A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques


Featured actors

Dive into the profiles of threat actors involved in cloud security incidents, shedding light on their motivations and tooling, to aid in risk assessment and threat modeling.

Dreambus botnet

The Dreambus botnet is adept at exploiting weaknesses in various Internet-facing applications, including PostgreSQL, Hadoop, Redis, and other popular software. The operators behind this activity appear to be financially motivated, as infections result in cryptojacking.

LAPSUS$

LAPSUS$ were notorious extortionists that managed to gain access to multiple large organizations throughout 2022 via social engineering and SIM swapping, and in some cases moved laterally into their targets’ cloud environments.

TeamTNT

TeamTNT is a financially motivated threat actor known for targeting misconfigured containers for cryptojacking. They have also been observed enumerating cloud environments and compromising their victims' credentials for various cloud services.

Featured techniques

An overview of attack techniques used by threat actors in cloud security incidents, aligned with the MITRE ATT&CK matrix framework for additional context.

SSH (Secure Shell) is commonly used as a remote access method for Linux servers. If a local user is misconfigured with an empty or weak password, the account can be compromised by threat actors performing a brute-force or password-spraying attack against an organization's IP range. To mitigate this technique, local users should use strong passwords, and firewall rules should be configured to prevent public exposure of the server, limiting access to trusted IP ranges (such as the organization's own IP range or a VPN).
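The two halves of the entry above, spotting the attack in sshd logs and checking the password-related settings it relies on, as an added example that is not part of the original page or of the Wiz database. The log lines and the sshd_config fragment are constructed for the example (RFC 5737 documentation addresses); the thresholds and the field names in the report are assumptions, not values the page states.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (made up for this example, not from the page).
# 203.0.113.5 hammers a single account, 198.51.100.7 tries one guess against
# many accounts, and 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51822 ssh2
Jan 10 03:12:03 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51824 ssh2
Jan 10 03:12:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51826 ssh2
Jan 10 03:12:07 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51828 ssh2
Jan 10 03:12:09 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 51830 ssh2
Jan 10 03:12:11 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 51832 ssh2
Jan 10 03:12:13 web1 sshd[2113]: Accepted password for root from 203.0.113.5 port 51834 ssh2
Jan 10 03:20:40 web1 sshd[2201]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 03:20:41 web1 sshd[2202]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
Jan 10 03:20:42 web1 sshd[2203]: Failed password for ubuntu from 198.51.100.7 port 40003 ssh2
Jan 10 03:20:43 web1 sshd[2204]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Jan 10 08:01:10 web1 sshd[2301]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Jan 10 08:01:20 web1 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 50011 ssh2
"""

# Constructed sshd_config fragment showing the weak settings the text warns about.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitEmptyPasswords yes
PasswordAuthentication yes
PermitRootLogin yes
"""

# Matches both "Failed password for ..." and "Accepted publickey for ..." lines;
# "invalid user" appears when the account does not exist on the host.
EVENT_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(lines):
    """Return (result, user, source_ip) tuples for every auth event in the lines."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("ip")))
    return events


def classify_sources(lines, fail_threshold=5, spray_users=3):
    """Per source IP: failure count, distinct users tried, and a verdict.
    Thresholds are assumptions for the example; tune them to your environment."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for result, user, ip in parse_events(lines):
        if result == "Failed":
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
        else:
            stats[ip]["accepted"].append(user)
    report = {}
    for ip, s in stats.items():
        if len(s["users"]) >= spray_users:       # one guess across many accounts
            verdict = "password_spraying"
        elif s["failed"] >= fail_threshold:       # many guesses against few accounts
            verdict = "brute_force"
        else:
            verdict = "none"
        report[ip] = {"failed": s["failed"], "users": sorted(s["users"]),
                      "accepted": s["accepted"], "verdict": verdict}
    return report


def suspicious_logins(lines, fail_threshold=5):
    """Successful logins that followed a run of failures from the same source,
    i.e. the moment a weak password was guessed. Order of events matters."""
    failures = defaultdict(int)
    hits = []
    for result, user, ip in parse_events(lines):
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= fail_threshold:
            hits.append((ip, user))
    return hits


# sshd_config keys (real OpenSSH options) whose "yes" value weakens password hygiene.
WEAK_SETTINGS = {
    "permitemptypasswords": "set PermitEmptyPasswords no",
    "permitrootlogin": "set PermitRootLogin no (or prohibit-password)",
    "passwordauthentication": "set PasswordAuthentication no where key-based login is possible",
}


def audit_sshd_config(text):
    """Return (option, value, recommendation) for each weak setting found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in WEAK_SETTINGS and value == "yes":
            findings.append((parts[0], value, WEAK_SETTINGS[key]))
    return findings


if __name__ == "__main__":
    log = SAMPLE_AUTH_LOG.splitlines()
    for ip, info in classify_sources(log).items():
        print(f"{ip}: {info['verdict']} ({info['failed']} failures, users={info['users']})")
    print("logins after a failure run:", suspicious_logins(log))
    for option, value, advice in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"weak setting {option} {value}: {advice}")
```

The detection side complements, rather than replaces, the firewall mitigation in the text: if sshd is only reachable from trusted ranges, the noisy failure runs never arrive in the first place, and any that do are worth an alert on their own.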


Featured incidents

A historical collection of past cloud security incidents and campaigns, offering insights into targeting patterns, initial access methods and effective impact.

Double supply chain attack (April 2023)

In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX (VoIP vendor) and inserted a backdoor into their desktop product, which was used for targeting some of their customers - primarily crypto companies. Researchers later discovered 3CX themselves were infected via a supply chain attack on another company called Trading Technologies that occurred in November 2021.

PyLoose cryptomining campaign

In mid-2023, an unknown financially motivated threat actor began targeting publicly exposed Jupyter Notebook instances to hijack them for running cryptomining operations. The threat actor deployed a fileless Python tool (dubbed “PyLoose”) that loaded an XMRig miner directly into memory.

From Docker image to cloud breach (April 2021)

In April 2021, Codecov was compromised by an unknown threat actor who abused their access to the company's cloud environment to conduct a supply chain attack. The threat actor gained initial access to Codecov's GCP environment by extracting an HMAC key for a service account from a public Docker image created by Codecov. The attacker then used this key to modify the version of the Codecov Bash Uploader stored in Google Cloud Storage and available for end users to download, inserting a malicious payload to be executed in customer environments. Multiple Codecov customers are known to have been impacted by this supply chain attack, with the threat actor managing to exfiltrate data from their environments.

FAQ

The Cloud Threat Landscape is a curated public instance of Wiz Research’s internal cloud threat intelligence database, summarizing information about publicly disclosed cloud security incidents and campaigns. Additionally, the database lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.
