
All news with #cloud account compromise tag

38 articles

China-aligned ELF Backdoor Harvests Cloud Credentials

🔐 Breakglass Intelligence reports that China-aligned APT41 is deploying an obfuscated Linux ELF backdoor to harvest cloud credentials across AWS, GCP, Azure and Alibaba Cloud. The implant uses a selective SMTP-based C2 over port 25 and typosquatted Alibaba-themed domains hosted in Singapore to exfiltrate tokens and metadata while avoiding scanners. The malware queries instance metadata endpoints (169.254.169.254), sends stolen IAM, service account and managed identity credentials, and emits periodic UDP broadcasts to 255.255.255.255:6006 to coordinate lateral movement. Defenders should monitor SMTP egress, unusual metadata access, unknown ELF binaries, and connections to Alibaba-lookalike domains.

Bitcoin Depot Breach: $3.66M Stolen from Company Wallets

🪙 Bitcoin Depot confirmed on March 23, 2026 that an unauthorized actor accessed portions of its corporate IT environment and transferred approximately 50.903 BTC (about $3.665 million) from company-controlled wallets. The operator of more than 25,000 Bitcoin ATMs said it promptly activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement while believing customer platforms and systems were not affected. On April 6, the company declared the incident material and warned that its cyber insurance may not cover all losses as the investigation continues.

Snowflake Customers Targeted After SaaS Integrator Breach

🔐 Over a dozen companies experienced data theft after attackers used stolen authentication tokens from a breached SaaS integrator to access cloud accounts. The majority of observed incidents targeted Snowflake, which reported "unusual activity" and said a small number of customer accounts were impacted. Snowflake emphasized that its systems were not compromised and that it locked down potentially affected accounts and notified customers. BleepingComputer sources point to an alleged breach at Anodot, and the extortion gang ShinyHunters claims responsibility.

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks—driven by identity theft and exposed services—enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.

Hims & Hers Discloses Zendesk Support Ticket Breach

🔒 Hims & Hers says support tickets were exfiltrated from its Zendesk instance after threat actors accessed a third-party customer service platform via a compromised Okta SSO account. The company reports the activity occurred Feb 4–7, 2026, was first noticed on Feb 5, and that an internal investigation concluded on March 3 that certain tickets were accessed or acquired without authorization. Potentially exposed information includes names, contact details, and other request-related data; the company states no medical records or doctor communications were affected and is offering 12 months of credit monitoring to impacted individuals.

Iran-linked Password-Spray Campaign Targets Cloud Assets

🔒 Check Point Research identified an Iran-linked password-spraying campaign targeting Microsoft 365 cloud environments carried out in three waves on March 3, March 13, and March 23. The campaign primarily focused on Israel and the UAE, affecting more than 300 organizations in Israel and over 25 in the UAE. Activity tied to the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. These attempts seek account takeover and cloud footholds, highlighting the need for strengthened access controls and faster detection.

European Commission Confirms Cloud Infrastructure Breach

🔐 The European Commission has confirmed a cyber-attack affecting cloud infrastructure that hosts the Europa.eu platform and says early findings indicate data were taken. The incident was detected on March 24 and announced on March 27; containment and forensic measures were deployed while internal systems reportedly remained unaffected. Screenshots and claims from ShinyHunters allege a roughly 350GB haul including mail servers, databases, NextCloud content and employee PII, and researchers warn the compromise could expose DKIM keys, SSO directories and other sensitive assets.

European Commission Data Stolen in Cloud Infrastructure

🔒 The European Commission is investigating a cyberattack on its Europa.eu platform after a threat actor claimed to have exfiltrated more than 350GB of data from compromised AWS accounts. The attacker told a security reporter they intend to publish the stolen files rather than extort the Commission. The Commission said public websites remain available, internal systems were unaffected, and containment and mitigation measures were implemented while inquiries continue.

European Commission Probes Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor gained access to an Amazon cloud account used to manage Commission infrastructure. The actor claims to have exfiltrated over 350 GB of data, including multiple databases, and provided screenshots as proof while stating they will not extort the Commission but may leak the data later. The Commission's cybersecurity incident response team detected the incident quickly and is investigating; the case follows a January MDM compromise linked to other EU institution attacks.

European Commission Investigates Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor accessed an Amazon cloud account used to manage Commission infrastructure. Sources say the intrusion was quickly detected and that the Commission's cybersecurity incident response team is now probing the incident. The actor claims to have stolen 350 GB of data, including multiple databases, and provided screenshots showing access to employee information and an internal email server. The actor says they will not extort the Commission but may leak the data later.

CISA Urges Firms to Harden Microsoft Intune Controls

🔒 CISA urged U.S. organizations to strengthen Microsoft Intune administrative controls after a cyberattack exploited Intune to wipe devices at medical technology firm Stryker. Attackers allegedly created a new Global Administrator account, exfiltrated data, then used Intune's built-in wipe to erase nearly 80,000 devices. CISA recommended least-privilege RBAC, enforced MFA via Microsoft Entra, privileged-access hygiene, and multi-admin approval for sensitive actions to reduce similar risks.

Attackers Abusing Cloud Services to Breach Enterprises

🔐 Attackers increasingly leverage trusted cloud platforms and SaaS APIs to blend malicious activity into routine enterprise traffic. Campaigns such as Gridtide and SesameOp demonstrate adversaries using Google Sheets, OpenAI APIs and cloud storage as covert command-and-control and staging vectors. By operating through legitimate identity systems, management consoles, and ephemeral serverless functions, attackers evade network defenses and static blocklists. The result is harder detection, easier credential harvesting, and persistent access across hybrid environments.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.

AI-Driven AWS Attack: From Exposed Key to Admin in Minutes

⚠️ Sysdig researchers observed an AI-assisted intrusion in November 2025 that converted exposed AWS credentials in a public S3 bucket into full administrative control in under eight minutes. The attackers exploited an IAM user with Lambda and limited Amazon Bedrock access, injected malicious code into an existing Lambda function, and generated admin keys from the function output. They then moved laterally across multiple principals, invoked multiple foundation models (LLMjacking), disabled model-invocation logging, and attempted to provision costly GPU instances to run ML workloads. Sysdig recommends enforcing least privilege, restricting UpdateFunctionCode and PassRole, protecting S3 buckets, enabling Lambda versioning, and turning on Bedrock logging.

Large-scale cloud storage payment scam floods inboxes

⚠️ Over recent months a global scam campaign has bombarded users with fraudulent cloud-storage renewal notices claiming payment failures and imminent deletion of photos and backups. The emails use auto-generated sender domains and links hosted on Google Cloud Storage that redirect to phishing pages impersonating cloud portals. Those pages run fake storage scans, promote unrelated affiliate products, and lead to checkout forms that collect credit card details. Delete these messages and verify billing only through official apps or websites.

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.

Testing Apps Exposed Online Used to Breach Fortune 500

⚠️ A recent Pentera investigation discovered nearly 2,000 intentionally vulnerable security-testing web applications (DVWA, OWASP Juice Shop, Hackazon, bWAPP) exposed on the public internet, often running from overly privileged cloud accounts on AWS, GCP and Azure. Attackers exploited these instances to deploy crypto miners, install webshells and create persistence mechanisms, then pivot to sensitive cloud resources. Affected vendors including Cloudflare, F5 and Palo Alto Networks were notified and remediated issues. Pentera recommends inventories, isolation of test systems, enforcement of least-privilege IAM, and elimination of default credentials.

Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and OwnCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, long-lived stolen credentials and the necessity of MFA and session invalidation.

Phishing Uses Google Cloud Automation to Evade Detection

🛡️ Attackers abused Google Cloud Application Integration to send thousands of malicious emails that appeared to originate from the legitimate address noreply-application-integration@google.com. The messages impersonated routine enterprise notifications—voicemail alerts, file-access and permission requests—raising the chance recipients would click links or disclose credentials. Check Point observed 9,394 phishing emails targeting about 3,200 customers over 14 days.