Like a hurricane kicking off as a gentle breeze in the middle of the Atlantic, most cloud breaches start very small. All it takes is a bad actor stealing an identity or taking over a compromised endpoint such as a laptop, and suddenly an organization’s most valuable assets—often kept in a public or private cloud—are in danger.
Even worse, cloud intrusions increased by 136% during the first half of 2025 compared to all of 2024, according to CrowdStrike’s 2025 threat-hunting report. The cybersecurity organization attributed this to more threat actors understanding how to exploit cloud environments.
Cameron Sipes, the director of cloud security product marketing at SentinelOne, also pins the skyrocketing rate of intrusions on rising cloud adoption and the use of AI in cyberattacks.
“AI has rapidly expanded the attack surface, very similar to what cloud did,” Sipes said. “It just introduced new surfaces that we haven’t had to think about before, and not only new surfaces but actually multiple layers.”
Adam Meyers, CrowdStrike’s senior vice president of counter adversary operations (CAO), said during a virtual media roundtable for the release of the threat-hunting report that the sharp rise in cloud intrusions came alongside other innovative adversary tactics, such as operational relay box (ORB) networks used to avoid detection while harvesting credentials.
“The cloud is an ideal target, it is huge, it has vast amounts of data,” Meyers said. “Oftentimes there’s misconfigurations within that cloud infrastructure which make it such an attractive target.”
Cloudy with a chance of AI. Sipes predicted that cloud adoption could increase next year as even more organizations shift from on-premises databases to private and public clouds. With so much “crown jewel data,” the cloud is an attractive target.
“I joke that it feels like there’s a trend in our culture, in general, everything old is new again—old-fashioned is cool again,” Sipes said. “Apparently old bad guy tools are new again.”
The rise of AI, including LLMs, has given attackers a way to supercharge yesteryear’s tools. Infostealers, malware that quietly collects sensitive information from a device and sends it back to the attacker, have returned in the form of Predator AI, a cloud-focused infostealer that uses ChatGPT to summarize and enrich what it collects faster and more efficiently.
Typosquatting, the practice of registering a deliberately misspelled domain name that differs only slightly from a common URL and then using that domain to serve malware, has also returned in a new, AI-centric form: slopsquatting.
As IT Brew previously reported, slopsquatting exploits the package names that AI coding assistants hallucinate. An attacker registers one of those non-existent names on an open-source repository; a developer who installs what the assistant suggested, without noticing that nobody legitimate ever published it, pulls in the attacker’s package, which carries code that runs as malware.
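A practical counter to slopsquatting and typosquatting is a pre-install gate on any dependency an assistant proposes. The following is an added example written for this article, not code from IT Brew, SentinelOne or CrowdStrike. The allowlist and the registry snapshot are constructed stand-ins; in a real pipeline the metadata would come from the package index (for PyPI, the JSON API at https://pypi.org/pypi/NAME/json) and the allowlist from the project’s lock file. The thresholds (`max_distance`, `min_age_days`) are assumed, tunable values.

```python
"""Pre-install check for package names suggested by an AI coding assistant.

Added example; not code from the IT Brew article or any vendor tool.
The allowlist and registry metadata below are constructed for illustration.
"""
import re
from datetime import date


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Constructed allowlist: packages the project already depends on (normalized names).
KNOWN_GOOD = {"requests", "boto3", "cryptography", "pyjwt"}

# Constructed registry snapshot: normalized name -> (date of first release, number of releases).
# A name missing from this dict is treated as "not on the index at all".
REGISTRY = {
    "requests": (date(2011, 2, 14), 150),
    "boto3": (date(2015, 6, 22), 900),
    "cryptography": (date(2013, 8, 1), 180),
    "pyjwt": (date(2011, 8, 1), 60),
    "requets": (date(2025, 9, 30), 1),               # typosquat: one edit away from "requests"
    "boto3-session-helper": (date(2025, 10, 2), 1),  # slopsquat: plausible name, registered days ago
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(name, today=date(2025, 10, 15), max_distance=2, min_age_days=30, registry=REGISTRY):
    """Classify a proposed dependency as ('ok' | 'review' | 'block', reason)."""
    n = normalize(name)
    if n in KNOWN_GOOD:
        return "ok", "already in the dependency allowlist"
    meta = registry.get(n)
    if meta is None:
        # The assistant suggested a name nobody has published. Do not "retry later":
        # a package that later appears under this name is the slopsquat itself.
        return "block", "not on the index: likely a hallucinated name"
    nearest = min(KNOWN_GOOD, key=lambda k: edit_distance(n, k))
    d = edit_distance(n, nearest)
    if d <= max_distance:
        return "block", f"lookalike of allowlisted '{nearest}' (edit distance {d})"
    first_release, release_count = meta
    age = (today - first_release).days
    if age < min_age_days or release_count <= 1:
        return "review", f"registered {age} days ago with {release_count} release(s): verify the publisher first"
    return "ok", f"established package ({release_count} releases, first published {first_release})"


if __name__ == "__main__":
    for candidate in ["Requests", "requets", "boto3-session-helper", "aws-lambda-autoconfig"]:
        print(candidate, "->", assess(candidate))
```

The order of the checks matters: a name that exists but sits within two edits of something already trusted is blocked outright, while a genuinely new name is merely held for review, because new legitimate packages do get published. The "not on the index" case is the one specific to slopsquatting; treating it as a hard stop rather than a soft failure removes the window an attacker relies on.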
More storms are brewing. Alongside AI-assisted attacks on cloud environments, threat actors are turning to ORB networks, a tool favored by China-nexus threat actors: meshes of compromised or rented devices chained together as relays so that the origin of espionage traffic is disguised.
Additionally, Meyers said that CrowdStrike has seen adversaries harvesting credentials and pivoting to the cloud control plane, the management layer through which a company’s cloud environment is configured and controlled.
“They gain access to a legitimate credential and then that account perhaps has some cloud access, or they’re able to then escalate privilege to an account that has cloud access, which allows them to run commands on cloud,” Meyers said.
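The sequence Meyers describes leaves a recognizable trail in control-plane audit logs: a known principal suddenly calling the API from an unfamiliar address, enumerating identities and policies, then granting itself more access. The following is an added example, not CrowdStrike’s detection logic or code from the article. The events are constructed, trimmed CloudTrail-style records (field names follow CloudTrail); the baseline cutoff, the API lists and the recon threshold are assumed parameters a team would tune to its own telemetry.

```python
"""Spot a stolen credential being used against the cloud control plane.

Added example; not code from CrowdStrike or the IT Brew article. The events are
constructed, simplified CloudTrail-style records. Idea: learn each principal's usual
source IPs from a baseline window, then alert when, from an IP outside that baseline,
the principal (1) bursts through IAM/STS read calls (reconnaissance) or
(2) calls an API that grants or persists access (escalation).
"""
import json
from collections import defaultdict

# Constructed events, one JSON object per line. 203.0.113.10 is dev-alice's usual egress IP;
# 192.0.2.55 is where her leaked access key is later used from.
EVENTS_JSONL = """\
{"eventTime":"2025-10-01T09:00:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"203.0.113.10","eventSource":"s3.amazonaws.com","eventName":"ListBuckets"}
{"eventTime":"2025-10-02T10:12:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"203.0.113.10","eventSource":"s3.amazonaws.com","eventName":"GetObject"}
{"eventTime":"2025-10-03T11:00:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7","eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2"}
{"eventTime":"2025-10-07T02:14:01Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"192.0.2.55","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity"}
{"eventTime":"2025-10-07T02:14:05Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"192.0.2.55","eventSource":"iam.amazonaws.com","eventName":"ListUsers"}
{"eventTime":"2025-10-07T02:14:09Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"192.0.2.55","eventSource":"iam.amazonaws.com","eventName":"ListAttachedUserPolicies"}
{"eventTime":"2025-10-07T02:15:30Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"192.0.2.55","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","requestParameters":{"userName":"dev-alice","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2025-10-07T02:16:02Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"192.0.2.55","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2025-10-07T08:00:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"198.51.100.7","eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2"}
{"eventTime":"2025-10-07T09:30:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"203.0.113.10","eventSource":"s3.amazonaws.com","eventName":"GetObject"}
"""

# IAM calls that hand out or persist access; one of these from an unfamiliar IP is an alert on its own.
ESCALATION_APIS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy", "CreateUser",
}
RECON_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}
RECON_PREFIXES = ("List", "Get", "Describe")


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events, baseline_until, recon_threshold=3):
    """Return a list of alert dicts. Events must be in time order; CloudTrail's
    ISO-8601 UTC eventTime strings compare correctly as plain strings."""
    known_ips = defaultdict(set)
    for ev in events:
        if ev["eventTime"] < baseline_until:
            known_ips[ev["userIdentity"]["arn"]].add(ev["sourceIPAddress"])

    alerts, recon_seen = [], defaultdict(set)
    for ev in events:
        if ev["eventTime"] < baseline_until:
            continue
        who, ip, api = ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["eventName"]
        if ip in known_ips[who]:
            continue  # usual location for this principal; nothing unusual on its own
        if api in ESCALATION_APIS:
            alerts.append({"kind": "escalation", "principal": who, "ip": ip, "api": api,
                           "params": ev.get("requestParameters", {})})
        elif ev["eventSource"] in RECON_SOURCES and api.startswith(RECON_PREFIXES):
            recon_seen[(who, ip)].add(api)
            if len(recon_seen[(who, ip)]) == recon_threshold:  # fire once per (principal, ip)
                alerts.append({"kind": "recon", "principal": who, "ip": ip,
                               "api": sorted(recon_seen[(who, ip)])})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(EVENTS_JSONL), baseline_until="2025-10-05T00:00:00Z"):
        print(alert)
```

On the constructed data the detector raises three alerts for dev-alice at 192.0.2.55: a reconnaissance burst (GetCallerIdentity, ListUsers, ListAttachedUserPolicies), the AttachUserPolicy that bolts AdministratorAccess onto her own user, and the CreateAccessKey issued for a different user, which is how an intruder keeps a foothold after the stolen key is rotated. The CI principal and her later activity from the usual IP produce nothing. A static IP baseline is a deliberate simplification; production rules would key on ASN, user agent and session identity as well.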
What to do. While fending off cloud intrusions can be tough, SentinelOne recommends that practitioners implement best practices, including strong authentication, employee awareness, and regular security assessments.
Sipes said, concerning prevention, “Cloud security needs to be proactive and reactive. What I mean by that is that core kind of [cloud security posture management] use case of reducing your attack surface.”
Organizations should, according to Sipes, inventory their cloud environments, check for cloud-native misconfigurations, ensure compliance, and proactively defend against intrusions.
On the reactive side, organizations should implement a cloud workload protection platform (CWPP) that offers runtime security. “Bad guys will come knocking,” Sipes said. “When they do, do your cloud workloads themselves have the ability to autonomously detect, respond, and remediate threats?”
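The proactive half, inventorying the environment and checking it for the misconfigurations Meyers called out, is mechanical enough to show. Below is an added example of a minimal posture check; it is not a SentinelOne product, CrowdStrike tooling, or code from the article. The inventory is a constructed snapshot with AWS-flavoured field names; a real run would fill it from the provider’s APIs and carry far more checks, and the severities assigned here are assumptions.

```python
"""Minimal cloud posture check: flag the classic misconfigurations in an inventory snapshot.

Added example; not vendor code or code from the IT Brew article. The inventory is a
constructed snapshot; in practice it would be populated from the provider's APIs
(security groups, bucket ACLs and public-access settings, IAM users and MFA devices).
"""
from ipaddress import ip_network

# Constructed inventory snapshot.
INVENTORY = {
    "buckets": [
        {"name": "prod-reports", "acl": "private", "block_public_acls": True, "encryption": "aws:kms"},
        {"name": "marketing-assets", "acl": "public-read", "block_public_acls": False, "encryption": None},
    ],
    "security_groups": [
        {"id": "sg-0a1b", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
        {"id": "sg-0c2d", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                                      {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-0e3f", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    ],
    "iam_users": [
        {"name": "dev-alice", "console_login": True, "mfa_enabled": True},
        {"name": "contractor-bob", "console_login": True, "mfa_enabled": False},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never world-reachable


def check_buckets(buckets):
    findings = []
    for b in buckets:
        if b["acl"] != "private" and not b["block_public_acls"]:
            findings.append(("HIGH", f"bucket {b['name']}: public ACL with public access block disabled"))
        if not b["encryption"]:
            findings.append(("MEDIUM", f"bucket {b['name']}: no default encryption configured"))
    return findings


def check_security_groups(groups):
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if ip_network(rule["cidr"]).prefixlen != 0:
                continue  # scoped to a specific range; fine for this check
            # "0.0.0.0/0" and "::/0" both have prefix length 0, i.e. the whole internet
            if rule["from_port"] == 0 and rule["to_port"] == 65535:
                findings.append(("HIGH", f"{g['id']}: all ports open to the world"))
                continue
            exposed_admin = sorted(p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"])
            if exposed_admin:
                findings.append(("HIGH", f"{g['id']}: admin port(s) {exposed_admin} open to the world"))
    return findings


def check_iam_users(users):
    return [("HIGH", f"user {u['name']}: console login without MFA")
            for u in users if u["console_login"] and not u["mfa_enabled"]]


def run(inventory):
    """Return all findings as (severity, message) tuples, highest severity first."""
    findings = (check_buckets(inventory["buckets"])
                + check_security_groups(inventory["security_groups"])
                + check_iam_users(inventory["iam_users"]))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in run(INVENTORY):
        print(f"[{severity}] {message}")
```

On the snapshot this reports five findings: the public, unencrypted marketing bucket (two), SSH open to the world on sg-0c2d, an any-port rule on sg-0e3f, and a console user without MFA. Port 443 open to the internet is deliberately not flagged, since that is what a public web tier looks like; the point of a posture check is precision on the settings that actually grant an intruder a foothold, not a wall of noise.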