Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025
Attackers are innovating—but they’re still exploiting the basics.
In this report, we examine how threat actors approached cloud environments in 2024. Drawing on detection data from thousands of organizations, we highlight eight commonly observed MITRE ATT&CK techniques and offer practical guidance on how Wiz can help detect and mitigate them.
Fact 1
35% of breaches originated from newly disclosed vulnerabilities
Attackers most commonly gained initial access by exploiting newly disclosed vulnerabilities, often in high-value, internet-facing edge products such as PAN-OS and Aviatrix, where the window between disclosure and exploitation is short. The next most prevalent method was exploitation of public-facing applications (26%), where misconfigurations and exposed services gave threat actors an easy foothold into cloud environments.
Fact 2
1 in 3 environments using PostgreSQL are at risk of exploitation
Nearly 90% of cloud environments run self-managed PostgreSQL, and Wiz found that 33% of those had at least one instance exposed to the internet. Threat actors exploited such instances to deploy memory-resident cryptominers, as seen in the JINX-0126 (CPU_HU) campaign.
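The practical check behind this finding is whether a self-managed PostgreSQL server both binds a public interface and admits remote clients with weak or no authentication. The script below is an added example written for this page, not code from the report or from Wiz: it audits a postgresql.conf and a pg_hba.conf for that combination. The two configuration files are constructed samples, and the list of internal network ranges and the severity labels are the example's own choices.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample configuration files written for this example.
POSTGRESQL_CONF = """
listen_addresses = '*'          # bind every interface
port = 5432
password_encryption = md5
"""

PG_HBA_CONF = """
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       10.0.0.0/8      scram-sha-256
host    all       postgres  0.0.0.0/0       md5
hostssl all       all       ::/0            trust
"""

# Methods that let a remote client in with no password, or with one that is
# easy to brute-force or replay. (Classification chosen for this example.)
WEAK_METHODS = {"trust", "password", "md5"}

# Ranges that are not routable from the internet. Membership is tested with
# subnet_of() rather than is_global(), because 0.0.0.0/0 is not "global" to
# the ipaddress module (its first and last addresses are reserved).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]


def parse_setting(conf: str, name: str) -> str | None:
    """Return a postgresql.conf value with comments and quotes stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(rf"^{re.escape(name)}(?:\s*=\s*|\s+)(.+)$", line)
        if m:
            return m.group(1).strip().strip("'\"")
    return None


def parse_hba(conf: str) -> list[dict]:
    """Parse network rules from pg_hba.conf; 'local' (Unix socket) rules are skipped."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if not fields or fields[0] == "local" or len(fields) < 5:
            continue
        conn_type, database, user, address = fields[:4]
        # pg_hba also accepts "ADDRESS NETMASK" as two separate fields.
        if len(fields) >= 6 and re.match(r"^[\d.]+$", fields[4]):
            address, method = f"{address}/{fields[4]}", fields[5]
        else:
            method = fields[4]
        rules.append({"type": conn_type, "database": database, "user": user,
                      "address": address, "method": method})
    return rules


def reachable_from_internet(address: str) -> bool:
    """True if the ADDRESS field admits clients outside the internal ranges."""
    if address == "all":
        return True
    if address in ("samehost", "samenet"):
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostname-based rule: cannot be judged statically
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def audit(pg_conf: str, hba_conf: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for an internet-exposed PostgreSQL."""
    findings = []
    listen = parse_setting(pg_conf, "listen_addresses") or "localhost"
    binds_all = any(a.strip() in ("*", "0.0.0.0", "::") for a in listen.split(","))
    if binds_all:
        findings.append(("medium", f"listen_addresses = '{listen}': server binds every interface"))
    for r in parse_hba(hba_conf):
        if not reachable_from_internet(r["address"]):
            continue
        rule = f"{r['type']} {r['database']} {r['user']} {r['address']} {r['method']}"
        if r["method"] == "trust":
            findings.append(("critical", f"no authentication for remote clients: {rule}"))
        elif r["method"] in WEAK_METHODS:
            findings.append(("high", f"weak or legacy auth reachable from the internet: {rule}"))
        elif binds_all:
            findings.append(("low", f"internet-reachable rule with strong auth: {rule}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(POSTGRESQL_CONF, PG_HBA_CONF):
        print(f"[{severity}] {message}")
```

On the sample files this reports the wildcard bind, the `md5` rule for `postgres` from `0.0.0.0/0`, and the `trust` rule from `::/0`; the loopback and RFC 1918 rules are ignored. The check is host-level only: a cloud security group or firewall in front of the instance can close the exposure even when the files look like this, and the reverse is also true, so the result should be read together with the instance's network reachability.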
Fact 5
Attackers aren't breaking in, they're logging in: valid credentials remain a top cloud intrusion method
The use of valid accounts is a long-standing intrusion technique: attackers use compromised but legitimate credentials to access systems and move laterally, often without triggering alerts. In cloud environments this method remains common, but the signals and context differ from traditional enterprise networks. The credential is often a long-lived API key rather than an interactive login, and the evidence lives in the provider's control-plane audit log, where the key itself is always valid and only the source, tooling, timing, and API calls can distinguish the attacker from the owner.
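Because a stolen key authenticates exactly like the real owner, detection has to compare each use against what that key normally looks like. The example below is added here and is not code from the report or from Wiz: it learns, per long-lived IAM user access key, the source IPs and user agents seen during a baseline window and then flags later calls from unfamiliar sources, escalating when the call is one commonly used for reconnaissance. The events are constructed for this example and only borrow CloudTrail's field names; the seven-day baseline, the reconnaissance call list, and the severity labels are the example's own assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(time, name, region, ip, agent, kind="IAMUser", user="ci-deploy",
        key="AKIA0000000000000001"):
    """Build one constructed event in a CloudTrail-like shape (sample data, not telemetry)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": kind, "userName": user, "accessKeyId": key}}


EVENTS = [
    # Normal weekday use of a CI deployment key from the build network.
    _ev("2024-06-03T09:02:11Z", "PutObject", "eu-west-1", "10.20.30.40", "aws-cli/2.15.30"),
    _ev("2024-06-04T09:05:43Z", "PutObject", "eu-west-1", "10.20.30.40", "aws-cli/2.15.30"),
    _ev("2024-06-05T09:01:02Z", "ListObjectsV2", "eu-west-1", "10.20.30.40", "aws-cli/2.15.30"),
    # Nine days later the same key is used at night, from an unfamiliar address,
    # with a different tool, to find out what it can reach.
    _ev("2024-06-12T03:14:09Z", "GetCallerIdentity", "us-east-1", "203.0.113.7",
        "python-requests/2.31.0"),
    _ev("2024-06-12T03:14:31Z", "ListSecrets", "us-east-1", "203.0.113.7",
        "python-requests/2.31.0"),
    # Temporary STS credentials from an assumed role are out of scope for this rule.
    _ev("2024-06-12T10:00:00Z", "DescribeInstances", "eu-west-1", "10.20.30.41",
        "aws-sdk-go/1.50.0", kind="AssumedRole", user="deploy-role",
        key="ASIA0000000000000002"),
]

BASELINE_DAYS = 7  # assumed learning window per key
# Calls an intruder typically makes first with a freshly acquired key (example's list).
RECON_CALLS = {"GetCallerIdentity", "ListSecrets", "GetSecretValue", "ListUsers",
               "ListAccessKeys", "GetAccountAuthorizationDetails", "ListBuckets"}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_anomalous_key_use(events: list[dict], baseline_days: int = BASELINE_DAYS) -> list[dict]:
    """Flag uses of a long-lived IAM user key from sources not seen in its baseline."""
    first_seen: dict[str, datetime] = {}
    known_ips: dict[str, set] = defaultdict(set)
    known_agents: dict[str, set] = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        ident = e["userIdentity"]
        key = ident.get("accessKeyId", "")
        # Only long-lived IAM user keys (AKIA...) are profiled; STS session keys
        # (ASIA...) rotate with every session and need a different baseline.
        if ident.get("type") != "IAMUser" or not key.startswith("AKIA"):
            continue
        t = parse_time(e["eventTime"])
        first_seen.setdefault(key, t)
        ip, agent = e["sourceIPAddress"], e["userAgent"]
        if t - first_seen[key] < timedelta(days=baseline_days):
            known_ips[key].add(ip)        # still learning this key's normal pattern
            known_agents[key].add(agent)
            continue
        reasons = []
        if ip not in known_ips[key]:
            reasons.append(f"new source IP {ip}")
        if agent not in known_agents[key]:
            reasons.append(f"new user agent {agent!r}")
        if not reasons:
            continue
        severity = "high" if e["eventName"] in RECON_CALLS else "medium"
        findings.append({"time": e["eventTime"], "user": ident["userName"], "key": key,
                         "event": e["eventName"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalous_key_use(EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['event']}: {', '.join(f['reasons'])}")
```

Run against the sample, the two night-time calls are reported as high-severity findings with both a new source IP and a new user agent, while the baseline traffic and the assumed-role session are silent. The baseline here is frozen after the first window and alerts are not deduplicated, so in production the profile would need to be refreshed as legitimate sources change and repeated hits from one source collapsed into a single alert; the structure of the rule, profiling a credential that is always valid by where and how it is used, is the part that carries over.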
Conclusions
The tactics may evolve, but the entry points remain familiar. Exposed services, unpatched software, and credential misuse continue to dominate the cloud attack landscape.
Download the full report to explore:
The 8 most common MITRE ATT&CK techniques used in the wild
Real examples of attacker behavior across modern cloud stacks
How Wiz enables cloud-native detection, prevention, and response