Tag: cloud security

14 Attack Reports | 0 Vulnerabilities

Attack reports

Supply Chain Attack: Malicious PyPI Packages

TeamPCP has launched a supply chain attack targeting LiteLLM, an open-source Python library used in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 were published on PyPI, employing sophisticated techniques for payload delivery and persistence. The compromised packages exploit Pytho…
cloud security
pypi
supply chain attack
2026-03-25
litellm
Published: March 25, 2026
Downloadable IOCs: 1

2025 Cloud Threat Hunting and Defense Landscape

The report outlines key cloud security threats for 2025, highlighting exploitation of misconfigurations, cloud abuse, ransomware, credential theft, and third-party risks. Threat actors are increasingly leveraging legitimate cloud services for malicious purposes, including using AI/ML capabilities. …
ransomware
cloud security
acr stealer
threat landscape
credential abuse
fatalrat
lamehug
2026-02-19
ai/ml exploitation
cloud-native attacks
misconfigurations
saltwater
seaside
seaspy
third-party risk
Published: February 19, 2026
Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2024-3400, CVE-2021-26855, CVE-2023-3519, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-61882 (CVSS 9.8), CVE-2021-43798, CVE-2023-2868, CVE-2023-7102
Downloadable IOCs: 3

Uncovering Malicious OAuth Campaigns in Entra ID

This analysis reveals the growing threat of malicious OAuth applications in Microsoft Entra ID, which attackers use for persistence and privilege escalation. The report details how these apps blend in with legitimate integrations, making detection challenging. It describes the creation of OAuth App…
phishing
cloud security
oauth
application impersonation
2026-02-19
consent abuse
entra id
identity security
Published: February 19, 2026
Downloadable IOCs: 2

AI-assisted cloud intrusion achieves admin access in 8 minutes

An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public …
lateral movement
cloud security
privilege escalation
aws
2026-02-04
ai-assisted attack
gpu abuse
lambda injection
llmjacking
Published: February 4, 2026
Downloadable IOCs: 4

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, le…
vulnerability
zero-day
cloud security
supershell
rce
CVE-2024-55947
2025-12-10
CVE-2025-8110
git service
gogs
symlink bypass
Published: December 10, 2025
Linked vulnerabilities : CVE-2024-54148 (CVSS 9.8), CVE-2024-55947, CVE-2023-46747, CVE-2024-56731 (CVSS 10.0), CVE-2025-55182 (CVSS 10.0), CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 0

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

An AWS access key compromise led to a sophisticated SES abuse campaign in May 2025. The attacker exploited the stolen key to bypass SES restrictions, verify new sender identities, and conduct a large-scale phishing operation. They used multi-regional PutAccountDetails requests to escape the SES san…
phishing
cloud security
aws
sandbox escape
2025-09-04
email service
Published: September 4, 2025
Downloadable IOCs: 4

Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundre…
social engineering
vishing
cloud security
data exfiltration
tor
oauth
2025-09-03
salesforce
saas security
Published: September 3, 2025
Downloadable IOCs: 19

Serverless Tokens in the Cloud: Exploitation and Detections

This article explores the security implications of serverless authentication across major cloud platforms. It details how attackers target serverless functions to exploit vulnerabilities arising from insecure code and misconfigurations. The mechanics of serverless authentication are explained for A…
cloud security
authentication
rce
2025-06-13
ssrf
google cloud functions
token exfiltration
aws lambda
azure functions
serverless
Published: June 13, 2025
Downloadable IOCs: 0

Tales from the cloud trenches: The Attacker doth persist too much, methinks

A leaked AWS access key led to malicious activities over a 150-minute period, involving five distinct IP addresses. The attackers employed both common and innovative tactics, including creating 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-l…
persistence
aws
telegram
2025-05-13
cloud-security
api-gateway
identity-center
iam
lambda
Published: May 13, 2025
Downloadable IOCs: 5

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

A Deep Dive into TeamTNT and Spinning YARN

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persiste…
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus
Published: December 18, 2024
Downloadable IOCs: 35

The State of Cloud Ransomware in 2024

Cloud ransomware attacks are evolving, primarily targeting storage services like Amazon S3 and Azure Blob Storage. Attackers exploit misconfigurations or use stolen credentials to access and encrypt data. Cloud service providers have implemented security measures, such as AWS's 7-day key deletion w…
lockbit
bianlian
cloud security
data exfiltration
rhysida
2024-11-14
CVE-2023-34362
cspm
cloud ransomware
pandora
s3 buckets
ransomes
web application attacks
identity management
kms
Published: November 14, 2024
Downloadable IOCs: 0

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

TargetCompany’s Linux Variant Targets ESXi Environments

Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
ransomware
lockbit
execution
2024-06-06
vmware esxi
targetcompany
cloud security
vampire
Published: June 6, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports