{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/roasted-0ktapus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Falcon Cloud Security with new CNAPP (Cloud-Native Application Protection Platform) capabilities designed to provide more proactive and context-aware cloud security. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage due to a lack of causality information. The new features, including Application Explorer and adversary-informed risk prioritization, aim to provide security teams with the necessary context to understand cloud risks, prioritize remediation efforts, and quickly respond to potential breaches by threat actors, with a specific focus on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER who are known to target cloud environments. 
According to the CrowdStrike 2026 Global Threat Report, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year in 2025, highlighting the need for improved cloud security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Adversaries gain initial access to the cloud environment through various means, such as exploiting misconfigurations or vulnerabilities in cloud services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e Threat actors perform reconnaissance to discover cloud resources, services, and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Attackers move laterally within the cloud environment, leveraging compromised credentials or exploiting vulnerabilities to access additional resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Adversaries escalate privileges to gain higher-level access to critical cloud resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Attackers access sensitive data stored in cloud storage resources, databases, or applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The stolen data is exfiltrated from the cloud environment to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The exfiltration of sensitive data can lead to financial loss, reputational damage, and regulatory penalties for the victim organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful cloud breach can result in significant damage, including data theft, financial losses, and reputational harm. 
The enhanced CNAPP capabilities in CrowdStrike Falcon Cloud Security aim to mitigate these risks by providing organizations with better visibility into cloud assets, risk prioritization based on adversary behavior, and faster remediation capabilities. Specifically, organizations operating in sectors targeted by groups like LABYRINTH CHOLLIMA or SCATTERED SPIDER are at increased risk. In 2025, cloud intrusions increased dramatically, underscoring the urgent need for more effective cloud security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Application Explorer to gain visibility into how business applications run across cloud and on-premises environments and identify application-layer risks.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence feature in Falcon Cloud Security to prioritize cloud risks based on the tactics, techniques, and procedures (TTPs) of known threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eMonitor for overly permissive access to storage resources that connect to applications processing customer personally identifiable information (PII) using a rule like the one below to detect potential data breaches.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule below to identify processes accessing cloud resources with unusual user agents, which can indicate unauthorized access attempts or exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T06:43:41Z","date_published":"2026-03-30T06:43:41Z","id":"/briefs/2026-03-cnapp-advancements/","summary":"CrowdStrike Falcon Cloud Security enhances its CNAPP capabilities, incorporating adversary intelligence to prioritize cloud risks based on threat actor behavior, particularly focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER, to enable security teams to understand and remediate cloud exposures more 
effectively.","title":"CrowdStrike Falcon Cloud Security Advances CNAPP with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cloud_security","cnapp","threat_intelligence"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has advanced its Cloud Native Application Protection Platform (CNAPP) by introducing new capabilities designed to provide security teams with improved context and prioritization for cloud risks. The enhanced CNAPP incorporates Application Explorer for application-layer visibility, allowing a unified view of applications running across cloud and on-premises environments. A key feature is the integration of adversary intelligence, which maps cloud risks to known threat actor profiles, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, enabling risk prioritization based on observed attacker behavior and targeted industries. These advancements aim to close security gaps and reduce breach risks, addressing the rise in cloud intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report. The CNAPP enhancements also include runtime analysis to understand how applications interact with infrastructure, improving the ability to remediate issues effectively.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Cloud Misconfiguration):\u003c/strong\u003e An organization\u0026rsquo;s cloud environment contains misconfigured storage resources with overly permissive access. 
This is often a result of configuration drift or human error.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery (Application Inventory):\u003c/strong\u003e An attacker identifies that the organization uses cloud-based infrastructure and begins reconnaissance to determine publicly accessible services and data stores, using publicly available cloud enumeration tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Exploit Weak IAM):\u003c/strong\u003e The attacker exploits weak Identity and Access Management (IAM) policies to gain access to a service account with broad permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Application Dependency Mapping):\u003c/strong\u003e Using the compromised service account, the attacker enumerates the business-critical applications connected to the storage resource and maps their dependencies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access (PII Exposure):\u003c/strong\u003e The attacker reads customer Personally Identifiable Information (PII) from the storage resource, which holds sensitive data because the connected application processes it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Data Theft):\u003c/strong\u003e The attacker exfiltrates the sensitive data to an external server under their control, leveraging the compromised service account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Data Breach):\u003c/strong\u003e The organization experiences a data breach, resulting in financial losses, reputational damage, and regulatory fines due to the exposed PII.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of cloud misconfigurations and vulnerabilities can lead to significant data breaches, resulting in financial losses, reputational damage, and regulatory penalties. 
The 2026 Global Threat Report indicates a 266% surge in cloud intrusions by state-nexus threat actors in 2025, highlighting the increasing risk and potential for widespread impact across various sectors. Organizations operating in targeted industries, such as financial services (a known target of groups like LABYRINTH CHOLLIMA), face a higher likelihood of being compromised. The compromise of AI-driven applications can expose sensitive data to external AI services, further exacerbating the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Cloud Account with Excessive Permissions\u0026rdquo; to identify accounts with overly permissive access as described in the attack chain (related to Initial Compromise).\u003c/li\u003e\n\u003cli\u003eLeverage CrowdStrike\u0026rsquo;s adversary intelligence to prioritize cloud risks associated with threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (Adversary Intelligence for Cloud Risks).\u003c/li\u003e\n\u003cli\u003eUtilize Application Explorer to gain visibility into application dependencies and identify business-critical applications connected to cloud resources to focus remediation efforts effectively (Application Explorer).\u003c/li\u003e\n\u003cli\u003eMonitor cloud environments for suspicious activity using cloud-native logging and alerting mechanisms to detect lateral movement and data exfiltration attempts (Attack Chain steps 3-6).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T07:29:13Z","date_published":"2026-03-29T07:29:13Z","id":"/briefs/2026-05-cnapp-adversary-risk/","summary":"CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for risk prioritization, application-layer visibility, and runtime analysis, addressing critical gaps in cloud security and enabling faster remediation based on threat actor behavior like LABYRINTH CHOLLIMA and SCATTERED 
SPIDER.","title":"CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-05-cnapp-adversary-risk/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cloud-security","cnapp","threat-intelligence"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) to prioritize cloud risks based on real-world adversary behavior, addressing limitations in traditional CNAPP solutions. These improvements correlate application-layer visibility with cloud infrastructure context, enabling security teams to understand how applications interact with services, access data, use credentials, and integrate AI components. Falcon Cloud Security maps cloud risks to known adversary profiles and observed techniques, allowing security teams to focus on conditions attackers target in documented intrusions. Drawing on CrowdStrike's intelligence on more than 280 tracked adversary groups, including LABYRINTH CHOLLIMA and SCATTERED SPIDER, organizations can better prepare their defenses against evolving cloud threats. This advancement aims to reduce alert fatigue and enable more effective remediation by aligning security efforts with actual adversary tactics. 
The enhancements were announced on March 24, 2026, and are designed to address the increasing number of cloud-conscious intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Adversaries exploit misconfigurations or vulnerabilities in cloud infrastructure or applications to gain initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e Using tools and techniques, the adversary performs reconnaissance to map out cloud assets, services, and dependencies, identifying potential targets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages compromised credentials or exploits vulnerabilities to elevate privileges within the cloud environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, the adversary moves laterally across different cloud services and applications to access sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The threat actor accesses business-critical applications, customer PII, or AI components to exfiltrate data or cause disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Sensitive data is exfiltrated from the cloud environment to an external location controlled by the adversary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e Adversaries establish persistence mechanisms to maintain access to the compromised cloud environment for future operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The ultimate objective is achieved, whether it be data theft, disruption of services, or financial 
gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, disruption of critical business applications, and financial losses. With the increasing reliance on cloud infrastructure, the impact can extend across various sectors, affecting organizations of all sizes. The 266% surge in cloud intrusions in 2025 demonstrates the growing threat, potentially impacting millions of users and costing organizations significant resources to remediate and recover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Cloud Infrastructure Misconfiguration Leading to Potential Data Access\u0026rdquo; Sigma rule to identify overly permissive access to storage resources (rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Shadow AI Activity via LLM Usage\u0026rdquo; Sigma rule to detect unauthorized use of external large language models (LLMs) (rules).\u003c/li\u003e\n\u003cli\u003eLeverage CrowdStrike Falcon Cloud Security to correlate application-layer visibility with cloud infrastructure context for comprehensive risk analysis (overview).\u003c/li\u003e\n\u003cli\u003ePrioritize cloud risks based on adversary intelligence provided by CrowdStrike to focus on conditions targeted by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T07:19:13Z","date_published":"2026-03-29T07:19:13Z","id":"/briefs/2026-03-cnapp-adversary-prioritization/","summary":"CrowdStrike's CNAPP enhancements prioritize cloud risk based on adversary behavior, correlating application insights with cloud infrastructure telemetry to identify and address critical exposures targeted by specific threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.","title":"CrowdStrike CNAPP Enhancements Prioritize Risk Based on 
Adversary Behavior","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cnapp","cloud-security","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) with new features designed to address the limitations of existing cloud risk assessment approaches. Current CNAPP solutions often lack visibility into the application layer, ignore adversary behavior when prioritizing risks, and struggle to connect risk detections to the configuration changes that introduced them. The updated Falcon Cloud Security aims to bridge these gaps by incorporating application context, adversary intelligence, and configuration change tracking. The goal is to help organizations focus on the risks that matter most, based on real-world threat actor tactics and the criticality of affected applications. 
According to the CrowdStrike 2026 Global Threat Report, cloud intrusions by state-nexus actors increased significantly, underscoring the need for enhanced cloud security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Exploit a misconfigured cloud service or application vulnerability to gain initial access to the cloud environment.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Leverage overly permissive access controls or insecure configurations to escalate privileges within the cloud environment.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Move laterally across the cloud infrastructure, identifying and accessing critical applications and data stores.\u003c/li\u003e\n\u003cli\u003eData Access: Access sensitive data stored within cloud storage resources or databases, such as customer PII.\u003c/li\u003e\n\u003cli\u003eAI Component Exploitation: Target AI-driven applications, potentially exploiting vulnerabilities in external large language models (LLMs) or unapproved AI model usage.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Exfiltrate sensitive data to external locations, potentially using compromised AI components or insecure network configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of cloud misconfigurations can lead to data breaches, service disruptions, and financial losses. Compromised AI components may expose sensitive data to external AI services or result in unauthorized model usage. The enhanced CNAPP features aim to reduce the likelihood of such incidents by providing better visibility into application dependencies, prioritizing risks based on adversary behavior, and tracking configuration changes that introduce vulnerabilities. 
Given the observed increase in cloud intrusions, organizations that fail to address these risks face a heightened risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLeverage Falcon Cloud Security\u0026rsquo;s Application Explorer to gain visibility into application dependencies and identify infrastructure risks impacting critical applications (Application Explorer).\u003c/li\u003e\n\u003cli\u003ePrioritize remediation efforts based on the adversary intelligence provided by Falcon Cloud Security, focusing on risks aligned with known threat actor tactics and targeted industries (Adversary Intelligence for Cloud Risks). Specifically focus on the techniques employed by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T06:52:03Z","date_published":"2026-03-29T06:52:03Z","id":"/briefs/2026-04-cnapp-risk-prioritization/","summary":"CrowdStrike's CNAPP enhancements prioritize cloud risks based on adversary behavior, application context, and configuration change tracking to reduce breach likelihood.","title":"CrowdStrike CNAPP Adds Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-04-cnapp-risk-prioritization/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) to 
provide adversary-informed risk prioritization. Current CNAPP solutions often fall short by focusing solely on infrastructure, ignoring specific adversary behaviors, and generating excessive alerts. This update to CrowdStrike Falcon Cloud Security addresses these gaps by providing visibility into business applications, correlating risks with known adversary tactics (such as those used by LABYRINTH CHOLLIMA and SCATTERED SPIDER), and providing real-time detection of configuration changes that introduce risk. The goal is to enable security teams to prioritize remediation efforts based on real-world threat actor behavior and focus on the most critical exposures. This proactive security approach allows organizations to anticipate and mitigate cloud breaches more effectively, rather than chasing theoretical risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a cloud environment, potentially through compromised credentials or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the cloud environment, leveraging weaknesses in Identity and Access Management (IAM) policies or exploiting vulnerable services.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Once elevated, the attacker moves laterally across the cloud infrastructure, identifying and accessing sensitive data stores or critical applications.\u003c/li\u003e\n\u003cli\u003eApplication Exploitation: The attacker exploits vulnerabilities in business applications running in the cloud environment, such as SQL injection flaws or remote code execution vulnerabilities.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates sensitive data from compromised applications and data stores, potentially using cloud storage services or establishing covert communication 
channels.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence within the cloud environment, ensuring continued access even if initial entry points are discovered and patched.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data theft, financial gain, or disruption of critical services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of cloud vulnerabilities can lead to significant data breaches, financial losses, and reputational damage. In 2025, cloud intrusions by state-nexus actors increased by 266% year-over-year, underscoring the growing threat to cloud environments. The sectors most at risk include financial services, healthcare, and critical infrastructure. A successful attack can result in the theft of sensitive customer data, intellectual property, or trade secrets, leading to regulatory fines, legal liabilities, and loss of competitive advantage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Cloud Account with Excessive Permissions\u0026rdquo; to identify overly permissive access controls within cloud environments, a common initial access and privilege escalation vector (logsource: cloudtrail, rule: Detect Cloud Account with Excessive Permissions).\u003c/li\u003e\n\u003cli\u003eUtilize the \u0026ldquo;Adversary Intelligence for Cloud Risks\u0026rdquo; capability in CrowdStrike Falcon Cloud Security to prioritize remediation efforts based on known adversary tactics, techniques, and procedures (TTPs), focusing on threat actors such as LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Data Exfiltration via Cloud Storage\u0026rdquo; to identify unauthorized data transfers to cloud storage services, a common tactic used by attackers to exfiltrate sensitive 
information (logsource: cloudtrail, rule: Detect Data Exfiltration via Cloud Storage).\u003c/li\u003e\n\u003cli\u003eContinuously monitor cloud configurations and audit logs for suspicious activity, such as unauthorized access attempts, privilege escalations, and lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T00:00:00Z","date_published":"2026-03-29T00:00:00Z","id":"/briefs/2026-03-cnapp-adversary-informed-risk/","summary":"CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for improved risk prioritization, addressing limitations in infrastructure visibility, threat actor behavior analysis, and alert triage.","title":"CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-informed-risk/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has advanced its Cloud-Native Application Protection Platform (CNAPP) to address limitations in current cloud security approaches. The enhancements include Application Explorer, which provides application-layer visibility alongside cloud infrastructure context, and adversary intelligence for cloud risks. These updates aim to help organizations understand how applications interact with infrastructure and prioritize risks based on threat actor behavior. Specifically, the CNAPP maps cloud risks to over 280 adversary groups tracked by CrowdStrike, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER. 
This allows security teams to focus on exploitation chains known to be used against specific industries and organizational profiles, moving beyond theoretical risk assessments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a cloud environment through compromised credentials or exploitation of a vulnerability in a cloud service. (TA0001)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges within the cloud environment to gain access to more sensitive resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the compromised credentials or elevated privileges, the attacker moves laterally within the cloud environment to identify and access target applications and data stores.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Discovery:\u003c/strong\u003e The attacker maps application dependencies to identify business-critical applications and locate AI components (MCPs, LLMs) within the environment; this is the same dependency view that Application Explorer is intended to give defenders first.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker identifies storage resources or data stores containing sensitive information (e.g., PII) and attempts to exfiltrate the data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShadow AI Exploitation:\u003c/strong\u003e The attacker takes advantage of shadow AI activity: unapproved AI integrations that already send sensitive data to external AI services provide an unmonitored path to that data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence within the environment to maintain access and continue their activities even if initial access methods are remediated. 
(TA0003)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of critical business operations. Specific consequences include the compromise of business-critical applications (e.g., payment processing, hospital ERP), exposure of sensitive data (e.g., PII), and the exploitation of AI-driven applications through shadow AI activity. In 2025, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year, highlighting the increasing risk and potential impact of cloud-based attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLeverage Falcon Cloud Security\u0026rsquo;s Application Explorer to gain visibility into application dependencies, identify business-critical applications, and map infrastructure risks affecting production applications.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence feature within Falcon Cloud Security to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect suspicious activity related to common cloud attack patterns in your environment.\u003c/li\u003e\n\u003cli\u003eReview and harden overly permissive access controls on storage resources identified by CrowdStrike.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T14:46:06Z","date_published":"2026-03-28T14:46:06Z","id":"/briefs/2026-03-cnapp-advances/","summary":"CrowdStrike has enhanced its CNAPP capabilities by adding application-layer visibility and prioritizing risks based on known adversary tactics, techniques, and procedures (TTPs).","title":"CrowdStrike CNAPP Enhanced with Adversary-Informed Risk 
Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnaap","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Falcon Cloud Security CNAPP (Cloud-Native Application Protection Platform) with new features aimed at improving risk assessment and prioritization. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage. The new capabilities provide security teams with the context needed to understand cloud risk, prioritize remediation, and accelerate response times. The updates correlate infrastructure findings with business-critical applications and incorporate intelligence on adversary tactics, techniques, and procedures (TTPs) observed in documented intrusions, especially those from state-nexus threat actors which saw a 266% increase year-over-year in 2025.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Foothold:\u003c/strong\u003e An attacker gains initial access to a cloud environment through misconfigurations or vulnerabilities in cloud infrastructure, such as overly permissive access to storage resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Leveraging the initial access, the attacker attempts to escalate privileges within the cloud environment, potentially exploiting weak identity and access management (IAM) policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Discovery:\u003c/strong\u003e The 
attacker identifies business applications running within the cloud environment and maps their dependencies, potentially using techniques to enumerate services and access data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data stored within the cloud environment, such as customer personally identifiable information (PII), by exploiting vulnerabilities or misconfigurations in application or infrastructure layers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the cloud environment, compromising additional systems and applications, potentially leveraging stolen credentials or exploiting trust relationships between services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAI Application Compromise (if applicable):\u003c/strong\u003e If the targeted organization uses AI-driven applications, the attacker attempts to compromise these applications, potentially gaining access to external large language models (LLMs) or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised cloud environment, potentially using techniques to bypass data loss prevention (DLP) controls or obfuscate the exfiltration traffic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attack results in data breach, financial loss, reputational damage, or disruption of critical business services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of cloud vulnerabilities and misconfigurations can lead to significant data breaches, potentially affecting millions of users. Organizations in various sectors, including financial services and healthcare, are at risk. 
The compromise of AI-driven applications can lead to exposure of sensitive data to external AI services and unauthorized access to large language models. The financial impact can range from direct losses due to theft to indirect costs associated with remediation, legal fees, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUtilize Falcon Cloud Security\u0026rsquo;s Application Explorer to gain visibility into business applications running across cloud and on-premises environments and identify infrastructure risks affecting production applications.\u003c/li\u003e\n\u003cli\u003eLeverage Falcon Cloud Security\u0026rsquo;s adversary intelligence to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on threat actors such as LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eImplement continuous code-level runtime analysis to build an application inventory, map dependencies, and identify application-layer risks as highlighted by the Falcon Cloud Security capabilities.\u003c/li\u003e\n\u003cli\u003eMonitor and audit overly permissive access to storage resources that can lead to data breaches.\u003c/li\u003e\n\u003cli\u003eEnhance cloud security posture by addressing IAM misconfigurations, which are often the entry point for initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T09:35:23Z","date_published":"2026-03-28T09:35:23Z","id":"/briefs/2026-03-cnapp-adversary-risk/","summary":"CrowdStrike Falcon Cloud Security enhances CNAPP capabilities with application-layer visibility and adversary-informed risk prioritization, enabling security teams to focus on attacker-aligned risks and known threat actors.","title":"CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-risk/"},{"_cs_actors":["Lazarus 
Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud","cnapp","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike Falcon Cloud Security has introduced new Cloud Native Application Protection Platform (CNAPP) capabilities focused on improving risk assessment and remediation in cloud environments. The updates address limitations such as lack of application layer visibility, ignoring adversary behavior, and difficulty in tracing the origin of exposures. Falcon Cloud Security now incorporates Application Explorer, providing application-layer visibility, and adversary intelligence, aligning risk prioritization with known threat actor behaviors (like LABYRINTH CHOLLIMA and SCATTERED SPIDER) and observed intrusion patterns. Additionally, it provides insights into the configuration changes leading to identified exposures. 
These enhancements aim to provide security teams with better context, enabling them to understand cloud risk, prioritize remediation efforts, and accelerate the transition from detection to action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An organization\u0026rsquo;s cloud infrastructure is misconfigured, creating an overly permissive access control to a storage resource containing customer PII.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e An adversary, potentially aligned with a group like LABYRINTH CHOLLIMA or SCATTERED SPIDER, identifies the misconfigured storage resource through reconnaissance activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The adversary uses the initial access to move laterally within the cloud environment, exploiting existing roles and permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The adversary elevates privileges to gain access to sensitive applications, exploiting vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses applications connected to the storage resource, including business-critical applications processing payment information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The adversary exfiltrates sensitive customer PII from the storage resource, taking advantage of the permissive access controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The exfiltrated data is used for malicious purposes, such as identity theft or financial fraud, leading to financial and reputational damage for the targeted organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe enhanced 
CNAPP capabilities aim to reduce the likelihood and impact of cloud breaches. In 2025, cloud intrusions by state-nexus threat actors surged by 266%. Successfully exploiting cloud misconfigurations can lead to significant data breaches, financial losses, and reputational damage. Organizations across various sectors, especially financial services, are at risk. Failure to prioritize and remediate cloud risks can result in the compromise of business-critical applications and sensitive data, including personally identifiable information (PII).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize deployment of Falcon Cloud Security to gain application-layer visibility and identify infrastructure risks impacting critical applications as described in the \u003cstrong\u003eOverview\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence feature in Falcon Cloud Security to prioritize risk remediation based on known threat actor behavior, specifically focusing on groups like \u003cstrong\u003eLABYRINTH CHOLLIMA and SCATTERED SPIDER\u003c/strong\u003e as mentioned in the \u003cstrong\u003eOverview\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the following Sigma rule to detect anomalous access to cloud storage resources.\u003c/li\u003e\n\u003cli\u003eEnable and review cloud configuration logs to identify misconfigurations leading to overly permissive access controls, enabling faster remediation and prevention of future exposures, as described in the \u003cstrong\u003eAttack Chain\u003c/strong\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T09:26:44Z","date_published":"2026-03-28T09:26:44Z","id":"/briefs/2026-03-cnapp-risk-prioritization/","summary":"CrowdStrike's Falcon Cloud Security enhances CNAPP capabilities by introducing adversary-informed risk prioritization, application layer visibility, and root cause analysis of configuration changes, 
enabling security teams to better understand and remediate cloud risks.","title":"CrowdStrike Falcon Cloud Security Introduces Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-cnapp-risk-prioritization/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cloud-security","cnapp","threat-intelligence","risk-prioritization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has enhanced its Falcon Cloud Security with new Cloud-Native Application Protection Platform (CNAPP) capabilities designed to prioritize cloud risks based on adversary behavior. This update addresses critical gaps in current CNAPP solutions, including limited visibility into business applications, a lack of integration of adversary intelligence, and difficulties in tracing the root cause of exposures. The new features provide application-layer visibility, correlate risks with threat actor profiles and techniques, and help identify the configuration changes that introduced vulnerabilities. 
This enables security teams to focus on the attack paths most likely to be exploited by threat actors, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, and to more effectively prioritize remediation efforts within their cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Theoretical):\u003c/strong\u003e An attacker gains initial access to the cloud environment, potentially exploiting a misconfiguration or vulnerability in a cloud service or application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker uses internal reconnaissance techniques to discover cloud resources, application dependencies, and potential attack paths within the cloud environment. This phase can be accelerated by exploiting overly permissive access controls on storage resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate privileges within the cloud environment by exploiting weak IAM configurations, vulnerable services, or exposed credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using compromised credentials or exploiting service vulnerabilities, the attacker moves laterally to other cloud resources and applications within the environment. 
The attacker may target business-critical applications that process sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data stored in cloud storage, databases, or other resources, potentially including customer PII.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Theoretical):\u003c/strong\u003e The attacker exfiltrates the stolen data from the cloud environment to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Theoretical):\u003c/strong\u003e The successful attack results in data breaches, financial loss, reputational damage, and disruption of business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed trend of increasing cloud breaches, including a 266% year-over-year surge in cloud-conscious intrusions by state-nexus threat actors in 2025, highlights the critical need for enhanced cloud security measures. Successful attacks can lead to data breaches, financial losses, reputational damage, and disruption of critical business operations, particularly targeting financial services. 
The Falcon Cloud Security CNAPP aims to reduce the risk of such incidents by providing better visibility, risk prioritization, and faster response times.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy Falcon Cloud Security to gain visibility into application-layer risks and dependencies as described in the overview section.\u003c/li\u003e\n\u003cli\u003eUtilize the adversary intelligence features of Falcon Cloud Security to prioritize cloud risks based on known threat actor profiles and observed techniques, mapping risks to groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by Falcon Cloud Security that indicate potential attack paths used by known threat actors, focusing on the industries they actively target, as mentioned in the threat brief.\u003c/li\u003e\n\u003cli\u003eEnable and review logs from your cloud infrastructure and application services to correlate with the Falcon Cloud Security findings and identify the configuration changes that introduced the exposures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:17:27Z","date_published":"2026-03-28T08:17:27Z","id":"/briefs/2026-03-crowdstrike-cnapp/","summary":"CrowdStrike's new CNAPP capabilities in Falcon Cloud Security focus on adversary-informed risk prioritization by correlating application-layer visibility with threat actor profiles and techniques, enabling security teams to understand cloud risk, prioritize remediation, and accelerate response.","title":"CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/"},{"_cs_actors":["Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud","UNC6201","Salt 
Typhoon","GhostEmperor","FamousSparrow","UNC5807"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-report","ransomware","phishing","saas"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mandiant M-Trends 2026 report analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. 
Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the \u0026ldquo;Tier-0\u0026rdquo; nature of hypervisors to bypass guest-level defenses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. Targeting edge and core network devices lacking EDR telemetry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Large-scale data theft from SaaS environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eM-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. 
The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule \u0026ldquo;Detect PowerShell from Uncommon Location\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to destroy recovery capabilities (reference: attack chain step 6).\u003c/li\u003e\n\u003cli\u003eIncrease log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:45:30Z","date_published":"2026-03-25T10:45:30Z","id":"/briefs/2026-06-mtrends-2026/","summary":"The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial 
access brokers and ransomware deployers.","title":"M-Trends 2026: Evolving Threat Landscape","url":"https://feed.craftedsignal.io/briefs/2026-06-mtrends-2026/"}],"language":"en","title":"CraftedSignal Threat Feed — Roasted 0ktapus","version":"https://jsonfeed.org/version/1.1"}