<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Octo Tempest — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/octo-tempest/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 30 Mar 2026 06:43:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/octo-tempest/feed.xml" rel="self" type="application/rss+xml"/><item><title>CrowdStrike Falcon Cloud Security Advances CNAPP with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/</link><pubDate>Mon, 30 Mar 2026 06:43:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/</guid><description>CrowdStrike Falcon Cloud Security enhances its CNAPP capabilities, incorporating adversary intelligence to prioritize cloud risks based on threat actor behavior, particularly focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER, to enable security teams to understand and remediate cloud exposures more effectively.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Falcon Cloud Security with new CNAPP (Cloud-Native Application Protection Platform) capabilities designed to provide more proactive and context-aware cloud security. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage due to a lack of causality information. 
The new features, including Application Explorer and adversary-informed risk prioritization, aim to provide security teams with the necessary context to understand cloud risks, prioritize remediation efforts, and quickly respond to potential breaches by threat actors, with a specific focus on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER who are known to target cloud environments. According to the CrowdStrike 2026 Global Threat Report, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year in 2025, highlighting the need for improved cloud security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Adversaries gain initial access to the cloud environment through various means, such as exploiting misconfigurations or vulnerabilities in cloud services.</li>
<li><strong>Discovery:</strong> Threat actors perform reconnaissance to discover cloud resources, services, and applications.</li>
<li><strong>Lateral Movement:</strong> Attackers move laterally within the cloud environment, leveraging compromised credentials or exploiting vulnerabilities to access additional resources.</li>
<li><strong>Privilege Escalation:</strong> Adversaries escalate privileges to gain higher-level access to critical cloud resources and data.</li>
<li><strong>Data Access:</strong> Attackers access sensitive data stored in cloud storage resources, databases, or applications.</li>
<li><strong>Exfiltration:</strong> The stolen data is exfiltrated from the cloud environment to an external location controlled by the attacker.</li>
<li><strong>Impact:</strong> The exfiltration of sensitive data can lead to financial loss, reputational damage, and regulatory penalties for the victim organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful cloud breach can result in significant damage, including data theft, financial losses, and reputational harm. The enhanced CNAPP capabilities in CrowdStrike Falcon Cloud Security aim to mitigate these risks by providing organizations with better visibility into cloud assets, risk prioritization based on adversary behavior, and faster remediation capabilities. Organizations operating in sectors targeted by groups like LABYRINTH CHOLLIMA or SCATTERED SPIDER are at increased risk. The 266% year-over-year rise in cloud-conscious intrusions by state-nexus actors reported for 2025 underscores the need for more effective cloud security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Application Explorer to gain visibility into how business applications run across cloud and on-premises environments and identify application-layer risks.</li>
<li>Utilize the adversary intelligence feature in Falcon Cloud Security to prioritize cloud risks based on the tactics, techniques, and procedures (TTPs) of known threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Monitor for overly permissive access to storage resources that connect to applications processing customer personally identifiable information (PII) using a rule like the one below to detect potential data breaches.</li>
<li>Implement the Sigma rule below to identify processes accessing cloud resources with unusual user agents, which can indicate unauthorized access attempts or exploitation activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category></item><item><title>CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-05-cnapp-adversary-risk/</link><pubDate>Sun, 29 Mar 2026 07:29:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cnapp-adversary-risk/</guid><description>CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for risk prioritization, application-layer visibility, and runtime analysis, addressing critical gaps in cloud security and enabling faster remediation based on threat actor behavior like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</description><content:encoded><![CDATA[<p>CrowdStrike has advanced its Cloud Native Application Protection Platform (CNAPP) by introducing new capabilities designed to provide security teams with improved context and prioritization for cloud risks. The enhanced CNAPP incorporates Application Explorer for application-layer visibility, allowing a unified view of applications running across cloud and on-premises environments. A key feature is the integration of adversary intelligence, which maps cloud risks to known threat actor profiles, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, enabling risk prioritization based on observed attacker behavior and targeted industries. These advancements aim to close security gaps and reduce breach risks, addressing the rise in cloud intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report. The CNAPP enhancements also include runtime analysis to understand how applications interact with infrastructure, improving the ability to remediate issues effectively.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise (Cloud Misconfiguration):</strong> An organization&rsquo;s cloud environment contains misconfigured storage resources with overly permissive access. This is often a result of configuration drift or human error.</li>
<li><strong>Discovery (Application Inventory):</strong> An attacker identifies that the organization uses cloud-based infrastructure and begins reconnaissance to determine publicly accessible services and data stores, using publicly available cloud enumeration tools.</li>
<li><strong>Privilege Escalation (Exploit Weak IAM):</strong> The attacker exploits weak Identity and Access Management (IAM) policies to gain access to a service account with broad permissions.</li>
<li><strong>Lateral Movement (Application Dependency Mapping):</strong> Using the compromised service account, the attacker enumerates which business-critical applications read from or write to the storage resource and pivots toward them. This is the same dependency graph a defender builds with runtime analysis, seen from the attacker's side.</li>
<li><strong>Data Access (PII Exposure):</strong> The attacker accesses the compromised storage resource containing customer Personally Identifiable Information (PII) because the application processes sensitive data.</li>
<li><strong>Exfiltration (Data Theft):</strong> The attacker exfiltrates the sensitive data to an external controlled server, leveraging the compromised service account.</li>
<li><strong>Impact (Data Breach):</strong> The organization experiences a data breach, resulting in financial losses, reputational damage, and regulatory fines due to the exposed PII.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of cloud misconfigurations and vulnerabilities can lead to significant data breaches, resulting in financial losses, reputational damage, and regulatory penalties. The 2026 Global Threat Report indicates a 266% surge in cloud intrusions by state-nexus threat actors in 2025, highlighting the increasing risk and potential for widespread impact across various sectors. Organizations operating in targeted industries, such as financial services (a known target of groups like LABYRINTH CHOLLIMA), face a higher likelihood of being compromised. The compromise of AI-driven applications can expose sensitive data to external AI services, further exacerbating the impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Cloud Account with Excessive Permissions&rdquo; to identify accounts with overly permissive access as described in the attack chain (related to Initial Compromise).</li>
<li>Leverage CrowdStrike&rsquo;s adversary intelligence to prioritize cloud risks associated with threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (Adversary Intelligence for Cloud Risks).</li>
<li>Utilize Application Explorer to gain visibility into application dependencies and identify business-critical applications connected to cloud resources to focus remediation efforts effectively (Application Explorer).</li>
<li>Monitor cloud environments for suspicious activity using cloud-native logging and alerting mechanisms to detect lateral movement and data exfiltration attempts (Attack Chain steps 3-6).</li>
</ul>
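<p>The "overly permissive access to storage resources" and "Detect Cloud Account with Excessive Permissions" recommendations in this feed (the latter is repeated in a later brief) describe a static check on policy documents. The script below is an added example for this page, not CrowdStrike code and not the Sigma rule the brief references. It walks S3 bucket policies and IAM identity policies and flags Allow statements with an anyone principal, a wildcard action on a wildcard resource, or IAM actions that let a principal widen its own access. The sample policies, the action lists and the severity scale are constructed for illustration.</p>

```python
"""Static review of AWS policy documents for over-permissive patterns.
Added example for this feed; not CrowdStrike code and not the Sigma rule the
brief references. Sample policies below are constructed."""
import json

# IAM actions that let a principal widen its own access; flagged even when the
# statement's Resource is scoped. The set is an assumption, not a complete list.
PRIVILEGE_ACTIONS = {
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "iam:passrole", "sts:assumerole",
}
STORAGE_WRITE_ACTIONS = {
    "s3:putobject", "s3:deleteobject", "s3:putbucketpolicy", "s3:putbucketacl",
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} means any AWS identity, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _allows_any(actions, names):
    """True if the lower-cased action set covers any of `names`, honouring the
    "*" and "service:*" wildcard forms."""
    for a in actions:
        if a == "*":
            return True
        for n in names:
            if a == n or (a.endswith(":*") and n.startswith(a[:-1])):
                return True
    return False


def analyze_policy(policy, kind):
    """Return [(statement_index, severity, reason)] for one policy document.

    kind is "resource" for policies that carry a Principal (S3 bucket policies)
    or "identity" for IAM user/role/group policies, which do not.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        resources = set(_as_list(st.get("Resource")))
        conditioned = bool(st.get("Condition"))
        wildcard_action = "*" in actions or any(a.endswith(":*") for a in actions)

        if kind == "resource" and _principal_is_anyone(st.get("Principal")):
            # Anyone can read: high (medium if a Condition narrows it).
            # Anyone can write or change the policy: critical regardless.
            if wildcard_action or _allows_any(actions, STORAGE_WRITE_ACTIONS):
                sev = "critical"
            else:
                sev = "medium" if conditioned else "high"
            findings.append((idx, sev, "principal '*' allowed " + ",".join(sorted(actions))))

        if kind == "identity":
            if wildcard_action and "*" in resources:
                findings.append((idx, "high" if conditioned else "critical",
                                 "wildcard action on wildcard resource"))
            elif _allows_any(actions, PRIVILEGE_ACTIONS):
                findings.append((idx, "high", "grants privilege-escalation actions"))
    return findings


# Constructed sample policies; no real account or bucket is referenced.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}]}
ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ESCALATION_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"],
     "Resource": "arn:aws:iam::111111111111:role/*"}]}
SCOPED_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"}]}

if __name__ == "__main__":
    for name, pol, kind in [("public-bucket", PUBLIC_BUCKET_POLICY, "resource"),
                            ("admin-user", ADMIN_IDENTITY_POLICY, "identity"),
                            ("escalation-role", ESCALATION_IDENTITY_POLICY, "identity"),
                            ("scoped-role", SCOPED_IDENTITY_POLICY, "identity")]:
        print(name, analyze_policy(pol, kind) or "clean")
```

<p>Feed the analyzer the policy JSON returned by the cloud API (bucket policies and inline or managed identity policies) rather than hand-copied documents, and treat a Condition block as lowering severity only after confirming the condition key actually restricts the principal set; a condition on an unrelated key leaves the statement as open as before.</p>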
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cloud_security</category><category>cnapp</category><category>threat_intelligence</category></item><item><title>CrowdStrike CNAPP Enhancements Prioritize Risk Based on Adversary Behavior</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/</link><pubDate>Sun, 29 Mar 2026 07:19:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/</guid><description>CrowdStrike's CNAPP enhancements prioritize cloud risk based on adversary behavior, correlating application insights with cloud infrastructure telemetry to identify and address critical exposures targeted by specific threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) to prioritize cloud risks based on real-world adversary behavior, addressing limitations in traditional CNAPP solutions. These improvements correlate application-layer visibility with cloud infrastructure context, enabling security teams to understand how applications interact with services, access data, use credentials, and integrate AI components. Falcon Cloud Security maps cloud risks to known adversary profiles and observed techniques, allowing security teams to focus on conditions attackers target in documented intrusions. With threat intelligence from over 280 adversary groups, including LABYRINTH CHOLLIMA and SCATTERED SPIDER, organizations can better prepare their defenses against evolving cloud threats. This advancement aims to reduce alert fatigue and enable more effective remediation by aligning security efforts with actual adversary tactics. 
The enhancements were announced on March 24, 2026, and are designed to address the increasing number of cloud-conscious intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> Adversaries exploit misconfigurations or vulnerabilities in cloud infrastructure or applications to gain initial access.</li>
<li><strong>Discovery:</strong> Using tools and techniques, the adversary performs reconnaissance to map out cloud assets, services, and dependencies, identifying potential targets.</li>
<li><strong>Privilege Escalation:</strong> The attacker leverages compromised credentials or exploits vulnerabilities to elevate privileges within the cloud environment.</li>
<li><strong>Lateral Movement:</strong> With elevated privileges, the adversary moves laterally across different cloud services and applications to access sensitive data.</li>
<li><strong>Data Access:</strong> The threat actor accesses business-critical applications, customer PII, or AI components to exfiltrate data or cause disruption.</li>
<li><strong>Exfiltration:</strong> Sensitive data is exfiltrated from the cloud environment to an external location controlled by the adversary.</li>
<li><strong>Persistence:</strong> Adversaries establish persistence mechanisms to maintain access to the compromised cloud environment for future operations.</li>
<li><strong>Impact:</strong> The ultimate objective is achieved, whether it be data theft, disruption of services, or financial gain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to significant data breaches, disruption of critical business applications, and financial losses. With the increasing reliance on cloud infrastructure, the impact can extend across various sectors, affecting organizations of all sizes. The 266% surge in cloud intrusions in 2025 demonstrates the growing threat, potentially impacting millions of users and costing organizations significant resources to remediate and recover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Detect Cloud Infrastructure Misconfiguration Leading to Potential Data Access&rdquo; Sigma rule to identify overly permissive access to storage resources (rules).</li>
<li>Implement the &ldquo;Detect Shadow AI Activity via LLM Usage&rdquo; Sigma rule to detect unauthorized use of external large language models (LLMs) (rules).</li>
<li>Leverage CrowdStrike Falcon Cloud Security to correlate application-layer visibility with cloud infrastructure context for comprehensive risk analysis (overview).</li>
<li>Prioritize cloud risks based on adversary intelligence provided by CrowdStrike to focus on conditions targeted by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (overview).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category></item><item><title>CrowdStrike CNAPP Adds Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-04-cnapp-risk-prioritization/</link><pubDate>Sun, 29 Mar 2026 06:52:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cnapp-risk-prioritization/</guid><description>CrowdStrike's CNAPP enhancements prioritize cloud risks based on adversary behavior, application context, and configuration change tracking to reduce breach likelihood.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) with new features designed to address the limitations of existing cloud risk assessment approaches. Current CNAPP solutions often lack visibility into the application layer, ignore adversary behavior when prioritizing risks, and struggle to connect risk detections to the configuration changes that introduced them. The updated Falcon Cloud Security aims to bridge these gaps by incorporating application context, adversary intelligence, and configuration change tracking. The goal is to help organizations focus on the risks that matter most, based on real-world threat actor tactics and the criticality of affected applications. According to the CrowdStrike 2026 Global Threat Report, cloud intrusions by state-nexus actors increased significantly, underscoring the need for enhanced cloud security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Exploit a misconfigured cloud service or application vulnerability to gain initial access to the cloud environment.</li>
<li>Privilege Escalation: Leverage overly permissive access controls or insecure configurations to escalate privileges within the cloud environment.</li>
<li>Lateral Movement: Move laterally across the cloud infrastructure, identifying and accessing critical applications and data stores.</li>
<li>Data Access: Access sensitive data stored within cloud storage resources or databases, such as customer PII.</li>
<li>AI Component Exploitation: Target AI-driven applications, abusing unapproved AI model usage or insecure integrations with external large language models (LLMs) that already move data out of the environment.</li>
<li>Data Exfiltration: Exfiltrate sensitive data to external locations, potentially using compromised AI components or insecure network configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of cloud misconfigurations can lead to data breaches, service disruptions, and financial losses. Compromised AI components may expose sensitive data to external AI services or result in unauthorized model usage. The enhanced CNAPP features aim to reduce the likelihood of such incidents by providing better visibility into application dependencies, prioritizing risks based on adversary behavior, and tracking configuration changes that introduce vulnerabilities. Given the observed increase in cloud intrusions, organizations that fail to address these risks face a heightened risk of compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Leverage Falcon Cloud Security&rsquo;s Application Explorer to gain visibility into application dependencies and identify infrastructure risks impacting critical applications (Application Explorer).</li>
<li>Prioritize remediation efforts based on the adversary intelligence provided by Falcon Cloud Security, focusing on risks aligned with known threat actor tactics and targeted industries (Adversary Intelligence for Cloud Risks). Specifically focus on the techniques employed by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>The Sigma rules in this brief match on Sysmon process-creation events (Event ID 1); enable that logging on the hosts in scope before deploying them.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cnapp</category><category>cloud-security</category><category>risk-prioritization</category></item><item><title>CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-informed-risk/</link><pubDate>Sun, 29 Mar 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-informed-risk/</guid><description>CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for improved risk prioritization, addressing limitations in infrastructure visibility, threat actor behavior analysis, and alert triage.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) to provide adversary-informed risk prioritization. Current CNAPP solutions often fall short by focusing solely on infrastructure, ignoring specific adversary behaviors, and generating excessive alerts. This update to CrowdStrike Falcon Cloud Security addresses these gaps by providing visibility into business applications, correlating risks with known adversary tactics (such as those used by LABYRINTH CHOLLIMA and SCATTERED SPIDER), and providing real-time detection of configuration changes that introduce risk. The goal is to enable security teams to prioritize remediation efforts based on real-world threat actor behavior and focus on the most critical exposures. This proactive security approach allows organizations to anticipate and mitigate cloud breaches more effectively, rather than chasing theoretical risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a cloud environment, potentially through compromised credentials or exploiting a misconfiguration.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges within the cloud environment, leveraging weaknesses in Identity and Access Management (IAM) policies or exploiting vulnerable services.</li>
<li>Lateral Movement: Once elevated, the attacker moves laterally across the cloud infrastructure, identifying and accessing sensitive data stores or critical applications.</li>
<li>Application Exploitation: The attacker exploits vulnerabilities in business applications running in the cloud environment, such as SQL injection flaws or remote code execution vulnerabilities.</li>
<li>Data Exfiltration: The attacker exfiltrates sensitive data from compromised applications and data stores, potentially using cloud storage services or establishing covert communication channels.</li>
<li>Persistence: The attacker establishes persistence within the cloud environment, ensuring continued access even if initial entry points are discovered and patched.</li>
<li>Impact: The attacker achieves their objective, such as data theft, financial gain, or disruption of critical services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of cloud vulnerabilities can lead to significant data breaches, financial losses, and reputational damage. In 2025, cloud intrusions by state-nexus actors increased by 266% year-over-year, underscoring the growing threat to cloud environments. The sectors most at risk include financial services, healthcare, and critical infrastructure. A successful attack can result in the theft of sensitive customer data, intellectual property, or trade secrets, leading to regulatory fines, legal liabilities, and loss of competitive advantage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule &ldquo;Detect Cloud Account with Excessive Permissions&rdquo; to identify overly permissive access controls within cloud environments, a common initial access and privilege escalation vector (logsource: cloudtrail, rule: Detect Cloud Account with Excessive Permissions).</li>
<li>Utilize the &ldquo;Adversary Intelligence for Cloud Risks&rdquo; capability in CrowdStrike Falcon Cloud Security to prioritize remediation efforts based on known adversary tactics, techniques, and procedures (TTPs), focusing on threat actors such as LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Deploy the Sigma rule &ldquo;Detect Data Exfiltration via Cloud Storage&rdquo; to identify unauthorized data transfers to cloud storage services, a common tactic used by attackers to exfiltrate sensitive information (logsource: cloudtrail, rule: Detect Data Exfiltration via Cloud Storage).</li>
<li>Continuously monitor cloud configurations and audit logs for suspicious activity, such as unauthorized access attempts, privilege escalations, and lateral movement.</li>
</ul>
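<p>Two CloudTrail-based rules are named in this feed but not reproduced in it: "Detect Data Exfiltration via Cloud Storage" above, and the unusual-user-agent detection recommended in the first brief. The script below is an added example, not CrowdStrike's or the briefs' own rules. It runs equivalent logic over constructed CloudTrail S3 data-event records: it flags API calls whose user agent matches none of an assumed baseline, copies or puts that touch a bucket owned by an account outside an assumed organisation list, and principals whose GetObject volume exceeds a threshold within a sliding window. The account IDs, agent prefixes, thresholds and events are placeholders.</p>

```python
"""CloudTrail triage for two detections recommended in this feed: unusual user
agents and exfiltration via cloud storage. Added example; not CrowdStrike code
and not the referenced Sigma rules. Events, accounts and thresholds are
constructed placeholders."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions: the organisation's AWS account IDs and the user-agent prefixes
# its tooling normally presents. Tune both from your own trail history.
ORG_ACCOUNTS = {"111111111111"}
KNOWN_AGENT_PREFIXES = ("aws-cli/", "aws-sdk-go/", "Boto3/", "console.amazonaws.com")
BULK_READ_BYTES = 500 * 1024 * 1024  # 500 MiB from one principal within the window
WINDOW_SECONDS = 3600

# Constructed CloudTrail S3 data-event records, one JSON object per line.
SAMPLE_TRAIL = r"""
{"eventTime":"2026-03-28T09:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/reporting","accountId":"111111111111"},"userAgent":"aws-sdk-go/1.44.0","sourceIPAddress":"10.0.4.12","requestParameters":{"bucketName":"customer-exports","key":"daily.csv"},"resources":[{"ARN":"arn:aws:s3:::customer-exports","accountId":"111111111111"}],"additionalEventData":{"bytesTransferredOut":2048}}
{"eventTime":"2026-03-28T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/reporting","accountId":"111111111111"},"userAgent":"python-requests/2.31.0","sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"customer-exports","key":"pii/2026-03.parquet"},"resources":[{"ARN":"arn:aws:s3:::customer-exports","accountId":"111111111111"}],"additionalEventData":{"bytesTransferredOut":314572800}}
{"eventTime":"2026-03-28T09:20:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/reporting","accountId":"111111111111"},"userAgent":"python-requests/2.31.0","sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"customer-exports","key":"pii/2026-02.parquet"},"resources":[{"ARN":"arn:aws:s3:::customer-exports","accountId":"111111111111"}],"additionalEventData":{"bytesTransferredOut":262144000}}
{"eventTime":"2026-03-28T09:30:00Z","eventSource":"s3.amazonaws.com","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor","accountId":"111111111111"},"userAgent":"aws-cli/2.15.0","sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"partner-drop","key":"exports.tar","x-amz-copy-source":"customer-exports/daily.csv"},"resources":[{"ARN":"arn:aws:s3:::partner-drop","accountId":"999999999999"},{"ARN":"arn:aws:s3:::customer-exports","accountId":"111111111111"}]}
{"eventTime":"2026-03-28T09:31:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/app","accountId":"111111111111"},"userAgent":"Boto3/1.34.0 md/Botocore#1.34.0","sourceIPAddress":"10.0.7.3","requestParameters":{"bucketName":"app-assets","key":"img/logo.png"},"resources":[{"ARN":"arn:aws:s3:::app-assets","accountId":"111111111111"}]}
"""


def load_events(trail_text):
    """Parse newline-delimited CloudTrail records."""
    return [json.loads(line) for line in trail_text.strip().splitlines() if line.strip()]


def unusual_user_agents(events, known_prefixes=KNOWN_AGENT_PREFIXES):
    """(principal ARN, userAgent, eventName) for calls whose agent matches no known prefix."""
    return [(ev["userIdentity"]["arn"], ev["userAgent"], ev["eventName"])
            for ev in events if not ev.get("userAgent", "").startswith(known_prefixes)]


def _ts(event):
    """CloudTrail eventTime is UTC; return it as epoch seconds."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()


def storage_exfil(events, org_accounts=ORG_ACCOUNTS,
                  byte_threshold=BULK_READ_BYTES, window=WINDOW_SECONDS):
    """Alerts for S3 writes that touch a bucket owned outside the org, and for
    principals whose GetObject volume exceeds byte_threshold within `window`."""
    alerts = []
    reads = defaultdict(list)  # principal -> [(epoch_seconds, bytes_out)]
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        principal = ev["userIdentity"]["arn"]
        if ev["eventName"] in ("CopyObject", "PutObject"):
            # The resources element names the owning account of each bucket the
            # call touched; any owner outside the org is a transfer out.
            foreign = {r.get("accountId") for r in ev.get("resources", [])
                       if r.get("accountId") and r["accountId"] not in org_accounts}
            if foreign:
                alerts.append(("cross-account-transfer", principal,
                               ev["requestParameters"]["bucketName"]))
        elif ev["eventName"] == "GetObject":
            out = ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
            reads[principal].append((_ts(ev), out))
    for principal, samples in reads.items():
        samples.sort()
        total, start = 0, 0
        for ts, n in samples:  # sliding window over time-ordered reads
            total += n
            while ts - samples[start][0] > window:
                total -= samples[start][1]
                start += 1
            if total > byte_threshold:
                alerts.append(("bulk-read", principal, total))
                break
    return alerts


EVENTS = load_events(SAMPLE_TRAIL)

if __name__ == "__main__":
    for hit in unusual_user_agents(EVENTS):
        print("unusual-agent", *hit)
    for alert in storage_exfil(EVENTS):
        print(*alert)
```

<p>In the sample trail the reporting role's two large reads from an external address with a non-SDK agent trip both checks, while the contractor's copy into a bucket owned by a foreign account is caught only by the ownership check (the agent is the ordinary CLI). Shortening the window to ten minutes drops the bulk-read alert, which is the knob to tune against your own baseline of legitimate batch jobs; S3 data events must be enabled on the trail for GetObject and PutObject records to exist at all.</p>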
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>risk-prioritization</category></item><item><title>CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/</link><pubDate>Sat, 28 Mar 2026 14:46:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/</guid><description>CrowdStrike has enhanced its CNAPP capabilities by adding application-layer visibility and prioritizing risks based on known adversary tactics, techniques, and procedures (TTPs).</description><content:encoded><![CDATA[<p>CrowdStrike has advanced its Cloud-Native Application Protection Platform (CNAPP) to address limitations in current cloud security approaches. The enhancements include Application Explorer, which provides application-layer visibility alongside cloud infrastructure context, and adversary intelligence for cloud risks. These updates aim to help organizations understand how applications interact with infrastructure and prioritize risks based on threat actor behavior. Specifically, the CNAPP maps cloud risks to over 280 adversary groups tracked by CrowdStrike, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER. This allows security teams to focus on exploitation chains known to be used against specific industries and organizational profiles, moving beyond theoretical risk assessments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker gains initial access to a cloud environment through compromised credentials or exploitation of a vulnerability in a cloud service. (TA0001)</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges within the cloud environment to gain access to more sensitive resources and data.</li>
<li><strong>Lateral Movement:</strong> Using the compromised credentials or elevated privileges, the attacker moves laterally within the cloud environment to identify and access target applications and data stores.</li>
<li><strong>Application Discovery:</strong> The attacker maps application dependencies from inside the environment (service enumeration, configuration files and credentials found on compromised hosts) to identify business-critical applications and locate AI components (MCPs, LLMs). Application Explorer is the defender's view of the same dependency graph, not an attacker tool.</li>
<li><strong>Data Exfiltration:</strong> The attacker identifies storage resources or data stores containing sensitive information (e.g., PII) and attempts to exfiltrate the data to an external location.</li>
<li><strong>Shadow AI Exploitation:</strong> The attacker takes advantage of shadow AI activity: unapproved model usage and integrations that already send data to external AI services give them a sanctioned-looking channel through which sensitive data leaves the environment.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence within the environment to maintain access and continue their activities even if initial access methods are remediated. (TA0003)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of critical business operations. Specific consequences include the compromise of business-critical applications (e.g., payment processing, hospital ERP), exposure of sensitive data (e.g., PII), and the exploitation of AI-driven applications through shadow AI activity. In 2025, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year, highlighting the increasing risk and potential impact of cloud-based attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Leverage Falcon Cloud Security&rsquo;s Application Explorer to gain visibility into application dependencies, identify business-critical applications, and map infrastructure risks affecting production applications.</li>
<li>Utilize the adversary intelligence feature within Falcon Cloud Security to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Deploy the Sigma rules below to detect suspicious activity related to common cloud attack patterns in your environment.</li>
<li>Review and harden overly permissive access controls on storage resources identified by CrowdStrike.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category><category>risk-prioritization</category></item><item><title>CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-risk/</link><pubDate>Sat, 28 Mar 2026 09:35:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-risk/</guid><description>CrowdStrike Falcon Cloud Security enhances CNAPP capabilities with application-layer visibility and adversary-informed risk prioritization, enabling security teams to focus on attacker-aligned risks and known threat actors.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Falcon Cloud Security CNAPP (Cloud-Native Application Protection Platform) with new features aimed at improving risk assessment and prioritization. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage. The new capabilities provide security teams with the context needed to understand cloud risk, prioritize remediation, and accelerate response times. The updates correlate infrastructure findings with business-critical applications and incorporate intelligence on adversary tactics, techniques, and procedures (TTPs) observed in documented intrusions, especially those from state-nexus threat actors which saw a 266% increase year-over-year in 2025.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Foothold:</strong> An attacker gains initial access to a cloud environment through misconfigurations or vulnerabilities in cloud infrastructure, such as overly permissive access to storage resources.</li>
<li><strong>Privilege Escalation:</strong> Leveraging the initial access, the attacker attempts to escalate privileges within the cloud environment, potentially exploiting weak identity and access management (IAM) policies.</li>
<li><strong>Application Discovery:</strong> The attacker identifies business applications running within the cloud environment and maps their dependencies, potentially using techniques to enumerate services and access data.</li>
<li><strong>Data Access:</strong> The attacker accesses sensitive data stored within the cloud environment, such as customer personally identifiable information (PII), by exploiting vulnerabilities or misconfigurations in application or infrastructure layers.</li>
<li><strong>Lateral Movement:</strong> The attacker moves laterally within the cloud environment, compromising additional systems and applications, potentially leveraging stolen credentials or exploiting trust relationships between services.</li>
<li><strong>AI Application Compromise (if applicable):</strong> If the targeted organization uses AI-driven applications, the attacker attempts to compromise these applications, potentially gaining access to external large language models (LLMs) or exfiltrating sensitive data.</li>
<li><strong>Data Exfiltration:</strong> The attacker exfiltrates sensitive data from the compromised cloud environment, potentially using techniques to bypass data loss prevention (DLP) controls or obfuscate the exfiltration traffic.</li>
<li><strong>Impact:</strong> The attack results in data breach, financial loss, reputational damage, or disruption of critical business services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of cloud vulnerabilities and misconfigurations can lead to significant data breaches, potentially affecting millions of users. Organizations in various sectors, including financial services and healthcare, are at risk. The compromise of AI-driven applications can lead to exposure of sensitive data to external AI services and unauthorized access to large language models. The financial impact can range from direct losses due to theft to indirect costs associated with remediation, legal fees, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Utilize Falcon Cloud Security&rsquo;s Application Explorer to gain visibility into business applications running across cloud and on-premises environments and identify infrastructure risks affecting production applications.</li>
<li>Leverage Falcon Cloud Security&rsquo;s adversary intelligence to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on threat actors such as LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Implement continuous code-level runtime analysis to build an application inventory, map dependencies, and identify application-layer risks as highlighted by the Falcon Cloud Security capabilities.</li>
<li>Monitor and audit overly permissive access to storage resources that can lead to data breaches.</li>
<li>Enhance cloud security posture by addressing IAM misconfigurations, which are often the entry point for initial access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>risk-prioritization</category></item><item><title>CrowdStrike Falcon Cloud Security Introduces Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-risk-prioritization/</link><pubDate>Sat, 28 Mar 2026 09:26:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-risk-prioritization/</guid><description>CrowdStrike's Falcon Cloud Security enhances CNAPP capabilities by introducing adversary-informed risk prioritization, application layer visibility, and root cause analysis of configuration changes, enabling security teams to better understand and remediate cloud risks.</description><content:encoded><![CDATA[<p>CrowdStrike Falcon Cloud Security has introduced new Cloud Native Application Protection Platform (CNAPP) capabilities focused on improving risk assessment and remediation in cloud environments. The updates address limitations such as lack of application layer visibility, ignoring adversary behavior, and difficulty in tracing the origin of exposures. Falcon Cloud Security now incorporates Application Explorer, providing application-layer visibility, and adversary intelligence, aligning risk prioritization with known threat actor behaviors (like LABYRINTH CHOLLIMA and SCATTERED SPIDER) and observed intrusion patterns. Additionally, it provides insights into the configuration changes leading to identified exposures. These enhancements aim to provide security teams with better context, enabling them to understand cloud risk, prioritize remediation efforts, and accelerate the transition from detection to action.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An organization&rsquo;s cloud infrastructure is misconfigured, creating an overly permissive access control to a storage resource containing customer PII.</li>
<li><strong>Discovery:</strong> An adversary, potentially aligned with a group like LABYRINTH CHOLLIMA or SCATTERED SPIDER, identifies the misconfigured storage resource through reconnaissance activities.</li>
<li><strong>Lateral Movement:</strong> The adversary uses the initial access to move laterally within the cloud environment, exploiting existing roles and permissions.</li>
<li><strong>Privilege Escalation:</strong> The adversary elevates privileges to gain access to sensitive applications, exploiting vulnerabilities or misconfigurations.</li>
<li><strong>Data Access:</strong> The attacker accesses applications connected to the storage resource, including business-critical applications processing payment information.</li>
<li><strong>Data Exfiltration:</strong> The adversary exfiltrates sensitive customer PII from the storage resource, taking advantage of the permissive access controls.</li>
<li><strong>Impact:</strong> The exfiltrated data is used for malicious purposes, such as identity theft or financial fraud, leading to financial and reputational damage for the targeted organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The enhanced CNAPP capabilities aim to reduce the likelihood and impact of cloud breaches. In 2025, cloud intrusions by state-nexus threat actors surged by 266%. Successfully exploiting cloud misconfigurations can lead to significant data breaches, financial losses, and reputational damage. Organizations across various sectors, especially financial services, are at risk. Failure to prioritize and remediate cloud risks can result in the compromise of business-critical applications and sensitive data, including personally identifiable information (PII).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize deployment of Falcon Cloud Security to gain application-layer visibility and identify infrastructure risks impacting critical applications as described in the <strong>Overview</strong>.</li>
<li>Utilize the adversary intelligence feature in Falcon Cloud Security to prioritize risk remediation based on known threat actor behavior, specifically focusing on groups like <strong>LABYRINTH CHOLLIMA and SCATTERED SPIDER</strong> as mentioned in the <strong>Overview</strong>.</li>
<li>Implement the following Sigma rule to detect anomalous access to cloud storage resources.</li>
<li>Enable and review cloud configuration logs to identify misconfigurations leading to overly permissive access controls, enabling faster remediation and prevention of future exposures, as described in the <strong>Attack Chain</strong>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>cnapp</category><category>risk-prioritization</category></item><item><title>CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/</link><pubDate>Sat, 28 Mar 2026 08:17:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/</guid><description>CrowdStrike's new CNAPP capabilities in Falcon Cloud Security focus on adversary-informed risk prioritization by correlating application-layer visibility with threat actor profiles and techniques, enabling security teams to understand cloud risk, prioritize remediation, and accelerate response.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Falcon Cloud Security with new Cloud-Native Application Protection Platform (CNAPP) capabilities designed to prioritize cloud risks based on adversary behavior. This update addresses critical gaps in current CNAPP solutions, including limited visibility into business applications, a lack of integration of adversary intelligence, and difficulties in tracing the root cause of exposures. The new features provide application-layer visibility, correlate risks with threat actor profiles and techniques, and help identify the configuration changes that introduced vulnerabilities. This enables security teams to focus on the attack paths most likely to be exploited by threat actors, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, and to more effectively prioritize remediation efforts within their cloud environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise (Theoretical):</strong> An attacker gains initial access to the cloud environment, potentially exploiting a misconfiguration or vulnerability in a cloud service or application.</li>
<li><strong>Reconnaissance:</strong> The attacker uses internal reconnaissance techniques to discover cloud resources, application dependencies, and potential attack paths within the cloud environment. This phase can be accelerated by exploiting overly permissive access controls on storage resources.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges within the cloud environment by exploiting weak IAM configurations, vulnerable services, or exposed credentials.</li>
<li><strong>Lateral Movement:</strong> Using compromised credentials or exploiting service vulnerabilities, the attacker moves laterally to other cloud resources and applications within the environment. The attacker may target business-critical applications that process sensitive data.</li>
<li><strong>Data Access:</strong> The attacker accesses sensitive data stored in cloud storage, databases, or other resources, potentially including customer PII.</li>
<li><strong>Exfiltration (Theoretical):</strong> The attacker exfiltrates the stolen data from the cloud environment to an external location.</li>
<li><strong>Impact (Theoretical):</strong> The successful attack results in data breaches, financial loss, reputational damage, and disruption of business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed trend of increasing cloud breaches, including a 266% year-over-year surge in cloud-conscious intrusions by state-nexus threat actors in 2025, highlights the critical need for enhanced cloud security measures. Successful attacks can lead to data breaches, financial losses, reputational damage, and disruption of critical business operations, particularly targeting financial services. The Falcon Cloud Security CNAPP aims to reduce the risk of such incidents by providing better visibility, risk prioritization, and faster response times.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy Falcon Cloud Security to gain visibility into application-layer risks and dependencies as described in the overview section.</li>
<li>Utilize the adversary intelligence features of Falcon Cloud Security to prioritize cloud risks based on known threat actor profiles and observed techniques, mapping risks to groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Investigate alerts generated by Falcon Cloud Security that indicate potential attack paths used by known threat actors, focusing on the industries they actively target, as mentioned in the threat brief.</li>
<li>Enable and review logs from your cloud infrastructure and application services to correlate with the Falcon Cloud Security findings and identify the configuration changes that introduced the exposures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category><category>risk-prioritization</category></item><item><title>M-Trends 2026: Evolving Threat Landscape</title><link>https://feed.craftedsignal.io/briefs/2026-06-mtrends-2026/</link><pubDate>Wed, 25 Mar 2026 10:45:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-mtrends-2026/</guid><description>The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.</description><content:encoded><![CDATA[<p>The Mandiant M-Trends 2026 report analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. 
Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.</li>
<li><strong>Privilege Escalation:</strong> Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.</li>
<li><strong>Credential Access:</strong> Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.</li>
<li><strong>Lateral Movement:</strong> Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the &ldquo;Tier-0&rdquo; nature of hypervisors to bypass guest-level defenses.</li>
<li><strong>Defense Evasion:</strong> Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. Targeting edge and core network devices lacking EDR telemetry.</li>
<li><strong>Impact:</strong> Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.</li>
<li><strong>Exfiltration:</strong> Large-scale data theft from SaaS environments.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>M-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule &ldquo;Detect PowerShell from Uncommon Location&rdquo;).</li>
<li>Implement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).</li>
<li>Review and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).</li>
<li>Monitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to destroy recovery capabilities (reference: attack chain step 6).</li>
<li>Increase log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>threat-report</category><category>ransomware</category><category>phishing</category><category>saas</category></item></channel></rss>