Type: Campaign
Actors:
Pub. date: December 28, 2022
Initial access: Software misconfig, Web vulnerability
Impact: Data exfiltration
Observed techniques:
Targeted technologies:
Status: Finalized
Last edited: Jun 2, 2024 8:02 AM
Permiso identified a credential harvesting campaign targeting cloud infrastructure. The majority of the victim systems were running public-facing Jupyter Notebooks. At the time of writing there were about 50 compromised systems. The initial infection vector for the compromised systems is not currently known, though it is suspected to be related to exploitation of vulnerable web applications.
The majority of the victims are running public-facing Jupyter Notebooks or Kubernetes; at least 21 of the victims are running a publicly accessible Jupyter Notebook instance.