Tag: aws

9 Attack Reports | 0 Vulnerabilities

Attack reports

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…
backdoor
phishing
social engineering
aws
evasion techniques
more_eggs
2025-06-11
cloud infrastructure
resume lures
skeleton spider
Published: June 11, 2025
Downloadable IOCs: 24

Tales from the cloud trenches: The Attacker doth persist too much, methinks

A leaked AWS access key led to malicious activities over a 150-minute period, involving five distinct IP addresses. The attackers employed both common and innovative tactics, including creating 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-l…
persistence
aws
telegram
2025-05-13
cloud-security
api-gateway
identity-center
iam
lambda
Published: May 13, 2025
Downloadable IOCs: 5

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor gathered system details using public IP lookup services and various commands. Multiple shell scripts were downloaded and executed …
cryptomining
aws
ssh
remote code execution
CVE-2023-22527
atlassian confluence
2024-11-04
titan network
cassini testnet
aleo-pool
Published: November 4, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 1

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…
phishing
apt28
ukraine
rdp
aws
2024-10-26
uac-0218
uac-0215
domain seizure
homesteel
cert-ua
Published: October 26, 2024
Downloadable IOCs: 0

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …
ransomware
golang
aws
data-exfiltration
2024-10-17
lockbit-imitation
Published: October 17, 2024
Downloadable IOCs: 39

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

Unit 42 researchers uncovered an extortion campaign that compromised and extorted multiple victim organizations by leveraging exposed environment variable files containing sensitive credentials. The campaign involved setting up attack infrastructure within victims' Amazon Web Services (AWS) environ…
extortion
cloud
credentials
aws
2024-08-16
scanning
automation
compromised
Published: August 16, 2024
Linked vulnerabilities : CVE-2024-6387 (CVSS 8.1), CVE-2024-3094
Downloadable IOCs: 37

Malicious npm package targets AWS users

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
backdoor
supply-chain
2024-06-27
npm
aws
Published: June 27, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports