🚨 ☁️ - New Recorded Future Insikt Group report! This is essential reading for anyone building or defending in modern hybrid, SaaS-heavy, or cloud-native environments. The report outlines a clear and uncomfortable reality: cloud environments are now central to how threat actors operate, not just a peripheral target. Please read and share with your networks!

Our analysis highlights five key threat vectors shaping the current cloud threat landscape: cloud abuse, exploitation, endpoint misconfiguration, cloud ransomware, and credential abuse. What emerges is a picture of attackers who are not only exploiting misconfigured or vulnerable infrastructure but actively adopting cloud-native tooling and services for persistence, evasion, and impact.

🔑 Cloud abuse, in particular, is no longer rare — it’s routine. Threat actors are standing up their own infrastructure in AWS, Azure, Google Cloud, and even lesser-known providers, blending in with legitimate traffic to host C2 nodes, phishing kits, and credential harvesting sites. In some cases, they’re compromising victim cloud environments directly to mine cryptocurrency, exfiltrate data, or abuse expensive APIs like those tied to large language models — a tactic now known as “LLMjacking.”

Initial access often starts with the usual suspects: misconfigured endpoints and exposed secrets or credentials, many of which are still discovered en masse through open-source scanners and repos. Credential abuse remains a direct path to full-tenant compromise, especially in environments lacking basic protections like passwordless auth or adaptive MFA. Threat actors have shown a growing ability to escalate privileges and maintain access by manipulating identity federation, forging SAML tokens, and abusing synchronization accounts — making cloud identity a persistent battleground.

What makes this report especially valuable is that it doesn’t stop at threat modeling. It provides practical, grounded mitigation and detection strategies aligned to each phase of the attack chain. These include monitoring for suspicious cloud API usage, spotting unauthorized data exfiltration via storage buckets, detecting anomalous access patterns, and reinforcing controls over third-party and federated identities. It also urges organizations to revisit assumptions around visibility — many cloud compromises go unnoticed until the financial or operational damage is done, and native logging alone isn’t enough to catch sophisticated misuse.

What’s most striking, though, is the strategic shift underway. Threat actors increasingly rely on cloud infrastructure not just as a target, but as a core part of their kill chain. As adoption accelerates, the question isn’t if cloud infrastructure will be targeted — it’s how much of your detection, logging, and identity controls are ready for when it is. Because at this stage, the cloud isn’t just someone else’s computer — it’s someone else’s kill chain.
Advanced Persistent Threats in Cloud
Summary
Advanced persistent threats (APTs) in the cloud are ongoing, sophisticated cyber attacks where threat actors target cloud services and infrastructure to gain unauthorized access, steal data, extort victims, or disrupt operations. These attacks exploit vulnerabilities, misconfigurations, and stolen credentials in cloud environments, making them harder to detect and posing significant risks to organizations as cloud adoption grows.
- Strengthen identity controls: Implement strong authentication measures, such as multi-factor authentication and regular credential reviews, to minimize the risk of unauthorized access to cloud accounts.
- Monitor cloud activity: Actively track and analyze cloud API usage, storage access, and account behaviors to spot unusual patterns that could indicate a persistent threat.
- Patch and secure: Routinely update and secure cloud-facing applications and infrastructure, paying close attention to exposed endpoints and third-party integrations that could be exploited by attackers.
-
We Mandiant (part of Google Cloud) have recently released a report looking at threat actor campaigns targeting #cloud environments during Q2, 2025. Some highlights:

From April through June 2025, Google Threat Intelligence Group (#GTIG) observed threat actors with varying motivations accessing cloud assets and leveraging cloud-based services in intrusion operations. These threat actors used their illicit access to cloud resources to conduct data theft, data theft extortion, financial fraud, fraudulent employment, and #ransomware.

Threat actors leveraged compromised identities in 76% of the total intrusions affecting cloud resources in Q2 2025, gaining access to victim environments predominantly through voice #phishing (#vishing) and stolen credentials. We also observed instances involving email phishing and messaging apps, fraudulent employment of Democratic People's Republic of Korea (DPRK) IT workers (ITWs), and instances where the compromise of a trusted third-party provider was leveraged for illicit access. In this quarter, actors also exploited #Ivanti and #Fortinet vulnerabilities for initial access.

Our report includes a case study that details actor tactics, techniques, and procedures (#TTP) associated with an espionage group that leveraged #Azure Service Principals related to a third-party data protection cloud service provider they compromised prior to gaining subsequent access to multiple downstream victims. The graphic below depicts the main motivation of the activity, based on #Mandiant services investigations and engagements. Defensive recommendations are included to address certain activities observed from these case studies. MITRE ATT&CK techniques observed in incidents involving cloud resources in Q2 2025 are also listed in the full report. If you want to learn how we assess, protect, and harden our client environments from these types of threats, please reach out.
Our full report is available here for Google Threat Intelligence (#GTI) customers - https://lnkd.in/gEWepVC8 #infosec #cybersecurity #CISO #DFIR #malware #cyberespionage #AWS #GCP #APT
-
THREAT PROFILE: TEAMPCP — THE EVOLUTION OF RANSOMWARE INTO CLOUD-NATIVE CYBERCRIME

ℹ️ TeamPCP (aka PCPcat, ShellForce, and DeadCatx3) operates as a cloud-native cybercrime platform, not a single-purpose malware gang. The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure.

ℹ️ The group weaponizes exposed control planes rather than exploiting endpoints. Misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications serve as the primary infection vectors. Once a single workload is compromised, TeamPCP pivots laterally across entire clusters.

ℹ️ Data theft and extortion are integrated into the operation and are practiced via Telegram groups. Infrastructure supports multiple monetization paths. Compromised servers are repurposed for cryptomining (XMRig), proxy and tunneling networks (FRPS, gost), C2 relays (Sliver), scanning, and data hosting.

ℹ️ The majority of leaked data comes from Western countries’ organizations in e-commerce, finance, and HR. TeamPCP predominantly targets cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers. This strengthens our claim that they target cloud environments.

📍 PCPCAT CAMPAIGN — SIMPLE ATTACK PHASES
■ Discovery: Automated scanning for exposed cloud services and misconfigurations (Kubernetes, Docker, Redis, web apps).
■ Initial Access: Exploits vulnerabilities to gain remote execution and establish a foothold in cloud workloads.
■ Reconnaissance: Identifies cloud environments, discovers containers and credentials, and maps infrastructure.
■ Lateral Movement: Harvests credentials and expands control across containers and cluster nodes.
■ Persistence: Deploys privileged workloads to maintain long-term access and enable reinfection.
■ Payload Deployment: Installs ransomware, cryptominers, and proxy tools connected to C2 infrastructure.
■ Monetization: Generates revenue via ransomware, cryptomining, proxy services, and data theft.

📌 Source: Flare 🔗 https://lnkd.in/d9A35_bG #teampcp #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
-
Amazon discovers Advanced Persistent Threat (APT) exploiting Cisco and Citrix zero-days

Amazon has successfully used its massive scale to detect Advanced Persistent Threats (APTs)—specifically Russian (APT29/Midnight Blizzard) and suspected Chinese actors (Volt Typhoon)—exploiting critical vulnerabilities in Cisco and Citrix edge devices.

The Citrix vulnerability: CVE‑2025‑5777 (“Bleed Two”) was being exploited before public disclosure, as detected by Amazon’s honeypot service.

The Cisco ISE vulnerability: newly discovered by Amazon and now designated CVE‑2025‑20337 — an unauthenticated remote code-execution flaw in Cisco ISE. Exploits were observed before the vendor had issued a CVE or provided full patches.

After exploiting the Cisco ISE vulnerability, the threat actor deployed a custom web shell disguised as a legitimate ISE component (“IdentityAuditAction”). The web shell is highly stealthy: in-memory only, uses Java reflection, hooks into Tomcat HTTP request handling, uses DES encryption with a non-standard Base64 variant, and listens on specific HTTP headers for activation.

The fact that the actor had custom tooling and exploited multiple zero-days before disclosure indicates they are well-resourced and have advanced capabilities (vulnerability research or access to private disclosures). The targeting of identity and network-access control infrastructure (Cisco ISE, Citrix NetScaler) is notable: these components sit at the heart of enterprise security policy, authentication, and access management. Their compromise gives broad potential access. Pre-auth remote code execution means even well-configured systems (which may not require login) are vulnerable. Patching gaps (i.e., zero-day exploits before vendor mitigations) continues to be a major risk—especially for critical enterprise appliances.

This revelation highlights a major shift in cybersecurity warfare:

The Shift to "Edge" Devices: APTs are moving away from attacking endpoints (laptops/servers) which have antivirus (EDR) installed. Instead, they are attacking Edge Devices (Firewalls, Load Balancers, Routers) like Cisco and Citrix gear. These devices generally do not support antivirus software and sit on the perimeter of the network, making them the perfect blind spot.

Amazon as a "Neighborhood Watch": Amazon is positioning itself not just as a cloud provider, but as a global security intelligence firm. By sharing this data with CISA, Cisco, and Citrix, they effectively acted as an early warning system for the entire internet.

Living off the Land: The attackers used legitimate administrative tools present on the devices to hide their activity, making detection extremely difficult without the kind of "decoy" intelligence Amazon possessed.
-
Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional #ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense.

#Storm0501 has been active since at least 2021, when it first used the #Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (#RaaS) tools, deploying encryptors from groups such as #Hive, #BlackCat (#ALPHV), #HuntersInternational, #LockBit, and most recently, #Embargo ransomware.

In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. https://lnkd.in/gda46tmP
-
The recent announcement of Google’s acquisition of Wiz highlights that cloud security continues to be a challenging issue. There is still much to be done. Below is Vigilocity Mythic’s view of malicious implant infections within and across several of the largest cloud providers in the last hour (map) and last seven days (charts). While the image only shows the US, the malicious traffic witnessed is indeed global. In other words, organizations that have set up ephemeral (or permanent) infrastructure in the cloud are still exhibiting confirmed evidence of infection despite the plethora of security controls and configurations that “should” be stopping this. Not only is it critical to understand your attack surface and vulnerable Internet facing assets, but perhaps even more importantly, it is imperative to identify and remove latent and persistent malicious implants deeply embedded in your cloud environments actively communicating with their threat actor handlers.