Full Report
Threat actors are doubling down on cloud infrastructure — exploiting misconfigurations, abusing native services, and pivoting through hybrid environments to maximize impact. See how attack patterns are evolving across exploitation, ransomware, credential abuse, and AI service targeting in this latest cloud threat roundup.
Analysis Summary
# Tool/Technique: Cloud-Native Post-Compromise Exploitation
## Overview
This technique involves threat actors eschewing traditional malware binaries in favor of "living off the cloud." Attackers leverage misconfigurations, stolen credentials, and native cloud APIs/services (AWS, Azure, GCP, SaaS) to conduct data exfiltration, ransomware operations, and command-and-control (C2). The primary goal is to blend in with legitimate administrative traffic and bypass traditional endpoint-based detection.
## Technical Details
- **Type:** Technique / Attack Framework (Living off the Cloud)
- **Platform:** AWS, Azure, Google Cloud Platform (GCP), SaaS (Microsoft 365, Salesforce), and CI/CD pipelines.
- **Capabilities:** Credential harvesting, native cloud encryption (Ransomware), API-based data exfiltration, and AI/LLM resource hijacking.
- **First Seen:** Ongoing; increased sophistication noted in 2024-2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
  - [T1078.004 - Valid Accounts: Cloud Accounts]
- **[TA0007 - Discovery]**
  - [T1538 - Cloud Service Dashboard]
  - [T1619 - Cloud Storage Object Discovery]
- **[TA0009 - Collection]**
  - [T1530 - Data from Cloud Storage Object]
- **[TA0011 - Command and Control]**
  - [T1102 - Web Service] (Abusing Calendar/Messaging services)
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact] (via Cloud APIs)
  - [T1531 - Account Access Removal]
## Functionality
### Core Capabilities
- **API-Driven Ransomware:** Instead of deploying binaries, actors use compromised administrative roles to change the encryption settings on S3 buckets/Azure Blobs, re-encrypting objects with keys the victim does not control (for example attacker-owned KMS keys or S3 customer-provided SSE-C keys) and scheduling the victim's own keys for deletion. Ordinary KMS key rotation does not lock anyone out; the lever is control of the key material, not rotation.
- **Cloud-Native Exfiltration:** Using native CLI tools (e.g., `aws s3 sync` or `az storage`) to move data directly from victim storage to attacker-controlled cloud buckets.
- **Identity Pivoting:** Transitioning from synchronized on-premises AD accounts to privileged cloud roles (e.g., Global Admin or Service Principals).
### Advanced Features
- **AI/LLM Hijacking:** Accessing victim ML instances to steal proprietary models, manipulate training data, or utilize expensive compute resources for unauthorized processing.
- **SaaS C2 Channels:** Using legitimate services like Google Calendar or Microsoft Teams as covert communication channels for C2 traffic to avoid domain filtering.
- **CI/CD Subversion:** Manipulating GitHub Actions or Jenkins pipelines to inject malicious code into trusted software repositories.
## Indicators of Compromise
- **File Hashes:** N/A (Focus is on non-binary activity).
- **Network Indicators:**
- Unusual API calls from unknown IP addresses to `*.amazonaws.com`, `*.windows.net`, or `*.googleapis.com`.
- Connections to SaaS endpoints repurposed as C2 channels (e.g., `calendar.google[.]com`, `graph.microsoft[.]com`). These are legitimate, usually allow-listed domains, so the destination alone is not an indicator; pivot on the source process, host or account and on request volume and timing.
- **Behavioral Indicators:**
- Rapid modification of bucket policies or IAM roles.
- Mass snapshots of EBS volumes/Virtual Disks by unrecognized service principals.
- Repeated failed logins to "Executive Identities" or "Non-human/Service Accounts."
- Unauthorized creation of high-compute GPU instances (GPU/AI resource hijacking).
## Associated Threat Actors
- **Scattered Spider (UNC3944):** Known for sophisticated identity-based cloud pivoting and social engineering.
- **APT Groups:** Increasingly using cloud-native tools for long-term cyber espionage and data theft.
## Detection Methods
- **Behavioral Detection:** Monitoring CloudTrail, Azure Monitor, and GCP Cloud Logging for "impossible travel" and for spikes or first-time use of sensitive API calls (e.g., CloudTrail `PutBucketEncryption`, `ScheduleKeyDeletion`, `DisableKey`).
- **Identity and Endpoint Analytics:** Tracking the use of sync/transfer tooling such as `rclone` and the native cloud CLIs outside developer environments, including via the `userAgent` field in CloudTrail (prefixes such as `rclone/` or `aws-cli/`) from principals or networks that do not normally use them.
- **Heuristic Scanning:** Identifying excessive permissions assigned to new service principals or "Shadow Admins."
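The behavioral indicators listed earlier and the detection methods in this section, as an added example (not code from the report or from any vendor it cites): a Python detector that runs over constructed CloudTrail-style records and flags key/encryption tampering, mass snapshots by non-backup principals, `rclone`/CLI use from unknown networks, GPU instance launches and impossible travel. Field names follow the CloudTrail JSON schema (`eventName`, `userIdentity.arn`, `sourceIPAddress`, `userAgent`, `requestParameters`); the known-principal list, corporate network range, GeoIP table and thresholds are assumptions a deployment would replace with its own data.

```python
"""Detector over CloudTrail-style records for the behaviours listed in the
Behavioral Indicators and Detection Methods sections. Added example; the
records, principal list, network range, geo table and thresholds are
constructed/assumed, not real telemetry or vendor rules."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions a deployment would source from its CMDB / IdP / GeoIP provider.
KNOWN_BACKUP_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/BackupAutomation/scheduler",
}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
GEO = {"203.0.113.10": "eu-west", "198.51.100.7": "ap-southeast", "192.0.2.44": "us-east"}

KEY_TAMPERING_EVENTS = {"PutBucketEncryption", "ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}
SUSPECT_TOOLS = ("rclone", "aws-cli")  # prefix of the CloudTrail userAgent field
SNAPSHOT_THRESHOLD, SNAPSHOT_WINDOW = 3, timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)
GPU_PREFIXES = ("p", "g")  # EC2 accelerated families, e.g. p4d, g5 (heuristic)


def _ev(time, source, name, arn, ip, ua, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "userAgent": ua, "requestParameters": params or {}}


ALICE = "arn:aws:iam::111122223333:user/alice"
SVC = "arn:aws:iam::111122223333:user/deploy-svc"
BACKUP = "arn:aws:sts::111122223333:assumed-role/BackupAutomation/scheduler"
CLI, RCLONE, CONSOLE = "aws-cli/2.15.0 Python/3.11.6", "rclone/v1.65.0", "console.amazonaws.com"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("2025-03-01T09:55:00Z", "s3.amazonaws.com", "GetObject", ALICE, "203.0.113.10", CLI),        # benign engineer
    _ev("2025-03-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", SVC, "192.0.2.44", CLI),   # service user, unknown IP
    _ev("2025-03-01T10:01:00Z", "s3.amazonaws.com", "ListObjects", SVC, "192.0.2.44", RCLONE),       # exfil tooling
    _ev("2025-03-01T10:02:00Z", "ec2.amazonaws.com", "CreateSnapshot", SVC, "192.0.2.44", CLI),
    _ev("2025-03-01T10:03:00Z", "ec2.amazonaws.com", "CreateSnapshot", SVC, "192.0.2.44", CLI),
    _ev("2025-03-01T10:04:00Z", "ec2.amazonaws.com", "CreateSnapshot", SVC, "192.0.2.44", CLI),      # third in four minutes
    _ev("2025-03-01T10:06:00Z", "s3.amazonaws.com", "PutBucketEncryption", SVC, "192.0.2.44", CLI),  # ransomware preparation
    _ev("2025-03-01T10:07:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion", SVC, "192.0.2.44", CLI),
    _ev("2025-03-01T10:20:00Z", "ec2.amazonaws.com", "RunInstances", SVC, "198.51.100.7", CONSOLE,
        {"instanceType": "p4d.24xlarge"}),                                                           # GPU box, other region
    _ev("2025-03-01T10:30:00Z", "ec2.amazonaws.com", "CreateSnapshot", BACKUP, "203.0.113.10",
        "aws-sdk-go/1.50.0"),                                                                        # benign backup job
]


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def analyze(events):
    """Return (rule, principal_arn, detail) findings in event order."""
    findings, snapshots, last_seen, seen_tools = [], defaultdict(list), {}, set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, who, ip = ev["eventName"], ev["userIdentity"]["arn"], ev["sourceIPAddress"]
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        tool = ev.get("userAgent", "").split("/")[0]

        # 1. Encryption / key tampering used by API-driven ransomware.
        if name in KEY_TAMPERING_EVENTS:
            findings.append(("key_tampering", who, name))

        # 2. Mass snapshots by a principal that is not known backup automation (sliding window).
        if name == "CreateSnapshot" and who not in KNOWN_BACKUP_PRINCIPALS:
            snapshots[who] = [t for t in snapshots[who] if when - t <= SNAPSHOT_WINDOW] + [when]
            if len(snapshots[who]) == SNAPSHOT_THRESHOLD:  # fires on the event that crosses the threshold
                findings.append(("mass_snapshot", who, f"{SNAPSHOT_THRESHOLD} snapshots within {SNAPSHOT_WINDOW}"))

        # 3. rclone / native CLI driven from outside the corporate network, once per (principal, ip, tool).
        if tool in SUSPECT_TOOLS and not _is_corporate(ip) and (who, ip, tool) not in seen_tools:
            seen_tools.add((who, ip, tool))
            findings.append(("cli_from_unknown_ip", who, f"{tool} from {ip}"))

        # 4. GPU instance launches (AI/compute hijacking).
        itype = ev.get("requestParameters", {}).get("instanceType", "")
        if name == "RunInstances" and itype.startswith(GPU_PREFIXES):
            findings.append(("gpu_instance", who, itype))

        # 5. Impossible travel: same principal, different region, inside TRAVEL_WINDOW.
        region, prev = GEO.get(ip), last_seen.get(who)
        if region and prev and prev[1] and prev[1] != region and when - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", who, f"{prev[1]} -> {region} in {when - prev[0]}"))
        last_seen[who] = (when, region)
    return findings


if __name__ == "__main__":
    for rule, who, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:20} {who.rsplit('/', 1)[-1]:12} {detail}")
```

The benign records (an engineer on the corporate range, the scheduled backup role) produce nothing; the `deploy-svc` user produces seven findings that together read as the sequence the report describes: tooling from an unknown network, snapshot staging, encryption and key tampering, then GPU capacity spun up from a second region. Running on real data, replace the static `GEO` table with a GeoIP lookup and the allow-lists with inventory data.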
## Mitigation Strategies
- **Zero Trust Architecture:** Implement strictly governed conditional access policies and Phishing-Resistant MFA (FIDO2).
- **Hardening:** Disable unused cloud regions and services; enforce the Principle of Least Privilege (PoLP) for non-human identities.
- **Immutable Backups:** Maintain offline or air-gapped backups, or cloud-native immutable copies (e.g., S3 Object Lock in compliance mode in a separate account), that cannot be modified or deleted via the compromised account's administrative APIs.
- **Infrastructure as Code (IaC) Scanning:** Scan templates (Terraform/CloudFormation) for misconfigurations before deployment.
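One way to act on the Hardening, Immutable Backups and IaC Scanning bullets above, as an added example that is not the report's or any vendor's code: a Python pre-deployment check over a CloudFormation template (passed as a dict), shown with a weak template beside a hardened one. The property names (`ObjectLockEnabled`, `PendingWindowInDays`, `Policies`) and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are AWS's own; the two templates are constructed and trimmed to the properties the check reads, and the 30-day deletion-window threshold is an assumption.

```python
"""Pre-deployment check over a CloudFormation template for the settings the
Hardening, Immutable Backups and IaC Scanning mitigations call for. Added
example: the templates are constructed and trimmed, the threshold is assumed;
resource/property names and the SSE-C condition key are CloudFormation's own."""

SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
MIN_KEY_DELETION_WINDOW = 30  # assumption: longest window AWS allows (7-30 days), maximising time to cancel a deletion


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def _denies_ssec(policy_document):
    """True if some Deny statement conditions on the SSE-C header being present."""
    for stmt in _statements(policy_document):
        if stmt.get("Effect") != "Deny":
            continue
        for operator in stmt.get("Condition", {}).values():
            if SSEC_CONDITION_KEY in operator:
                return True
    return False


def scan_template(template):
    """Return (logical_id, finding) tuples for risky settings in a CloudFormation template dict."""
    findings, buckets, ssec_protected = [], [], set()
    for logical_id, resource in template.get("Resources", {}).items():
        rtype, props = resource.get("Type"), resource.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            buckets.append(logical_id)
            if not props.get("ObjectLockEnabled"):
                findings.append((logical_id, "Object Lock disabled; objects can be overwritten or deleted via the S3 API"))
        elif rtype == "AWS::S3::BucketPolicy":
            target = props.get("Bucket")
            ref = target.get("Ref") if isinstance(target, dict) else target
            if _denies_ssec(props.get("PolicyDocument", {})):
                ssec_protected.add(ref)
        elif rtype == "AWS::KMS::Key":
            window = props.get("PendingWindowInDays", 30)  # CloudFormation default when omitted
            if window < MIN_KEY_DELETION_WINDOW:
                findings.append((logical_id, f"PendingWindowInDays={window}; a scheduled key deletion becomes irreversible in under {MIN_KEY_DELETION_WINDOW} days"))
        elif rtype == "AWS::IAM::Role":
            for policy in props.get("Policies", []):
                for stmt in _statements(policy.get("PolicyDocument", {})):
                    wild = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
                    if stmt.get("Effect") == "Allow" and wild:
                        findings.append((logical_id, f"policy {policy.get('PolicyName')} allows wildcard actions {wild}"))
    for bucket in buckets:  # a bucket is only covered if some policy denies SSE-C uploads
        if bucket not in ssec_protected:
            findings.append((bucket, f"no bucket policy denying SSE-C uploads ({SSEC_CONDITION_KEY})"))
    return findings


# Constructed templates, trimmed to the properties the check reads.
WEAK_TEMPLATE = {"Resources": {
    "BackupBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-backups"}},
    "BackupKey": {"Type": "AWS::KMS::Key", "Properties": {"PendingWindowInDays": 7}},
    "CiRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "ci",
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
}}

HARDENED_TEMPLATE = {"Resources": {
    "BackupBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "example-backups",
        "VersioningConfiguration": {"Status": "Enabled"},
        "ObjectLockEnabled": True,
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}},
    "BackupBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "BackupBucket"},
        "PolicyDocument": {"Statement": [{  # reject any upload that carries an SSE-C key
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": {"Fn::Sub": "${BackupBucket.Arn}/*"},
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}}}]}}},
    "BackupKey": {"Type": "AWS::KMS::Key", "Properties": {"PendingWindowInDays": 30}},
    "CiRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "ci",
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
                                          "Resource": {"Fn::Sub": "${BackupBucket.Arn}/*"}}]}}]}},
}}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, scan_template(tpl) or "clean")
```

The weak template yields four findings (no Object Lock, no SSE-C deny, a 7-day key deletion window, a CI role with `Action: "*"`); the hardened one yields none. Wire the check into the pipeline that applies the template so a failing scan blocks the deploy rather than just logging.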
## Related Tools/Techniques
- **Pacu / RogueCloud:** Frameworks used for cloud exploitation.
- **Shadow Admin Exploitation:** Elevating privileges via misconfigured IAM relationships.
- **Token Theft:** Stealing session tokens from developer workstations to bypass MFA.