{"id":15935,"date":"2026-03-11T07:06:38","date_gmt":"2026-03-11T07:06:38","guid":{"rendered":"https:\/\/newestek.com\/?p=15935"},"modified":"2026-03-11T07:06:38","modified_gmt":"2026-03-11T07:06:38","slug":"12-ways-attackers-abuse-cloud-services-to-hack-your-enterprise","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15935","title":{"rendered":"12 ways attackers abuse cloud services to hack your enterprise"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Attackers are increasingly abusing trusted SaaS platforms, cloud infrastructure, and identity systems to blend malicious activity into legitimate enterprise traffic.<\/p>\n<p>Adversaries are pushing command and control (C2) through high-reputation services, including OpenAI and AWS, to blend in with normal business traffic and evade blocklists.<\/p>\n<p>The shift from \u201c<a href=\"https:\/\/www.csoonline.com\/article\/643617\/living-off-the-land-attacks-are-hard-but-not-impossible-to-protect-against.html\">living off the land<\/a>\u201d to \u201cliving off the cloud\u201d reflects how attackers have adapted to the enterprise\u2019s migration of IT infrastructure to hybrid and cloud environments such as AWS, Azure, and Google Cloud.<\/p>\n<p>\u201cInstead of abusing local binaries like PowerShell or WMI [Windows Management Instrumentation] to evade detection, adversaries now leverage native cloud administrative tools, APIs, identity systems, and management consoles to operate using legitimate functionality,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/khanman\/\">Arif Khan<\/a>, head of threat hunting and response services at Mitiga. 
\u201cBecause cloud environments are inherently API-driven, attackers who obtain valid credentials or tokens can enumerate resources, extract data, escalate privileges, and maintain persistence through routine-looking administrative calls.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/cloud-security\/\">Hacking cloud-based systems<\/a> bypasses traditional defenses that rely heavily on domain reputation and static blocklists. Running attack infrastructure from the cloud also makes attacks easier to mount.<\/p>\n<p>\u201cAttackers are increasingly using legitimate cloud services as part of their attack infrastructure,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/almroot\/?originalSubdomain=se\">Fredrik Almroth<\/a>, security researcher and co-founder at Detectify. \u201cInstead of operating their own command-and-control servers, they route traffic through trusted platforms like cloud storage, collaboration tools, or AI APIs. To defenders, it can look like routine traffic to a reputable provider.\u201d<\/p>\n<p>Below are some examples of how attackers are increasingly abusing cloud-based services to mount a variety of attacks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"covert-command-and-control-via-cloud-hosted-productivity-tools\">Covert command-and-control via cloud-hosted productivity tools<\/h2>\n<p>Researchers from <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/disrupting-gridtide-global-espionage-campaign\">Google and Mandiant recently disrupted a suspected Chinese cyber-espionage operation (UNC2814)<\/a> that was abusing legitimate Google Sheets functionality to evade detection.<\/p>\n<p>The Gridtide malware at the center of the campaign connected to a threat actor\u2013controlled Google spreadsheet for C2, effectively allowing it to blend in with normal network traffic.<\/p>\n<p>The malware treats Google Sheets as a live C2 database, using a Service Account token to poll specific cells for instructions before writing 
results from tasks back into adjacent columns.<\/p>\n<p>\u201cThis is part of an ongoing trend of actors increasingly finding success in abusing SaaS platforms as an alternative to creating and maintaining their own custom infrastructure,\u201d according to Google\u2019s researchers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hiding-command-and-control-in-trusted-apis\">Hiding command-and-control in trusted APIs<\/h2>\n<p>Attackers are also building malware that routes C2 traffic through trusted services such as OpenAI APIs.<\/p>\n<p>For example, the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/11\/03\/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control\/\">SesameOp backdoor routes traffic through OpenAI\u2019s Assistants API<\/a>, masking C2 communications as legitimate AI development work.<\/p>\n<p>\u201cIn cases such as the <a href=\"https:\/\/www.csoonline.com\/article\/4083999\/new-backdoor-sesameop-abuses-openai-assistants-api-for-stealthy-c2-operations.html\">SesameOp backdoor<\/a>, traffic looks like normal AI development activity,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/parthiban-jegatheesan\/?originalSubdomain=in\">Parthiban Jegatheesan<\/a>, managing director at Peneto Labs. 
\u201cTo security tools, it blends in with legitimate business use, making it much harder to block without breaking real workflows.\u201d<\/p>\n<p>Malware such as <a href=\"https:\/\/www.hunters.security\/en\/blog\/veildrive-microsoft-services-malware-c2\">VEILDrive<\/a> and malicious variants of the Havoc post-exploitation framework abuse the Microsoft Graph API.<\/p>\n<p>\u201cThe malware authenticates to a legitimate corporate SharePoint or OneDrive tenant where it utilizes Graph API to read command files such as <code>cmd.txt<\/code> and write \u2018output\u2019 files (e.g., <code>results.json<\/code>) directly into a folder that looks like a user\u2019s personal backup,\u201d explains Kwangyun Keum, a senior offensive security engineer.<\/p>\n<h2 class=\"wp-block-heading\" id=\"malware-staging-in-object-storage\">Malware staging in object storage<\/h2>\n<p>Attackers are increasingly storing second-stage payloads or configuration files in cloud storage services \u2014 for example, S3-compatible buckets \u2014 instead of their own servers.<\/p>\n<p>\u201cThese files are pulled down only when needed, reducing the malware footprint on disk and allowing attackers to swap payloads without redeploying malware,\u201d Peneto Labs\u2019 Jegatheesan says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"data-exfiltration-via-trusted-services\">Data exfiltration via trusted services<\/h2>\n<p>Attackers have also shifted from traditional FTP drops or risky pastebin (text storage) sites to exfiltrating massive troves of sensitive data via everyday cloud-based corporate communication tools such as Slack and Discord, according to Nicholas Carroll, manager of cyber incident response at Nightwing.<\/p>\n<p>Carroll says that in recent attack campaigns, threat actors \u201cconfigured compromised servers to execute HTTPS POST requests to\u00a0api.slack.com,\u00a0hooks.slack.com, or\u00a0discord.com,\u201d using these endpoints to exfiltrate \u201cheavily monitored secrets such as AWS 
Access Keys, SSH keys, and internal API tokens directly into attacker-controlled chat channels.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"hybrid-and-multi-stage-kill-chains-entirely-inside-the-cloud\">Hybrid and multi-stage kill chains entirely inside the cloud<\/h2>\n<p>Several campaigns demonstrate full cloud-native attack chains, including one campaign linked to a Chinese cyberespionage group.<\/p>\n<p>\u201cSince March 2024, <a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/genesis-panda\/\">Genesis Panda<\/a> has systematically weaponized cloud services across the full attack chain \u2014 querying AWS Instance Metadata Service (IMDS) for credential harvesting, using cloud storage for payload hosting, routing C2 through domains impersonating legitimate cloud services, and using cloud compute for data exfiltration,\u201d says <a href=\"https:\/\/diptamay.com\/\">Diptamay Sanyal<\/a>, principal engineer for data, AI, and cybersecurity at CrowdStrike.<\/p>\n<p>\u201cThe cloud isn\u2019t a target here \u2014 it\u2019s the entire operational backbone,\u201d Sanyal adds.<\/p>\n<h2 class=\"wp-block-heading\" id=\"phishing-and-social-engineering-via-trusted-platforms\">Phishing and social engineering via trusted platforms<\/h2>\n<p>Attackers are increasingly hosting lures and login pages on legitimate cloud infrastructure.<\/p>\n<p>For example, Russia-nexus hacking group Cozy Bear (APT 29) delivered phishing links redirecting to authentic Microsoft login pages, removing the most common phishing red flag \u2014 suspicious domains.<\/p>\n<p>\u201cVictims only ever saw legitimate Microsoft infrastructure, making traditional URL-based detection useless,\u201d says CrowdStrike\u2019s Sanyal.<\/p>\n<h2 class=\"wp-block-heading\" id=\"serverless-and-ephemeral-infrastructure-abuse\">Serverless and ephemeral infrastructure abuse<\/h2>\n<p>Attackers are abusing serverless services, such as AWS Lambda or Azure Functions, to conduct network reconnaissance and 
scanning.<\/p>\n<p>The tactic was deployed during the <a href=\"https:\/\/unit42.paloaltonetworks.com\/windows-backdoor-for-novel-c2-communication\/\">HazyBeacon campaign targeting governmental entities in Southeast Asia<\/a> and uncovered by Palo Alto Networks\u2019 Unit 42 threat intel division.<\/p>\n<p>\u201cInstead of scanning a target from a single compromised server, which gets its IP blocked immediately, the attacker spins up thousands of ephemeral Lambda functions,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/kakooch\/\">Kaveh Ranjbar<\/a>, co-founder and CEO of Whisper Security, and ex-CIO\/CTO of RIPE NCC. \u201cEach function scans a small slice of the target network and then dies.\u201d<\/p>\n<p>The traffic originates from high-reputation Amazon IPs that rotate constantly. Enterprise firewalls cannot block these IPs without breaking their own access to legitimate AWS services. \u201cThe attacker effectively \u2018launders\u2019 their traffic through Amazon\u2019s reputation,\u201d Ranjbar adds.<\/p>\n<h2 class=\"wp-block-heading\" id=\"cloud-tunneling\">Cloud tunneling<\/h2>\n<p>Adversaries are bypassing inbound firewall rules by utilizing legitimate \u2018tunneling\u2019 services hosted on major cloud providers.<\/p>\n<p>\u201cAn attacker compromises an internal server but cannot open a port to listen for commands due to the corporate firewall,\u201d Whisper Security\u2019s Ranjbar explains. \u201cSo, they install a Cloudflare Tunnel or ngrok agent. This agent initiates an outbound connection to the cloud provider, which is usually allowed.\u201d<\/p>\n<p>Ranjbar adds: \u201cTo the security team, this looks like legitimate, encrypted HTTPS traffic going to Cloudflare or AWS. 
In reality, it is a stable C2 channel that tunnels right through the perimeter defenses using trusted infrastructure as the carrier.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"ebs-snapshot-sharing\">EBS snapshot sharing<\/h2>\n<p>Cybercrime groups such as <a href=\"https:\/\/reliaquest.com\/blog\/scattered-spider-attack-analysis-account-compromise\/\">Scattered Spider<\/a> and Storm-0501 abuse the \u201csnapshot sharing technique,\u201d creating a high-impact IaaS attack vector in the process.<\/p>\n<p>The approach bypasses traditional network security by weaponizing the cloud\u2019s management layer.<\/p>\n<p>\u201cRather than downloading malicious files, the adversary creates a snap \u2018photograph\u2019 of the victim server\u2019s entire hard drive and simply \u2018shares\u2019 it using the ModifySnapshotAttribute API with an external cloud account the attackers control,\u201d says offensive security engineer Keum. \u201cThe attacker subsequently restores the snapshot and then performs attacks such as \u2018offline\u2019 credential dumping.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"trust-abuse-via-entra-id-tenant-relationships\">Trust abuse via Entra ID tenant relationships<\/h2>\n<p>China-nexus actor <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/murky-panda-trusted-relationship-threat-in-cloud\/\">Murky Panda<\/a> compromised upstream IT service providers to silently pivot into downstream victims through trusted Entra ID (formerly Azure AD) tenant connections, according to CrowdStrike.<\/p>\n<p>Hacking into Entra ID tenant configurations to gain admin privileges is also a feature of ransomware group <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/08\/27\/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware\/\">Storm-0501\u2019s tradecraft<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"pulling-secrets-directly-from-cloud-vaults\">Pulling secrets directly from cloud vaults<\/h2>\n<p>Groups such as Storm-0501 have 
abused cloud-native secrets stores such as AWS Secrets Manager to harvest credentials as part of their broader ransomware and extortion campaigns.<\/p>\n<p>\u201cInstead of dumping credentials from endpoints, attackers query secrets directly through cloud APIs,\u201d says Peneto Labs\u2019 Jegatheesan. \u201cThis avoids endpoint detection and shifts the attack into places many security teams monitor less closely.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"touching-the-void\">Touching the void<\/h2>\n<p>Miscreants have even built cloud-native malware made up of custom loaders, implants, rootkits, and modular plugins, designed to achieve persistence on compromised targets.<\/p>\n<p>For example, <a href=\"https:\/\/research.checkpoint.com\/2026\/voidlink-the-cloud-native-malware-framework\/\">VoidLink<\/a> is a highly advanced malware framework purpose-built to compromise major cloud infrastructures such as AWS, Azure, GCP, and Kubernetes clusters. The framework, apparently built and maintained by Chinese-affiliated developers, was first identified by researchers from Check Point.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Attackers are increasingly abusing trusted SaaS platforms, cloud infrastructure, and identity systems to blend malicious activity into legitimate enterprise traffic. Adversaries are pushing command and control (C2) through high-reputation services, including OpenAI and AWS, to blend in with normal business traffic and evade blocklists. 
The shift from \u201cliving off the land\u201d to \u201cliving off the cloud\u201d reflects how attackers have adapted to the enterprise\u2019s migration&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15935\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15935","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15935"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15935\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}