Cloud intrusions increased significantly in the first half of 2025, rising 136% compared to all of 2024, as reported by CrowdStrike’s 2025 Threat Hunting Report.
Researchers noted that the data shows more attackers are learning to target cloud environments by exploiting misconfigurations, maintaining access, and moving laterally.
The explosion in cloud intrusions was partly driven by a 40% increase in Chinese-nexus actors exploiting these environments.
“China’s cyber espionage capabilities reached a critical inflection point over the past year, marked by increasingly bold targeting, stealthier tactics and expanded operational capacity,” the researchers wrote.
Two Chinese state-linked groups, Genesis Panda and Murky Panda, have proven skilled at operating in cloud environments over the past year.
Genesis Panda appears to act as a primary broker for future intelligence gathering. They have been noted for exploiting various web vulnerabilities to infiltrate cloud systems.
It effectively uses cloud services to increase access and maintain persistence, including targeting accounts of cloud service providers.
Murky Panda targets organizations in North America by exploiting cloud environments through trusted partnerships. They compromise suppliers to gain administrative access to the victim’s Entra ID tenant.
The group shows advanced skills, accessing rare malware like CloudedHope and rapidly exploiting zero-day vulnerabilities.
Enhanced Defense Evasion Techniques:
The CrowdStrike report, released on August 4 during Black Hat USA 2025, found that manual intrusions increased 27% year-over-year in H1 2025.
Threat actors are increasingly using manual navigation to find new ways to bypass outdated detection tools, enabling them to customize their tactics for specific targets.
This assists persistence and lateral movement in target systems, with the ultimate goal normally data exfiltration.
“Unlike automated attacks, interactive intrusions involve human operators who interact with systems in real time, adapting their tactics as need. They are typically more sophisticated and difficult to detect than automated attacks,” the researchers explained.
CrowdStrike OverWatch noted that five of the top 10 MITRE ATT&CK techniques used in the last year were for discovery. These techniques aid attackers in navigating a network while avoiding detection by security systems.
Defense evasion techniques like masquerading and tool modification were among the top 10 most used methods. They help attackers disguise their actions as normal network activity, facilitating other tactics like privilege escalation and credential access.
Scattered Spider Ramps Up Threat Activity:
CrowdStrike noticed the Scattered Spider cybercriminal gang increasing its activity in April 2025 after being mostly inactive from December 2024 to March 2025.
The actor is connected to several ransomware attacks on retail, aviation, and insurance sectors in the UK and US recently.
In June, UK authorities arrested four people for allegedly attacking three major British retailers associated with Scattered Spider.
Vishing attacks surged in H1 2025, surpassing all of 2024 in volume.
Scattered Spider actively uses voice phishing, often impersonating real employees to call an organization’s IT help desk and request password or MFA resets.
Researchers noted the advanced nature of this method, as Scattered Spider accurately provided the impersonated individuals’ employee IDs during identity verification at help desks.
“In one call where the adversary could not provide the impersonated employee’s ID, the threat actor offered to provide the employee’s date of birth and Social Security number as alternative verification credentials,” the researchers said.
InfoSecBulletin Cybersecurity for mankind
