{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloud_security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc","Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cloud_security","cnapp","threat_intelligence"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has advanced its Cloud Native Application Protection Platform (CNAPP) by introducing new capabilities designed to provide security teams with improved context and prioritization for cloud risks. The enhanced CNAPP incorporates Application Explorer for application-layer visibility, allowing a unified view of applications running across cloud and on-premises environments. A key feature is the integration of adversary intelligence, which maps cloud risks to known threat actor profiles, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, enabling risk prioritization based on observed attacker behavior and targeted industries. These advancements aim to close security gaps and reduce breach risks, addressing the rise in cloud intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report. The CNAPP enhancements also include runtime analysis to understand how applications interact with infrastructure, improving the ability to remediate issues effectively.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Cloud Misconfiguration):\u003c/strong\u003e An organization\u0026rsquo;s cloud environment contains misconfigured storage resources with overly permissive access. This is often a result of configuration drift or human error.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery (Application Inventory):\u003c/strong\u003e An attacker identifies the organization uses cloud-based infrastructure, and begins reconnaissance to determine publicly accessible services and data stores. They use publicly available cloud enumeration tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Exploit Weak IAM):\u003c/strong\u003e The attacker exploits weak Identity and Access Management (IAM) policies to gain access to a service account with broad permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Application Dependency Mapping):\u003c/strong\u003e The attacker identifies business-critical applications connected to the storage resource using application dependency mapping and runtime analysis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access (PII Exposure):\u003c/strong\u003e The attacker accesses the compromised storage resource containing customer Personally Identifiable Information (PII) because the application processes sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Data Theft):\u003c/strong\u003e The attacker exfiltrates the sensitive data to an external controlled server, leveraging the compromised service account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Data Breach):\u003c/strong\u003e The organization experiences a data breach, resulting in financial losses, reputational damage, and regulatory fines due to the exposed PII.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of cloud misconfigurations and vulnerabilities can lead to significant data breaches, resulting in financial losses, reputational damage, and regulatory penalties. The 2026 Global Threat Report indicates a 266% surge in cloud intrusions by state-nexus threat actors in 2025, highlighting the increasing risk and potential for widespread impact across various sectors. Organizations operating in targeted industries, such as financial services (a known target of groups like LABYRINTH CHOLLIMA), face a higher likelihood of being compromised. The compromise of AI-driven applications can expose sensitive data to external AI services, further exacerbating the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Cloud Account with Excessive Permissions\u0026rdquo; to identify accounts with overly permissive access as described in the attack chain (related to Initial Compromise).\u003c/li\u003e\n\u003cli\u003eLeverage CrowdStrike\u0026rsquo;s adversary intelligence to prioritize cloud risks associated with threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (Adversary Intelligence for Cloud Risks).\u003c/li\u003e\n\u003cli\u003eUtilize Application Explorer to gain visibility into application dependencies and identify business-critical applications connected to cloud resources to focus remediation efforts effectively (Application Explorer).\u003c/li\u003e\n\u003cli\u003eMonitor cloud environments for suspicious activity using cloud-native logging and alerting mechanisms to detect lateral movement and data exfiltration attempts (Attack Chain steps 3-6).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T07:29:13Z","date_published":"2026-03-29T07:29:13Z","id":"/briefs/2026-05-cnapp-adversary-risk/","summary":"CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for risk prioritization, application-layer visibility, and runtime analysis, addressing critical gaps in cloud security and enabling faster remediation based on threat actor behavior like LABYRINTH CHOLLIMA and SCATTERED SPIDER.","title":"CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization","url":"https://feed.craftedsignal.io/briefs/2026-05-cnapp-adversary-risk/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloud_security","version":"https://jsonfeed.org/version/1.1"}