CISO Brief

All news with #cloud account compromise tag

54 articles · page 2 of 3

Hims & Hers Discloses Zendesk Support Ticket Breach

🔒 Hims & Hers says support tickets were exfiltrated from its Zendesk instance after threat actors accessed a third-party customer service platform via a compromised Okta SSO account. The company reports the activity occurred Feb 4–7, 2026, was first noticed on Feb 5, and that an internal investigation concluded on March 3 that certain tickets were accessed or acquired without authorization. Potentially exposed information includes names, contact details, and other request-related data; the company states no medical records or doctor communications were affected and is offering 12 months of credit monitoring to impacted individuals.

Iran-linked Password-Spray Campaign Targets Cloud Assets

🔒 Check Point Research identified an Iran-linked password-spraying campaign targeting Microsoft 365 cloud environments carried out in three waves on March 3, March 13, and March 23. The campaign primarily focused on Israel and the UAE, affecting more than 300 organizations in Israel and over 25 in the UAE. Activity tied to the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. These attempts seek account takeover and cloud footholds, highlighting the need for strengthened access controls and faster detection.

European Commission Confirms Cloud Infrastructure Breach

🔐 The European Commission has confirmed a cyber-attack affecting cloud infrastructure that hosts the Europa.eu platform and says early findings indicate data were taken. The incident was detected on March 24 and announced on March 27; containment and forensic measures were deployed while internal systems reportedly remained unaffected. Screenshots and claims from ShinyHunters allege a roughly 350GB haul including mail servers, databases, NextCloud content and employee PII, and researchers warn the compromise could expose DKIM keys, SSO directories and other sensitive assets.

European Commission Data Stolen in Cloud Infrastructure

🔒 The European Commission is investigating a cyberattack on its Europa.eu platform after a threat actor claimed to have exfiltrated more than 350GB of data from compromised AWS accounts. The attacker told a security reporter they intend to publish the stolen files rather than extort the Commission. The Commission said public websites remain available, internal systems were unaffected, and containment and mitigation measures were implemented while inquiries continue.

European Commission Probes Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor gained access to an Amazon cloud account used to manage Commission infrastructure. The actor claims to have exfiltrated over 350 GB of data, including multiple databases, and provided screenshots as proof while stating they will not extort the Commission but may leak the data later. The Commission's cybersecurity incident response team detected the incident quickly and is investigating; the case follows a January MDM compromise linked to other EU institution attacks.

European Commission Investigates Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor accessed an Amazon cloud account used to manage Commission infrastructure. Sources say the intrusion was quickly detected and that the Commission's cybersecurity incident response team is now probing the incident. The actor claims to have stolen 350 GB of data, including multiple databases, and provided screenshots showing access to employee information and an internal email server. The actor says they will not extort the Commission but may leak the data later.

CISA Urges Firms to Harden Microsoft Intune Controls

🔒 CISA urged U.S. organizations to strengthen Microsoft Intune administrative controls after a cyberattack exploited Intune to wipe devices at medical technology firm Stryker. Attackers allegedly created a new Global Administrator account, exfiltrated data, then used Intune’s built‑in wipe to erase nearly 80,000 devices. CISA recommended least‑privilege RBAC, enforced MFA via Microsoft Entra, privileged‑access hygiene, and multi‑admin approval for sensitive actions to reduce similar risks.

Attackers Abusing Cloud Services to Breach Enterprises

🔐 Attackers increasingly leverage trusted cloud platforms and SaaS APIs to blend malicious activity into routine enterprise traffic. Campaigns such as Gridtide and SesameOp demonstrate adversaries using Google Sheets, OpenAI APIs and cloud storage as covert command-and-control and staging vectors. By operating through legitimate identity systems, management consoles, and ephemeral serverless functions, attackers evade network defenses and static blocklists. The result is harder detection, easier credential harvesting, and persistent access across hybrid environments.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.

AI-Driven AWS Attack: From Exposed Key to Admin in Minutes

⚠️ Sysdig researchers observed an AI-assisted intrusion in November 2025 that converted exposed AWS credentials in a public S3 bucket into full administrative control in under eight minutes. The attackers exploited an IAM user with Lambda and limited Amazon Bedrock access, injected malicious code into an existing Lambda function, and generated admin keys from the function output. They then moved laterally across multiple principals, invoked multiple foundation models (LLMjacking), disabled model-invocation logging, and attempted to provision costly GPU instances to run ML workloads. Sysdig recommends enforcing least privilege, restricting UpdateFunctionCode and PassRole, protecting S3 buckets, enabling Lambda versioning, and turning on Bedrock logging.

Large-scale cloud storage payment scam floods inboxes

⚠️ Over recent months a global scam campaign has bombarded users with fraudulent cloud-storage renewal notices claiming payment failures and imminent deletion of photos and backups. The emails use auto-generated sender domains and links hosted on Google Cloud Storage that redirect to phishing pages impersonating cloud portals. Those pages run fake storage scans, promote unrelated affiliate products, and lead to checkout forms that collect credit card details. Delete these messages and verify billing only through official apps or websites.

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.

Testing Apps Exposed Online Used to Breach Fortune 500

⚠️ A recent Pentera investigation discovered nearly 2,000 intentionally vulnerable security-testing web applications (DVWA, OWASP Juice Shop, Hackazon, bWAPP) exposed on the public internet, often running from overly privileged cloud accounts on AWS, GCP and Azure. Attackers exploited these instances to deploy crypto miners, install webshells and create persistence mechanisms, then pivot to sensitive cloud resources. Affected vendors including Cloudflare, F5 and Palo Alto Networks were notified and remediated issues. Pentera recommends inventories, isolation of test systems, enforcement of least-privilege IAM, and elimination of default credentials.

Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and OwnCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, long-lived stolen credentials and the necessity of MFA and session invalidation.

Phishing Uses Google Cloud Automation to Evade Detection

🛡️ Attackers abused Google Cloud Application Integration to send thousands of malicious emails that appeared to originate from the legitimate address noreply-application-integration@google.com. The messages impersonated routine enterprise notifications—voicemail alerts, file-access and permission requests—raising the chance recipients would click links or disclose credentials. Check Point observed 9,394 phishing emails targeting about 3,200 customers over 14 days.

Crypto-mining Campaign Targets Amazon EC2 and ECS Resources

⚠️ Amazon GuardDuty and AWS automated monitoring identified a coordinated crypto‑mining campaign beginning November 2, 2025, that used compromised IAM credentials to deploy miners on Amazon EC2 and Amazon ECS. Attackers enumerated quotas and permissions, launched large EC2 fleets and ECS Fargate tasks from a malicious Docker Hub image, and used persistence techniques such as disabling API termination and creating public Lambda URLs. GuardDuty Extended Threat Detection correlated signals to surface critical attack sequences and AWS provides IoCs and mitigation guidance including strong identity controls, CloudTrail logging, Runtime Monitoring, and remediation playbooks.

Amazon: Russian GRU Targets Misconfigured Edge Devices

🔒 Amazon Threat Intelligence has attributed with high confidence a years‑long campaign to Russia’s GRU, noting a shift in 2025 from exploiting software flaws to compromising misconfigured customer network edge devices. The actor has targeted enterprise routers, VPN concentrators, network management appliances and cloud-hosted edge instances, including some hosted on AWS, to gain initial access. This tactic supports credential harvesting, replay attacks and lateral movement while reducing attacker exposure and resource expenditure.

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.

Salesforce Probes Customer Data Theft via Gainsight Apps

🔒 Salesforce says it revoked active access and refresh tokens tied to Gainsight-published applications after detecting unusual activity that may have enabled unauthorized access to some customers' CRM data. The company says the issue stems from the app's external connection rather than a vulnerability in Salesforce itself and temporarily removed those apps from the AppExchange. Affected customers have been notified and can contact Salesforce Help for assistance.