5 Attacks linked to Exposed Cloud credentials that are Shaking up the Cybersecurity Industry

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month. Our team brings you five emerging attacks linked to exposed cloud credentials that you should be aware of, including North Korean hackers (“Jumpy Pisces”) collaborating with the Play ransomware group to leverage leaked credentials for ransomware deployment, the Chinese group Evasive Panda using CloudScout to hijack authenticated cloud sessions, the “EMERALDWHALE” campaign compromising over 10,000 Git repositories by exploiting exposed configuration files to steal cloud credentials, Chinese-linked “Pygmy Goat” malware targeting Sophos XG firewalls using compromised credentials to establish persistent control, and the VEILDrive campaign exploiting Microsoft’s cloud services and using stolen Azure Entra credentials to distribute malware and set up command-and-control channels.

Read on to discover more……………

1. Hackers Launch Sophisticated Attack with Play Ransomware 

North Korean threat actors, known as “Jumpy Pisces,” partnered with the Play ransomware group in recent attacks, leveraging compromised user accounts to gain unauthorized access. The attackers used these leaked credentials to move laterally, escalate privileges, and disable endpoint defenses, leading to the deployment of Play ransomware.

This collaboration, supported by the Sliver C2 framework and custom backdoors like Dtrack, highlights a shift in North Korea’s financial motivations towards using ransomware for revenue generation. The involvement of compromised accounts was crucial in bypassing security measures, allowing attackers to extract sensitive data and escalate their attacks. 

2. Evasive Panda Uses CloudScout to Hijack Cloud Accounts

China-linked cyber-espionage group Evasive Panda targeted government and religious entities in Taiwan using the CloudScout malware toolset, integrated with the MgBot framework. CloudScout hijacked authenticated cloud sessions by exploiting stolen cookies, bypassing regular login credentials to access services like Google Drive, Gmail, and Outlook.

Attackers leveraged the stolen cloud credentials to extract sensitive data, including emails, attachments, and folder listings, maintaining persistence in the cloud environment. The malware compressed stolen data into ZIP archives for exfiltration, using either MgBot or Nightdoor. This campaign highlights China’s strategic use of compromised cloud credentials for espionage across political and religious sectors.

3. Exposed Git Configurations Exploited to Steal Credentials  

The “EMERALDWHALE” campaign compromised over 10,000 Git repositories by exploiting exposed Git and Laravel configuration files to steal credentials, including cloud and database access keys. These leaked credentials were used to clone private repositories and sold on underground markets, highlighting the risks of improper secret management. Attackers used automated tools like MZR V2 and Seyzo-v2 to locate vulnerable repositories and extract credentials for cloud service providers and other platforms.

This campaign underscores the significant threat posed by leaked cloud credentials, which allowed attackers to maintain unauthorized access and expand their operations by cloning additional repositories.

4. ‘Pygmy Goat’ Targets Sophos XG Firewalls in Chinese-Linked Attacks

The UK’s NCSC analyzed “Pygmy Goat,” a sophisticated Linux malware targeting Sophos XG firewalls, linked to Chinese threat actors. This malware exploited a critical authentication bypass (CVE-2022-1040), allowing attackers unauthorized access to firewall user portals. Using compromised credentials, attackers established persistent, unauthorized control over these devices.

Pygmy Goat hijacked SSH sessions with the LD_PRELOAD technique, intercepting SSH traffic to maintain remote access. Once connected, attackers used encrypted ICMP payloads to execute commands, manage network traffic, and set up backdoor sessions for further compromise. By leveraging leaked credentials, Pygmy Goat enabled deep access into compromised environments, emphasizing the ongoing risks posed by credential abuse in targeted attacks against critical network infrastructure.

5. A Sophisticated Attack Using Microsoft for Malware Distribution

The VEILDrive campaign exploited Microsoft’s cloud services—such as Teams, SharePoint, Quick Assist, and OneDrive—using spear-phishing to distribute malware and leverage compromised cloud credentials. Attackers used credentials from previously breached organizations (Org A and Org B level) to impersonate trusted entities, targeting Org C’s employees and bypassing conventional security measures.

The malware used OneDrive accounts with hardcoded Azure Entra credentials to set up command-and-control (C2) channels, enabling the attackers to issue commands through Microsoft Graph API. By leveraging legitimate Microsoft SaaS platforms, the attackers maintained persistence, complicated detection, and executed a multi-stage attack that blended espionage and financially motivated tactics against critical infrastructure targets in the U.S.

Key recommendations to combat cyber risks: 

• Implement Multi-Factor Authentication (MFA) to strengthen security, especially for privileged accounts.
• Enforce least privilege access controls to limit permissions to only those essential for user functions.
• Regularly rotate and update credentials and secrets to reduce risks from compromised information.
• Conduct regular security audits and penetration testing to identify and mitigate vulnerabilities.
• Implement strong encryption for sensitive data at rest and in transit to prevent data breaches.
• Use advanced threat detection tools to monitor for unusual activities and potential threats.
• Segment networks to limit lateral movement and reduce the scope of potential attacks.
• Train employees on phishing awareness and other social engineering techniques.
• Restrict remote access and monitor for high-risk activities to secure systems.