Cloud-Native Threats in 2023

Last modified: March 25, 2023

Similarly to what I have done in 2022, 2021, and 2020, I am listing those cyber attacks, whose information is available via OSINT, which exploited the cloud in one or more stages of the attack chain.

The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data, or launch other attacks), Command and Control (the cloud service is exploited as a command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).

Below you will find some statistics and a table with detailed information on the attacks.

Cloud-Native Threats 2023 - Top Exploited Cloud Services

Cloud-Native Threats 2023 - Top Exploitation Purposes

Cloud-Native Threats 2023 - Motivations

Cloud-Native Threats 2023 - Top Exploited Services: Delivery

Cloud-Native Threats 2023 - Top Exploited Services: Command and Control

Cloud-Native Threats 2023 - Top Exploited Services: Actions on Objective

Cloud-Native Threats 2023 - Top Exploited Services: Data Exfiltration

Cloud-Native Threats 2023 - Top Exploited Services: Cyber Crime

Cloud-Native Threats 2023 - Top Exploited Services: Cyber Espionage

Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation
05/01/2023	For the last few months''	-	APT-C-36 AKA Blind Eagle	Organizations in Colombia	Researchers from Check Point discover a new campaign using a modified version of QuasarRAT against Colombia based organizations.	Malware	Multiple Industries	Cyber Crime	CO		Mediafire	Delivery and Distribution
06/01/2023	Since early 2020	Recently'	Vidar	Multiple organizations	Researchers from Sekoia discover a massive campaign using over 1,300 domains to impersonate the official AnyDesk site for pushing the Vidar information-stealing malware.	Malware	Multiple Industries	Cyber Crime	>1		Dropbox, GitHub	Delivery and Distribution
06/01/2023	Since at least early December 2022	Early December 2022	?	Organizations in Italy	Researchers from Uptycs discover a new campaign targeting users in Italy, and delivering targeting phishing emails disguised as invoices, designed to deploy an information stealer on compromised Windows systems.	Malware	Multiple Industries	Cyber Crime	IT		Dropbox, GitHub	Delivery and Distribution
13/01/2022	Recently'	Recently'	?	Organizations in South Korea	Researchers at Ahnlab discover a campaign distributing the Orcus RAT on file-sharing sites disguised as a cracked version of Hangul Word Processor.	Malware	Multiple Industries	Cyber Crime	KR		Google Docs	Delivery and Distribution
17/01/2023	During November 2022	During November 2022	?	Undisclosed retailer	Researchers from IBM X-Force discover a PoS malware using Discord as the command and control infrastructure.	Malware	Wholesal and Retail	Cyber Crime	N/A		Discord	Command and Control
17/01/2023	-	-	Earth Boogle	Organizations across the Middle East and North Africa	Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) has been spotted infecting victims across the Middle East and North Africa.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		Discord, Microsoft OneDrive	Delivery and Distribution
19/01/2023	Since at last September 2022	During September 2022	Roaming Mantis (AKA Shaoye)	Multiple organizations	Researchers from Kaspersky reveal that Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.	Malware	Multiple Industries	Cyber Crime	>1		Google Docs, YouTube	Command and Control
19/01/2023	'Recently'	'Recently'	8220	Multiple organizations	The for-profit Chinese threat group, 8220 Gang, is observed targeting cloud service providers and poorly secured apps. The group was observed using a cryptominer and IRC botnet to churn financial advantage out of public cloud infrastructure.	Misconfigurations	Multiple Industries	Cyber Crime	>1		Pastebin, Git	Delivery and Distribution
20/01/2023	Recently'	Recently'	Album stealer	Facebook users	Researchers from Zscaler discover Album stealer, targeting Facebook adult-only content seekers.	Malware	Individual	Cyber Crime	>1		Microsoft Onedrive	Delivery and Distribution
20/01/2023	Since February 2022	Since February 2022	Gamaredon (AKA Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa)	Military and law enforcement sectors in Ukraine	Researchers from Blackberry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	UA		Telegram	Command and Control
24/01/2023	'Recently'	'Recently'	DragonSpark	Organizations in East Asia	Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as ‘DragonSpark’ employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		AWS	Delivery and Distribution
24/01/2023	Since at least November 2021	During November 2021	GuLoader	e-commerce industry located in South Korea and the United States	Researchers at Trellix discover a GuLoader campaign targeting e-commerce industries located in South Korea and the United States, and distributing the malware via NSIS files.	Malware	Wholesale and retail	Cyber Crime	KR US		Google Drive	Delivery and Distribution
25/01/2023	Since August 2022	-	PY#RATION	Multiple organizations	Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities.	Malware	Multiple Industries	Cyber Crime	>1		Google Drive, Dropbox	Delivery and Distribution
31/01/2023	Between 06/12/2024 and 27/12/2023	6/12/2022	?	Multiple organizations	Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email.	Account Takeover	Multiple Industries	Cyber Crime	>1		Microsoft Office 365 Suite	Actions on Objective
31/01/2023	Recently'	Recently'	?	Multiple organizations	Researchers at Fortinet discover a new campaign aimed to cryptojack systems to mine for Monero (XMR) cryptocurrency.	Malware	Multiple Industries	Cyber Crime	>1		Microsoft Onedrive	Delivery and Distribution
01/02/2023	Since at least September 2022	During September 2022	?	Online gaming and gambling companies	Researchers at Security Joe discover that unknown attackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.	Malware	Arts entertainment, recreation	Cyber Crime	N/A		Dropbox	Delivery and Distribution
02/02/2023	Since 26/02/2023	30/01/2023	Trexon	Multiple organizations	Researchers from Fortinet discover a new attack in a PyPI package (Python Package Index) called “web3-essential”.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delivery and Distribution
08/02/2023	Between 27/01/2023 and 29/01/2023	-	?	Multiple organizations	Researchers at Fortinet discover five malicious packages on the Python Package Index (PyPI) containing the W4SP Stealer, stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delivery and Distribution
09/02/2023	30/01/2023 and 31/01/2023	30/1/2023	?	Multiple organizations	Researchers from Sentinel One discover a new phishing campaign targeting Amazon Web Services (AWS) logins and abusing Google ads to inject phishing sites into Google Search.	Malvertising	Multiple Industries	Cyber Crime	>1		Blogger	Delivery and Distribution
16/02/2023	Since at lest May 2022	Between August 2022 and January 2023	?	Chinese-speaking individuals in Southeast and East Asia	Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines.	Malware	Individual	Cyber Crime	CN HK ID JP MY MM PH SG TH TW		Alibaba Cloud	Delivery and Distribution
16/02/2023	-	-	WIP26	Telecommunication providers in the Middle East	Researchers at Sentinel One discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East.	Targeted Attack	Information and Communication	Cyber Espionage	>1		Azure, Dropbox, Google Firebase, Microsoft 365 Mail	Delivery and Distribution Command and Control
16/02/2023	Since January 2022	During January 2022	Earth Yako	Researchers in the academic sector and think tanks	Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan.	Targeted Attack	Education	Cyber Espionage	JP		Dropbox, GitHub	Command and Control
20/02/2023	02/12/2022	04/12/2022	?	Activision	Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text.	Account Takeover	Arts entertainment, recreation	Cyber Crime	US		Slack	Actions on Objective
20/02/2023	27/01/2023	31/01/2023	‘Portugal’ and ‘Brazil’	Multiple organizations	Researcehers from Fortinet discover another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’.	Malware	Multiple Industries	Cyber Crime	>1		Discord, Telegram	Ex
23/02/2023	-	-	?	Government entities	Researchers from Menlo Security uncover an unknown threat actor leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targeting government entities.	Malware	Public admin and defence, social security	Cyber Crime	N/A		Discord	Delivery and Distribution
26/02/2023	25/02/2023	25/02/2023	?	Multiple organizations	Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages.	Malware	Multiple Industries	Cyber Crime	>1		Dropbox	Delivery and Distribution
27/02/2023	Between 12/08/2022 and 26/10/2022	-	?	LastPass	LastPass discloses more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.	Account Takeover	Professional, scientific and technical	Cyber Crime	US		AWS	Actions on Objective
28/02/2023	'Recently'	'Recently'	SCARLETEEL	Undisclosed organization	Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.	Misconfiguration	Unknown	Cyber Crime	N/A		AWS	Actions on Objective
02/03/2023	Since January 2023	'Recently'	Mustang Panda	Government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine.	Researchers from ESET reveal that the Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	TW UA		GitHub	Delivery and Distribution
06/03/2023	-	-	?	Eastern European institutions and businesses	Researchers from SentinelOne discover phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses.	Malware	Multiple Industries	Cyber Crime	>1		Microsoft OneDrive, Google Drive	Delivery and Distribution
15/03/2023	-	-	?	Multiple organizations	Researchers from Avast reveal that cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute the redline info-stealing malware to unsuspecting users.	Malware	Multiple Industries	Cyber Crime	>1		Adobe Acrobat Sign	Delivery and Distribution
Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation

Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, or Mastodon for the latest updates.

SUPPORT MY WORK!

2022 Cyber Attacks Statistics
And finally I have aggregated all the data collected in 2022 from the cyber attacks timelines. In the past year I have collected 3074 events...
Leaky Buckets in 2022
Similarly to what I have done in 2021, I am now collecting the incidents due to cloud misconfigurations and leading to the exposure of data.
The Biggest Data Breaches of 2021
With this new project I am going to track the biggest data breaches of 2021 extracted from my cyber attack timelines.
2020 Cyber Attacks Statistics
As promised, I have pulled together some statistics from the data collected in 2020. The master table is available at the end of the post after the charts.
Cloud-Native Threats in 2021
I am starting a new project to track cloud-native threats, similarly to what I have done in 2020, with an interactive timeline. As soon as I collect more data I will start to generate some statistics.