Datadog threat roundup: Top insights for Q1 2025

This report from Datadog highlights significant threats to cloud infrastructure and software supply chain security noted in Q1 2025. Key trends include the increased attention of threat actors on the cloud control plane, continued prevalence of Business Email Compromise (BEC) attacks, and various malicious campaign tactics in software repositories. Affected: Cloud infrastructure, Software supply chain, npm, PyPI

Key points:

  • Cloud control plane attacks make up 47% of identified threats in Q1 2025.
  • AWS services remain the most targeted, particularly with Amazon SES exploits.
  • Business Email Compromise (BEC) attacks account for 28% of incidents, highlighting evolving tactics.
  • Name-squatting in npm and PyPI observed, targeting developers with malicious packages.
  • Coordinated cryptojacking campaigns identified, notably targeting Linux developers.
  • Malicious packages led to the distribution of trojanized software and credential theft.
  • Threat actors specifically targeting developers using East Asian cloud services.
  • Unreported campaigns utilizing compromised npm packages for unauthorized access identified.
  • Cases of infrastructure abuse in educational sectors noted, involving censorship bypass tools.
  • Scanning activity from XorBot botnet observed to be increasing again after a brief drop.

MITRE Techniques:

  • MITRE Technique ID: T1078 – Valid Accounts: Attackers used valid account credentials to gain unauthorized access.
  • MITRE Technique ID: T1566 – Phishing: Business Email Compromise (BEC) relies on phishing tactics like inbox rule manipulation and OAuth consent phishing.
  • MITRE Technique ID: T1203 – Exploitation for Client Execution: Malicious Node.js scripts executed in the victim's environment.
  • MITRE Technique ID: T1205 – Exploit Public-Facing Application: Exploitation of npm-related vulnerabilities to deliver malicious payloads.
  • MITRE Technique ID: T1056 – Input Capture: Malicious scripts were designed to exfiltrate credentials and system metadata.
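The T1566 entry above names inbox rule manipulation as a BEC tactic. The following detection logic, added here as an example and not part of the Datadog report, flags mailbox rules that forward mail outside the tenant, delete matching messages, or file them into folders users rarely check. The records are constructed samples shaped like Microsoft 365 unified audit log entries; the field and parameter names are assumptions, so map them to your own log source.

```python
import json

# Constructed samples shaped like Microsoft 365 audit log ExchangeAdmin records (names assumed).
SAMPLE_AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
        {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Identity", "Value": "Sync"},
        {"Name": "ForwardTo", "Value": "external@attacker-mail.invalid"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email", "Archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remit"}

def flag_inbox_rule(record, internal_domain):
    """Return reasons this audit record looks like BEC inbox-rule abuse ([] if clean)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = {x["Name"]: str(x.get("Value", "")) for x in record.get("Parameters", [])}
    strong, context = [], []
    # Strong signals: mail routed outside the tenant, or matching mail removed from view.
    for name in FORWARD_PARAMS & set(p):
        if "@" in p[name] and not p[name].lower().endswith("@" + internal_domain):
            strong.append(f"{name} to external address {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        strong.append("rule deletes matching messages")
    if p.get("MoveToFolder") in HIDE_FOLDERS:
        strong.append(f"rule hides mail in '{p['MoveToFolder']}'")
    # Corroborating context, reported only alongside a strong signal.
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        context.append("targets finance-related subjects")
    if "Name" in p and len(p["Name"].strip()) <= 2:
        context.append("near-empty rule name")
    return strong + context if strong else []

def scan(lines, internal_domain="example.com"):
    # One JSON audit record per line; returns {user: [reasons]} for flagged rules only.
    hits = {}
    for line in lines:
        rec = json.loads(line)
        reasons = flag_inbox_rule(rec, internal_domain)
        if reasons:
            hits[rec["UserId"]] = reasons
    return hits
```

Running `scan(SAMPLE_AUDIT_LOG)` flags Alice's delete-and-hide rule and Bob's external forward while leaving Carol's ordinary newsletter rule alone.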

Indicators of Compromise:

  • [IP Address] 80.78.28.72
  • [Malicious Domain] api.github.com
  • [URL] https://grammy.validator[.]icu
  • [IP Address] 37.44.238[.]88
  • [File Hash] 512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5

Full Story: https://securitylabs.datadoghq.com/articles/2025-q1-threat-roundup/