
Hackers Mission Uncovered

CloudLock CyberLab

Founded by Israeli Elite Cybersecurity Military Intelligence experts, the CloudLock CyberLab is a global team of leading security experts, analysts, penetration testers, incident responders, forensic investigators and security researchers focused on driving unique insight into cybersecurity threats related to the cloud.


During a security assessment, the CloudLock CyberLab unearthed a significant threat that may impact your own organization. Suspicious IP addresses were found attempting to access the cloud platforms of multiple organizations, performing login attempts against hundreds of user accounts. This activity is abnormal.

In the past few days, 20 highly suspicious IP addresses were found across different geographies (UAE, Saudi Arabia, Bulgaria, Ukraine, etc.), affecting thousands of users. These numbers are growing by the hour.

What is the worry?

  • The activity details show that these actors are hitting login challenges, the mechanism by which Google adds a second login step (security question / SMS code). This indicates that the attackers already hold the correct password for many of these users: they are not simply failing to log in.
  • They are not attempting to pass the second step (security question / captcha); they stop and abandon the attempt. This is a strong indicator of a mass credential verification effort (e.g. building a list of verified credentials to be released or sold).
  • Cross-referencing the list of affected users against known breach databases (haveibeenpwned.com) confirmed the suspicion above, with a 90% match.

The Bottom Line

We believe what we are observing is a mass credential verification. The same attackers may strike at any time, or resell the verified credentials for other cybercrime use.

Below is the list of IP addresses (ISP and country as attributed at the time of observation):

IP Address                   ISP Info                                   Country
                             iomart hosting                             UK
                             Mobily Corp.                               Saudi Arabia
                             OVH Hosting                                Canada
                             Emirates Telecommunications                UAE
                             Hetzner Online GmbH                        Germany
                             3BB Broadband                              Thailand
                             Hetzner Online GmbH                        Germany
                             Amazon                                     Boardman, OR
                             Choopa, LLC                                Los Angeles, CA
                             HETZNER                                    Germany
                             Totalplay Telecomunicaciones Sa De Cv      Mexico
                             Lir.bg EOOD                                Bulgaria
2a01:7e0:0:405:0:0:0:10f3    First Colo GmbH                            Germany
                             Privax Ltd.                                Houston, TX
                             Hetzner Online GmbH                        Germany
                             Maxnet Ltd., Kharkiv                       Ukraine
                             Emirates Telecommunications Corporation    United Arab Emirates
                             Hetzner Online GmbH                        Germany
                             Hetzner Online GmbH                        Germany
                             Hetzner Online GmbH                        Germany

CyberLab Recommendations

  • Blacklist these IP addresses, and create a policy to track activity from them so that every event can be tied back to the relevant users.
  • You can also run ad hoc searches to find any past violations from these addresses.
  • Reset passwords for affected users across both cloud and on-premise systems.
  • Review activity logs for these users across cloud and on-premise sources for possible evidence of breach or foul play.
  • As a best practice, consider monitoring databases of breached account information (such as haveibeenpwned.com) to make sure your users are protected. Hackers are definitely doing this all the time, building their own libraries of verified user credentials.
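The following script is an added example, not CloudLock's code or tooling. It implements the two log checks described on this page: tying every event from the listed IP addresses back to the affected users (the first two recommendations), and detecting the "challenge reached, then abandoned, across many accounts from one source" pattern described under "What is the worry?". The log format, the event names (loosely modelled on Google Workspace login-audit events), the sample lines, the RFC 5737 / RFC 3849-style indicator addresses other than the one IPv6 address quoted above, and the five-account threshold are all constructed assumptions for illustration.

```python
"""Detect mass credential verification against cloud login audit logs.

Added example. Log format, event names, sample data and thresholds are
assumptions; only 2a01:7e0:0:405::10f3 comes from the indicator list above.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: "<timestamp> <user> <source_ip> <event>".
# Event names loosely follow Google Workspace login-audit naming:
#   login_challenge    second step presented (security question / SMS)
#   login_verification second step passed
#   login_success / login_failure
SAMPLE_LOG = """\
2016-01-12T03:14:05Z alice@example.com 2a01:7e0:0:405::10f3 login_challenge
2016-01-12T03:14:09Z bob@example.com 2a01:7e0:0:405::10f3 login_challenge
2016-01-12T03:14:12Z carol@example.com 2a01:7e0:0:405::10f3 login_challenge
2016-01-12T03:14:15Z dave@example.com 2a01:7e0:0:405::10f3 login_challenge
2016-01-12T03:14:19Z erin@example.com 2a01:7e0:0:405::10f3 login_challenge
2016-01-12T03:14:22Z frank@example.com 2a01:7e0:0:405::10f3 login_failure
2016-01-12T07:02:40Z carol@example.com 203.0.113.5 login_challenge
2016-01-12T07:03:10Z carol@example.com 203.0.113.5 login_verification
2016-01-12T07:03:11Z carol@example.com 203.0.113.5 login_success
2016-01-12T08:15:00Z grace@example.com 192.0.2.10 login_failure
2016-01-12T08:15:03Z grace@example.com 192.0.2.10 login_failure
2016-01-12T09:40:00Z heidi@example.com 198.51.100.7 login_success
"""

# Constructed blocklist. The IPv6 entry is the one address from the page, written
# in its uncompressed form to show why canonicalisation matters; 192.0.2.10 is a
# documentation-range placeholder standing in for one of the listed IPv4 hosts.
INDICATOR_IPS = {"2a01:7e0:0:405:0:0:0:10f3", "192.0.2.10"}


def canon(ip):
    """Canonical string form, so 2a01:7e0:0:405:0:0:0:10f3 == 2a01:7e0:0:405::10f3."""
    return str(ipaddress.ip_address(ip))


def parse_log(text):
    """Parse the sample format into (ts, user, ip, event) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((ts, user, canon(ip), event))
    events.sort(key=lambda e: e[0])  # ISO-8601 timestamps sort lexically
    return events


def indicator_hits(events, indicators):
    """Map each listed IP to the sorted set of users it touched (any event type)."""
    wanted = {canon(i) for i in indicators}
    hits = defaultdict(set)
    for _, user, ip, _ in events:
        if ip in wanted:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


def abandoned_challenges(events):
    """For each source IP, the users that reached a login challenge from that IP
    and never completed it from the same IP. Tracks last state per (ip, user)."""
    state = {}
    for _, user, ip, event in events:
        key = (ip, user)
        if event == "login_challenge":
            state[key] = "challenged"
        elif event in ("login_verification", "login_success"):
            state[key] = "completed"
    per_ip = defaultdict(set)
    for (ip, user), s in state.items():
        if s == "challenged":
            per_ip[ip].add(user)
    return per_ip


def credential_verification_suspects(events, min_accounts=5):
    """Source IPs that abandoned challenges for at least min_accounts distinct
    users: the password was right (challenge reached) but nobody tried the second
    step, which is the verification pattern rather than normal user behaviour."""
    return {ip: sorted(users)
            for ip, users in abandoned_challenges(events).items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, users in indicator_hits(evts, INDICATOR_IPS).items():
        print(f"indicator {ip}: {len(users)} user(s): {', '.join(users)}")
    for ip, users in credential_verification_suspects(evts).items():
        print(f"suspect {ip}: {len(users)} abandoned challenges: {', '.join(users)}")
```

Users returned by either function are the ones whose passwords should be reset and whose activity logs should be reviewed, per the recommendations above. The threshold is deliberately per-source and per-distinct-account: a legitimate user who gives up on a challenge once (carol at 203.0.113.5 here completes it) will not trip it, while a host that walks through many accounts and stops at the challenge every time will.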
