or more stages of the attack chain.
The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or to launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Below you will find some statistics and a table with detailed information on the attacks.
[Charts (data not available in this copy): Cloud-Native Threats 2023 - Top Exploited Cloud Services; Top Exploitation Purposes; Motivations; Top Exploited Services: Delivery; Top Exploited Services: Command and Control; Top Exploited Services: Actions on Objective; Top Exploited Services: Data Exfiltration; Top Exploited Services: Cyber Crime; Top Exploited Services: Cyber Espionage]
| Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Geo | Link | Exploited Service | Motivation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | For the last few months | - | APT-C-36 AKA Blind Eagle | Organizations in Colombia | Researchers from Check Point discover a new campaign using a modified version of QuasarRAT against Colombia-based organizations. | Malware | Multiple Industries | Cyber Crime | CO | | MediaFire | Delivery and Distribution |
| | Since early 2020 | 'Recently' | Vidar | Multiple organizations | Researchers from Sekoia discover a massive campaign using over 1,300 domains to impersonate the official AnyDesk site for pushing the Vidar information-stealing malware. | Malware | Multiple Industries | Cyber Crime | >1 | | Dropbox, GitHub | Delivery and Distribution |
| | Since at least early December 2022 | Early December 2022 | ? | Organizations in Italy | Researchers from Uptycs discover a new campaign targeting users in Italy, delivering targeted phishing emails disguised as invoices and designed to deploy an information stealer on compromised Windows systems. | Malware | Multiple Industries | Cyber Crime | IT | | Dropbox, GitHub | Delivery and Distribution |
| | 'Recently' | 'Recently' | ? | Organizations in South Korea | Researchers at Ahnlab discover a campaign distributing the Orcus RAT on file-sharing sites disguised as a cracked version of Hangul Word Processor. | Malware | Multiple Industries | Cyber Crime | KR | | Google Docs | Delivery and Distribution |
| | During November 2022 | During November 2022 | ? | Undisclosed retailer | Researchers from IBM X-Force discover a PoS malware using Discord as the command and control infrastructure. | Malware | Wholesale and Retail | Cyber Crime | N/A | | Discord | Command and Control |
| | - | - | Earth Boogle | Organizations across the Middle East and North Africa | Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi), infecting victims across the Middle East and North Africa. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | | Discord, Microsoft OneDrive | Delivery and Distribution |
| | Since at least September 2022 | During September 2022 | Roaming Mantis (AKA Shaoye) | Multiple organizations | Researchers from Kaspersky reveal that the Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware, to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices. | Malware | Multiple Industries | Cyber Crime | >1 | | Google Docs, YouTube | Command and Control |
| | 'Recently' | 'Recently' | 8220 | Multiple organizations | The for-profit Chinese threat group 8220 Gang is observed targeting cloud service providers and poorly secured apps, using a cryptominer and an IRC botnet to churn financial advantage out of public cloud infrastructure. | Misconfigurations | Multiple Industries | Cyber Crime | >1 | | Pastebin, Git | Delivery and Distribution |
| | 'Recently' | 'Recently' | Album stealer | Facebook users | Researchers from Zscaler discover Album stealer, targeting Facebook adult-only content seekers. | | | | | | | |
| | | | | | Researchers from Blackberry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country. | Targeted Attack | Public admin and defence, social security | Cyber Espionage | UA | | Telegram | Command and Control |
| | 'Recently' | 'Recently' | DragonSpark | Organizations in East Asia | Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as 'DragonSpark' employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | | AWS | Delivery and Distribution |
| | Since at least November 2021 | During November 2021 | GuLoader | E-commerce industry located in South Korea and the United States | Researchers at Trellix discover a GuLoader campaign targeting e-commerce industries located in South Korea and the United States, distributing the malware via NSIS files. | Malware | Wholesale and retail | Cyber Crime | KR, US | | Google Drive | Delivery and Distribution |
| | Since August 2022 | - | PY#RATION | Multiple organizations | Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities. | Malware | Multiple Industries | Cyber Crime | >1 | | Google Drive, Dropbox | Delivery and Distribution |
| | Between 06/12/2024 and 27/12/2023 | 6/12/2022 | ? | Multiple organizations | Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email. | Account Takeover | Multiple Industries | Cyber Crime | >1 | | Microsoft Office 365 Suite | Actions on Objective |
| | 'Recently' | 'Recently' | ? | Multiple organizations | Researchers at Fortinet discover a new campaign aimed at cryptojacking systems to mine Monero (XMR) cryptocurrency. | Malware | Multiple Industries | Cyber Crime | >1 | | Microsoft OneDrive | Delivery and Distribution |
| | Since at least September 2022 | During September 2022 | ? | Online gaming and gambling companies | Researchers at Security Joes discover that unknown attackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that the researchers have named IceBreaker. | Malware | Arts entertainment, recreation | Cyber Crime | N/A | | Dropbox | Delivery and Distribution |
| | Since 26/02/2023 | 30/01/2023 | Trexon | Multiple organizations | Researchers from Fortinet discover a new attack in a PyPI package (Python Package Index) called "web3-essential". | Malware | Multiple Industries | Cyber Crime | >1 | | Discord | Delivery and Distribution |
| | Between 27/01/2023 and 29/01/2023 | - | ? | Multiple organizations | Researchers at Fortinet discover five malicious packages on the Python Package Index (PyPI) containing the W4SP Stealer, which steals passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. | Malware | Multiple Industries | Cyber Crime | >1 | | Discord | Delivery and Distribution |
| | 30/01/2023 and 31/01/2023 | 30/1/2023 | ? | Multiple organizations | Researchers from SentinelOne discover a new phishing campaign targeting Amazon Web Services (AWS) logins and abusing Google Ads to inject phishing sites into Google Search. | Malvertising | Multiple Industries | Cyber Crime | >1 | | Blogger | Delivery and Distribution |
| | Since at least May 2022 | Between August 2022 and January 2023 | ? | Chinese-speaking individuals in Southeast and East Asia | Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines. | Malware | Individual | Cyber Crime | CN, HK, ID, JP, MY, MM, PH, SG, TH, TW | | Alibaba Cloud | Delivery and Distribution |
| | - | - | WIP26 | Telecommunication providers in the Middle East | Researchers at SentinelOne discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East. | Targeted Attack | Information and Communication | Cyber Espionage | >1 | | Azure, Dropbox, Google Firebase, Microsoft 365 Mail | Delivery and Distribution, Command and Control |
| | Since January 2022 | During January 2022 | Earth Yako | Researchers in the academic sector and think tanks | Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan. | Targeted Attack | Education | Cyber Espionage | JP | | Dropbox, GitHub | Command and Control |
| | 02/12/2022 | 04/12/2022 | ? | Activision | Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text. | Account Takeover | Arts entertainment, recreation | Cyber Crime | US | | Slack | Actions on Objective |
| | 27/01/2023 | 31/01/2023 | 'Portugal' and 'Brazil' | Multiple organizations | Researchers from Fortinet discover another 0-day attack in PyPI (Python Package Index) packages by the malware authors 'Portugal' and 'Brazil', who published the packages 'xhttpsp' and 'httpssp'. | Malware | Multiple Industries | Cyber Crime | >1 | | Discord, Telegram | Data Exfiltration |
| | - | - | ? | Government entities | Researchers from Menlo Security uncover an unknown threat actor leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. | Malware | Public admin and defence, social security | Cyber Crime | N/A | | Discord | Delivery and Distribution |
| | 25/02/2023 | 25/02/2023 | ? | Multiple organizations | Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages. | Malware | Multiple Industries | Cyber Crime | >1 | | Dropbox | Delivery and Distribution |
| | Between 12/08/2022 and 26/10/2022 | - | ? | LastPass | LastPass discloses more information on a "coordinated second attack," in which a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months. | Account Takeover | Professional, scientific and technical | Cyber Crime | US | | AWS | Actions on Objective |
| | 'Recently' | 'Recently' | SCARLETEEL | Undisclosed organization | Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. | Misconfiguration | Unknown | Cyber Crime | N/A | | AWS | Actions on Objective |
| | - | - | ? | Targets in the hospitality sector | Researchers from Trend Micro discover a campaign targeting the hospitality sector and using Dropbox to release the malicious file. | Malware | Accommodation and food service | Cyber Crime | >1 | | Dropbox | Delivery and Distribution |
| | Since January 2023 | 'Recently' | Mustang Panda | Government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine | Researchers from ESET reveal that the Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year. | Targeted Attack | Public admin and defence, social security | Cyber Espionage | TW, UA | | GitHub | Delivery and Distribution |
| | - | - | ? | Eastern European institutions and businesses | Researchers from SentinelOne discover phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses. | Malware | Multiple Industries | Cyber Crime | >1 | | Microsoft OneDrive, Google Drive | Delivery and Distribution |
| | - | - | Exotic Lily, aka PROJECTOR LIBRA and TA580 | Multiple organizations | Researchers from ReliaQuest discover a new campaign by the Initial Access Broker Exotic Lily. | Malware | Multiple Industries | Cyber Crime | >1 | | Microsoft OneDrive, WeTransfer | Delivery and Distribution |
| | Since November 2022 | Since November 2022 | ? | Multiple organizations | Researchers from CloudSEK reveal that threat actors have been increasingly observed using AI-generated YouTube videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. | Malware | Multiple Industries | Cyber Crime | >1 | | YouTube | Delivery and Distribution |
| | - | - | ? | Multiple organizations | Researchers from Avast reveal that cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute the RedLine info-stealing malware to unsuspecting users. | Malware | Multiple Industries | Cyber Crime | >1 | | Adobe Acrobat Sign | Delivery and Distribution |
| | Since early March 2023 | During March 2023 | Ursnif | Italian taxpayers | Italian taxpayers are the targets of a campaign distributing the Ursnif malware via fake notifications from the Italian Revenue Agency (Agenzia delle Entrate). | Malware | Individual | Cyber Crime | IT | | Google Firebase | Delivery and Distribution |
| | Since at least September 2021 | During October 2022 | Bad Magic (state-sponsored threat actor) | Government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions | Researchers from Kaspersky discover a campaign targeting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions via a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic. | Targeted Attack | Multiple Industries | Cyber Espionage | UA | | Dropbox, OneDrive | Command and Control |
| | 'Recently' | 'Recently' | ? | Municipal government organization | InQuest Labs analysts detect a phishing attack discovered by a municipal government organization, with the phishing pages hosted on Raven and Microsoft Azure. | Account Takeover | Public admin and defence, social security | Cyber Crime | N/A | | Microsoft Azure, Raven | Delivery and Distribution |
| | - | - | ? | At least 1600 individuals across Europe, the US and other countries | Researchers from Kaspersky discover a novel phishing scam relying on legitimate servers of Microsoft's collaborative platform SharePoint, targeting at least 1600 individuals across Europe, the US and other countries using a native notification mechanism. | Account Takeover | Individual | Cyber Crime | >1 | | Microsoft SharePoint | Delivery and Distribution |
| | Between 02/01/2022 and 10/01/2022 | During January 2022 | ? | University of the People (UoPeople) | The University of the People (UoPeople) files a notice of data breach after learning that an unauthorized party was able to access confidential information stored on the school's SharePoint platform. | Unknown | Education | Cyber Crime | US | | Microsoft SharePoint | Actions on Objective |
| | - | - | ? | Individuals | Researchers from Uptycs discover a new info-stealing malware named MacStealer, targeting Mac users and stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files. | Malware | Individual | Cyber Crime | >1 | | Telegram | Command and Control |
| | 22/12/2022 | 22/12/2022 | ? | Nonstop Administration and Insurance Services (NAIS) | Nonstop Administration and Insurance Services (NAIS) announces that the protected health information of employees of its clients has been exposed to an unknown party, who claimed to have accessed company data. | Account Takeover | Administration and support service | Cyber Crime | US | | Unknown | Actions on Objective |
| | - | - | North Korean state-backed hacking group? (Labyrinth Chollima AKA Lazarus Group, Covellite, UNC4034, Zinc, Nickel Academy) | Multiple organizations | A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | | GitHub | Delivery and Distribution |
| | - | - | ? | Multiple organizations | Researchers from SentinelOne reveal the details of 'AlienFox', a new modular toolkit allowing threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services. | Misconfiguration | Multiple Industries | Cyber Crime | >1 | | >1 | Actions on Objective |
| | During October 2022 | During October 2022 | APT41 AKA HOODOO | Taiwanese media organization | Researchers from Google discover a campaign carried out by the Chinese threat actor APT41 targeting a Taiwanese media organization. | Malware | Information and Communication | Cyber Espionage | TW | | Google Drive | Delivery and Distribution |
| | During Q4 2022 | During Q4 2022 | Ursnif | Multiple organizations | Researchers from Google's Mandiant observe a campaign distributing the URSNIF banking trojan from Google Drive. | Malware | Multiple Industries | Cyber Crime | >1 | | Google Drive | Delivery and Distribution |
| | During Q4 2022 | During Q4 2022 | Diceloader | Multiple organizations | Researchers from Google's Mandiant observe a campaign distributing the DICELOADER malware from Google Drive. | Malware | Multiple Industries | Cyber Crime | >1 | | Google Drive | Delivery and Distribution |
| | Since at least 17/03/2023 | 17/03/2023 | ? | Taxpayers in the U.S. | eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. | Malicious Script Injection | Individual | Cyber Crime | US | | AWS | Delivery and Distribution |
| | Since at least 03/04/2023 | 03/04/2023 | ? | YouTube users | YouTube warns users of a new phishing scam that has been using authentic email addresses to lure users into giving away their login credentials. | Account Takeover | Individual | Cyber Crime | >1 | | Google Drive | Delivery and Distribution |
| | During late 2022 | During late 2022 | ARCHIPELAGO | Government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. | Researchers from Google warn of the North Korea-linked ARCHIPELAGO (a subset of the APT43 group) targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea, the US and elsewhere. | Targeted Attack | Individual | Cyber Espionage | KR, US | | Microsoft OneDrive | Delivery and Distribution |
| | - | - | ? | Taxpayers in the U.S. | Researchers from Avanan discover a series of campaigns exploiting QuickBooks to harvest credentials. | Account Takeover | Individual | Cyber Crime | US | | QuickBooks | Delivery and Distribution |
| | - | - | MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084) | Multiple organizations | Researchers from Microsoft reveal that the Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084 have been observed launching destructive cyberattacks disguised as ransomware against on-prem and cloud infrastructures. | Multiple vulnerabilities | Multiple Industries | Cyber Crime | >1 | | Microsoft Azure | Actions on Objective |
| | Since November 2022 | Since November 2022 | FusionCore | Multiple organizations | Researchers from Cyfirma discover a new cybercrime group, dubbed FusionCore, specialized in offering Malware-as-a-Service (MaaS) and other hacking services. | Malware | Multiple Industries | Cyber Crime | >1 | | Telegram | Command and Control |
| | During March 2023 | During March 2023 | ? | Multiple organizations in Spain | Researchers from Sonatype discover reverse-shell, a PyPI package malware-as-a-service for the Spanish market. | Malware | Multiple Industries | Cyber Crime | ES | | GitHub | Delivery and Distribution |
| | From 14/09/2022 to 08/11/2022 | 09/11/2022 | ? | Two Rivers Public Health Department | Two Rivers Public Health Department confirms that the protected health information of 15,168 patients was stored in an employee Office365 account that was accessed by an unauthorized third party. | Account Takeover | Public admin and defence, social security | Cyber Crime | US | | Microsoft Outlook | Actions on Objective |
| | - | - | ? | Multiple organizations | Researchers from Uptycs identify a new variant of credential-stealing malware, dubbed Zaraza (Russian word for infection), using Telegram as its command and control and targeting a large number of web browsers. | Malware | Multiple Industries | Cyber Crime | >1 | | Telegram | Command and Control |
| | Since the summer of 2022 | Since the summer of 2022 | ? | Senior individuals | Researchers from Malwarebytes detect a specific malvertising campaign via Google Ads aimed at seniors, where the actor creates hundreds of fake websites via the Weebly platform to host decoy content that fools search engines and crawlers while redirecting victims to a fake computer alert. | Scam | Individual | Cyber Crime | >1 | | Weebly | Delivery and Distribution |
| | - | - | RedLine Stealer | Multiple organizations | Researchers from ESET temporarily disrupt the operations of the RedLine Stealer with the help of GitHub, which was used as a dead drop resolver. | Malware | Multiple Industries | Cyber Crime | >1 | | GitHub | Command and Control |
| | During March 2023 | During March 2023 | APT-C-36 AKA Blind Eagle | Multiple organizations | Researchers from ThreatMon discover a new campaign by the cyber espionage actor tracked as Blind Eagle using a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems. | Targeted Attack | Multiple Industries | Cyber Espionage | EC, ES, CL, CO | | Discord | Delivery and Distribution |
| | During fall of 2022 | During fall of 2022 | MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084) | Multiple organizations | Researchers from Group-IB discover a new campaign by the Iranian government-sponsored threat actor known as MuddyWater, using the legitimate SimpleHelp remote support software tool to achieve persistence on victim devices. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | | Dropbox, OneDrive, OneHub | Delivery and Distribution |
| | Since at least March 2023 | During March 2023 | Lazarus Group (AKA Labyrinth Chollima, Covellite, UNC4034, Zinc, Nickel Academy) | People working in software or DeFi platforms | Researchers from ESET discover a new Lazarus campaign considered part of "Operation DreamJob" (AKA Nukesped), targeting Linux users with malware for the first time. | Targeted Attack | Professional, scientific and technical | Cyber Espionage | >1 | | OpenDrive | Delivery and Distribution |
| | 'Recently' | 'Recently' | DoNot APT | Individuals residing in Kashmir | Researchers from Cyfirma discover a new campaign by the DoNot APT group targeting individuals residing in Kashmir via two malware strains delivered through fake WhatsApp applications. | Targeted Attack | Individual | Cyber Espionage | IN | | Google Firebase | Command and Control |
| | Since 2022 | 'Recently' | AresLoader | Multiple organizations using Citrix | Researchers from Cyble discover a new loader called AresLoader that has been used to spread several types of malware families. | Malware | Multiple Industries | Cyber Crime | >1 | | GitLab | Delivery and Distribution |
| | During 2022 | During 2022 | ScarCruft APT group (aka APT37, Reaper, and Group123) | Korean-speaking individuals | Researchers from Check Point reveal the details of a new campaign by the Korea-linked ScarCruft APT group (aka APT37, Reaper, and Group123) delivering the ROKRAT and Amadey payloads. | Targeted Attack | Individual | Cyber Espionage | KR | | Dropbox, pCloud, Yandex Cloud, and OneDrive | Command and Control |
| | Since late January 2023 | Late January 2023 | Threat actors from Vietnam | Individuals | Researchers from Facebook discover a new information-stealing malware distributed on Meta called 'NodeStealer', allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts. | Malware | Individual | Cyber Crime | >1 | | Facebook | Delivery and Distribution |
| | - | - | DuckTail | Individuals | Researchers from Meta discover a new version of the DuckTail malware exploiting multiple cloud services to host the malicious payload. | Malware | Individual | Cyber Crime | >1 | | Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, Trello | Delivery and Distribution |
| | - | - | Kimsuky | Think tanks, research universities, and government entities in the United States, Europe, and Asia | Researchers from Sentinel Labs reveal that the North Korean group Kimsuky has been observed employing a new version of its reconnaissance malware, now called 'ReconShark', in an ongoing cyberespionage campaign with a global reach. | Targeted Attack | Multiple Industries | Cyber Espionage | >1 | | Microsoft OneDrive | Delivery and Distribution |
| | 08/05/2023 | 08/05/2023 | BlackBasta? | Dragos | Industrial cybersecurity company Dragos discloses what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. | Account Takeover | Professional, scientific and technical | Cyber Crime | US | | Microsoft SharePoint | Actions on Objective |
Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, or Mastodon for the latest updates.