
    Cado’s 2024 Threat Report: Key Findings and Emerging Trends

    As cloud adoption continues to grow, so does the sophistication of cloud-based threats. Cado Security Labs' 2024 Threat Report provides a look at emerging cyber threats, evolving attack techniques, and key vulnerabilities that have been discovered and observed over the past year. Here, we offer a sneak peek into the report’s major findings and what they mean for cloud security.

    Key Findings from the 2024 Report

    1. New Services Exploited for Resource Hijacking

    Resource hijacking—particularly cryptomining—remains a persistent threat in cloud environments. While XMRig miners continue to dominate, threat actors are expanding their scope, targeting new services such as Cloudflare WARP and Selenium Grid for initial access. Notably, Cado Security Labs identified the first known exploitation of Selenium Grid to deploy cryptominers. A previously undocumented miner, named Perfcc, was discovered in one campaign, while another campaign leveraged Selenium Grid for proxyjacking.

    2. Misconfigured Services Are Still a Prime Target

    Misconfigurations remain one of the most exploited vulnerabilities in cloud environments. Docker, Redis, Apache Hadoop YARN, and Confluence were among the most targeted services in 2024. One particularly notable campaign, Spinning YARN, exploited a wide array of cloud services to deploy malware and propagate cryptominers. Another attack, Commando Cat, used exposed Docker API endpoints to deliver a backdoor, cryptominer, and credential stealer—demonstrating the continued need for strong cloud security hygiene.

    3. Rust and Golang Malware Continues to Rise

    Rust and Golang remain go-to programming languages for malware developers. These languages allow threat actors to build cross-platform, highly evasive malware that is harder to analyze. In 2024, Cado Security Labs identified multiple campaigns leveraging Rust and Golang, including:

    • Cthulhu Stealer, a Golang-based malware targeting macOS users.
    • Meeten Campaign, a Rust-based attack stealing credentials from both macOS and Windows devices.
    • P2PInfect, a Rust-based botnet that has evolved to include ransomware and cryptomining capabilities.

    4. Evolution of P2PInfect Malware

    The P2PInfect botnet, initially observed in 2023, underwent significant transformations in 2024. While it initially spread via Redis and SSH brute-force attacks, it has since incorporated ransomware functionality—demonstrating a shift toward more aggressive monetization tactics. This highlights the increasing overlap between botnets, cryptominers, and ransomware in cloud-targeted malware campaigns.

    5. The Rise of Cloud-Specific Malware Campaigns

    Threat actors are becoming more adept at targeting cloud services, leveraging novel attack techniques to exploit misconfigurations and weak access controls. Some of the most notable campaigns include:

    • Perfcc Miner: First documented exploitation of Selenium Grid for cryptomining.
    • Spinning YARN: A massive multi-vector Linux malware campaign targeting Apache Hadoop YARN, Docker, Redis, and Confluence.
    • Meeten Stealer: A sophisticated Web3 scam using AI-generated fake companies to distribute Realst info-stealer malware.

    Observations and Industry Trends

    Cado Security Labs’ research reveals several critical trends shaping the cloud threat landscape:

    • Threat actors are shifting their focus to new and emerging services such as Selenium Grid and Jenkins, indicating a broader attack surface.
    • Misconfigurations remain the primary initial access vector for attackers, underscoring the importance of proactive security measures.
    • Multi-functional malware strains combining cryptojacking, ransomware, and credential theft are becoming more prevalent, leading to more severe and financially motivated attacks.

    Final Thoughts: Strengthening Cloud Security Posture

    As organizations increasingly rely on cloud-based infrastructure, security teams must reassess their defenses to stay ahead of emerging threats. To mitigate risks, organizations should:

    • Regularly audit cloud environments for misconfigurations and vulnerabilities.
    • Minimize the attack surface by restricting public exposure of cloud services.
    • Monitor logs and network traffic for anomalies indicative of exploitation attempts.
    • Adopt robust detection mechanisms to identify emerging malware strains before they escalate.
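    As an added example (not code from the report or from Cado Security Labs) of the first two recommendations applied to two of the services named above, the script below audits a Docker daemon.json and a redis.conf for the exposure patterns that exposed-Docker-API and open-Redis campaigns rely on: a TCP API listener on all interfaces or without TLS client verification, and a Redis instance bound to every interface with protected mode off and no authentication. The configuration keys (`hosts`, `tlsverify`, `bind`, `protected-mode`, `requirepass`, `user`) are the real Docker and Redis directives; the four sample configurations are constructed for the example and describe no real host.

```python
"""Offline configuration audit for Docker daemon and Redis exposure.

Added example: reads configuration text (never the network), so it can run
in CI or a host-hardening check. Sample configs below are constructed.
"""
import json
from typing import Dict, List

# Constructed sample: Docker API on all interfaces over plain TCP (2375 is the
# conventional unencrypted Docker API port; 2376 the TLS one).
WEAK_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TCP listener kept on loopback and protected by TLS
# client-certificate verification.
HARDENED_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: Redis reachable from anywhere, no auth, protected mode off.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, protected mode on, password required.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_STRONG_SECRET
"""

WILDCARD_ADDRS = {"", "0.0.0.0", "[::]", "::", "*"}


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Return findings for a Docker daemon.json document (empty list = clean)."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        host, _, _port = listener[len("tcp://"):].rpartition(":")
        if host in WILDCARD_ADDRS:
            findings.append(f"docker: API listens on all interfaces ({listener})")
        if not tls_verify:
            findings.append(f"docker: TCP listener without tlsverify ({listener})")
    return findings


def _parse_redis_conf(conf: str) -> Dict[str, List[str]]:
    """Collect redis.conf directives (lower-cased) to their argument strings."""
    settings: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_redis_conf(conf: str) -> List[str]:
    """Return findings for a redis.conf text (empty list = clean)."""
    settings = _parse_redis_conf(conf)
    findings: List[str] = []
    binds = settings.get("bind", [])
    # With no bind directive at all Redis listens on every interface.
    if not binds or any(a in WILDCARD_ADDRS for b in binds for a in b.split()):
        findings.append("redis: bound to all interfaces")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in settings and "user" not in settings:
        findings.append("redis: no authentication (requirepass or ACL user) configured")
    return findings


if __name__ == "__main__":
    for label, fn, sample in (
        ("docker (weak)", audit_docker_daemon, WEAK_DOCKER_DAEMON_JSON),
        ("docker (hardened)", audit_docker_daemon, HARDENED_DOCKER_DAEMON_JSON),
        ("redis (weak)", audit_redis_conf, WEAK_REDIS_CONF),
        ("redis (hardened)", audit_redis_conf, HARDENED_REDIS_CONF),
    ):
        print(label, fn(sample) or ["OK"])
```

    The weak Docker sample produces two findings (wildcard bind and no TLS verification) and the weak Redis sample three (wildcard bind, protected mode off, no authentication); both hardened samples produce none. Running such a check against real files (`/etc/docker/daemon.json`, `/etc/redis/redis.conf`) on a schedule covers the "audit for misconfigurations" and "restrict public exposure" points for these two services; the same pattern extends to the other services the report names once their configuration formats are parsed.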

    The full 2024 Threat Report by Cado Security Labs provides in-depth technical analysis and actionable recommendations. Stay ahead of cyber threats: download the full report today to gain insights into the evolving cloud security landscape.
