{"id":4221,"date":"2025-08-04T07:00:00","date_gmt":"2025-08-04T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4221"},"modified":"2025-08-04T07:00:00","modified_gmt":"2025-08-04T07:00:00","slug":"crowdstrike-a-new-era-of-cyberthreats-from-sophisticated-threat-actors-is-here","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4221","title":{"rendered":"CrowdStrike: A new era of cyberthreats from sophisticated threat actors is here"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs and their teams are entering a \u201cnew era\u201d of cyberthreats characterized by sophisticated threat actors who operate with \u201cbusiness-like efficiency,\u201d researchers from CrowdStrike conclude in the cybersecurity giant\u2019s <a href=\"https:\/\/www.crowdstrike.com\/en-us\/resources\/reports\/threat-hunting-report\/\">2025 Threat Hunting Report<\/a>.<\/p>\n<p>\u201cThese adversaries operate with strategic precision to maximize impact and quickly achieve their goals,\u201d CrowdStrike said in the report. \u201cInnovation is a critical cornerstone to outmaneuver and disrupt the enterprising adversary.\u201d<\/p>\n<p>Chief among the emerging adversarial tactics is the rapid adoption of AI technologies. \u201cThe more advanced adversaries use generative AI to increase sophistication, to increase the speed at which they operate, and to increase their capability,\u201d Adam Meyers, CrowdStrike\u2019s senior VP, said during a press briefing.<\/p>\n<p>\u201cWe can see that they\u2019re using gen AI to create more sophisticated phishing,\u201d Meyers said. \u201cThey\u2019re using it for business email compromise scams. They\u2019re using natural language and things like that to make more compelling phishing content. 
They\u2019re also using generative AI to create identities.\u201d<\/p>\n<p>The challenge of stopping these more effective adversaries is that they rely heavily on exploiting hard-to-control human factors through social engineering, <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html\">now often aided by AI<\/a>, and they target unmanaged devices outside IT\u2019s purview to hide themselves from detection.<\/p>\n<p>In its report, CrowdStrike offers case studies of select groups to illustrate the advanced nature of the threats defenders face, clustering these groups according to their basic fields or sphere of operations, such as cross-domain, identity, cloud, endpoint, and vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">Cross-domain: Blockade Spider and Operator Panda<\/h2>\n<p>Cross-domain adversaries engage in dispersed actions across various domains, including identity systems, endpoints, and the cloud, to better avoid detection or make it harder to identify their actions as being part of a coordinated effort. \u00a0<\/p>\n<p>\u201cThis is becoming the norm,\u201d Meyers said. \u201cIt is no longer novel or an exception. When I talk about cross-domain attacks, I am talking about something that spans multiple domains within the security environment.\u201d For example, \u201cOnce they have compromised the identity rather than going after the endpoints, they use those identities to pivot into the cloud,\u201d he said. 
\u201cThey then use that to pivot to unmanaged devices.\u201d<\/p>\n<p>CrowdStrike offers case studies of two threat actors, an \u201ceCrime\u201d adversary dubbed Blockade Spider and a Chinese state threat group, Operator Panda, both of which rely on cross-domain attacks.<\/p>\n<p>In early 2025, CrowdStrike observed Blockade Spider access a network via an unmanaged VPN, where it performed several actions, including attempting to dump credentials from a Veeam Backup and Replication configuration database and delete backup files. The group also repeatedly tried to interfere with CrowdStrike\u2019s Falcon sensor.<\/p>\n<p>Despite Blockade Spider deeply embedding itself in the target\u2019s network, CrowdStrike was able to fully observe its activity, and the customer was ultimately able to shut down the threat actor\u2019s access.<\/p>\n<p>Regarding Operator Panda, better known as <a href=\"https:\/\/www.csoonline.com\/article\/4023313\/salt-typhoon-hacked-the-us-national-guard-for-9-months-and-accessed-networks-in-every-state.html\">Salt Typhoon<\/a>, CrowdStrike discovered that in mid-2024, the group targeted a US-based telecommunications entity and a US-based consulting and professional services firm by exploiting Cisco switches running Cisco IOS and Cisco IOS XE. 
To better hide their activities, Operator Panda sanitized logs from the compromised Cisco switches.<\/p>\n<p>They also chained vulnerabilities, leveraging one flaw to create a local user account, which they then used to exploit another vulnerability in a different component of the Cisco web UI feature, enabling them to run arbitrary commands on the device.<\/p>\n<h2 class=\"wp-block-heading\">Identity threats: Scattered Spider<\/h2>\n<p>Identity-oriented adversaries exploit human weaknesses, using compromised credentials obtained through social engineering and AI-based tools to gain access to networks.<\/p>\n<p>Voice-based phishing is one identity-based attack tool rising in prominence, having increased in use by 443% last year, according to Meyers. \u201cThis is on track to double by the end of 2025,\u201d he said. \u201cSo, voice-based phishing continues to be a huge opportunity for threat actors to take advantage of some of the security or bypass some of the security controls, oftentimes calling the help desk and saying, \u2018Hey, this is a legitimate user in the environment, I can\u2019t access my account, and I need a password reset.\u2019\u201d<\/p>\n<p>\u201cScattered Spider has really kind of been leading the way in [the evolution of] social engineering attacks,\u201d Meyers said.<\/p>\n<p>Following a dormant period, the group came roaring back in April 2025, <a href=\"https:\/\/www.csoonline.com\/article\/3994369\/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html\">engaging in impersonation campaigns<\/a> to gain access to a host of organizations. In its report, CrowdStrike said that in one 2025 ransomware incident, Scattered Spider progressed from initial access to encryption within 24 hours, far faster than its average time of 35.5 hours in 2024 and 80 hours in 2023. 
This has been a trend seen across the industry, with ransomware gangs extorting victims <a href=\"https:\/\/www.csoonline.com\/article\/3825444\/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html\">less than a day after initial intrusion<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Cloud threats: Genesis Panda and Murky Panda<\/h2>\n<p>Over the past 12 months, CrowdStrike has observed a 40% increase in cloud intrusions associated with China-nexus groups. \u201cThe cloud is an ideal target,\u201d Meyers said. \u201cIt is huge. It has vast amounts of data. Oftentimes, Chinese nexus adversaries can employ some innovative tactics, such as using ORB [Operational Relay Box] networks to avoid detection and to make it more difficult to see what they\u2019re up to.\u201d<\/p>\n<p>In its report, CrowdStrike highlighted the case of Genesis Panda. Since at least March 2024, the group has been able to use cloud services to support tool deployment, command and control (C2) communications, and exfiltration, targeting cloud service provider (CSP) accounts to expand access and establish alternate forms of persistence. In October 2024, CrowdStrike identified hands-on keyboard activity from a Genesis Panda implant running on a cloud compute instance, likely using compromised credentials from cloud VMs to target the organization\u2019s cloud account.<\/p>\n<p>In early March 2025, CrowdStrike identified an intrusion in which Genesis Panda obtained credentials to the target organization\u2019s cloud provider account by querying the instance metadata service (IMDS) after exploiting a public-facing Jenkins server. 
The group then added SSH keys and created a backdoor access key on the cloud service account, later reusing it to regain access.<\/p>\n<p>Another China-nexus group, Murky Panda, targets cloud environments through trusted relationships between partner organizations and their cloud tenants, particularly in North America.<\/p>\n<p>In late 2024, CrowdStrike responded to an incident in which Murky Panda likely compromised a supplier of a North American entity, using the supplier\u2019s admin access to add a temporary backdoor account to the victim entity\u2019s Entra ID tenant. Murky Panda then backdoored several preexisting Entra ID service principals related to Active Directory management and email.<\/p>\n<h2 class=\"wp-block-heading\">Endpoint threats: Glacial Panda<\/h2>\n<p>Endpoint threat actors operate on extended timelines, waiting with stealth and persistence to sustain access, harvest data, and prepare for future operations, with China-nexus adversaries mastering this approach.<\/p>\n<p>\u201cThese adversaries demonstrate deep knowledge of the endpoints that are there, what threat hunters have to enable them to look at those, and what types of detections are being used,\u201d Meyers said. 
\u201cSo, the adversaries have learned how the defenders are operating and how the threat hunters are looking, and they look to avoid detection.\u201d<\/p>\n<p>One such adversary, a China nexus group called Glacial Panda, which CrowdStrike said operates across the telecommunications industry, likely conducts targeted intrusions for intelligence collection purposes, primarily targeting telcos\u2019 Linux systems, including legacy systems that support older technologies.<\/p>\n<p>Glacial Panda deploys trojanized OpenSSH tools on compromised Linux hosts to log user authentication events and support lateral movement by tracking remote connections to other hosts in a technique CrowdStrike calls ShieldSlide.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability threats: Graceful Spider<\/h2>\n<p>Fifty-two percent of vulnerabilities CrowdStrike observed in 2024 were related to initial access, with exploitation of internet-exposed applications a prevalent method, underscoring the importance of vulnerability management in managing zero-day exploitation.<\/p>\n<p>\u201ceCrime actors are quickly able to take the learnings from when a nation state finds one of those zero days and it gets documented in a blog post,\u201d Meyers said. \u201cThen the eCrime actors can take that information and quickly weaponize it to do more widespread exploitation.\u201d<\/p>\n<p>In its report, CrowdStrike points to an incident involving the group Graceful Spider and how it impacted Cleo data transfer products in late 2024.<\/p>\n<p>On Dec. 7, 2024, CrowdStrike detected suspected exploitation of multiple Cleo products on Windows and Linux servers, with compromises across Cleo instances in various sectors and geographies. 
Based on the threat actor\u2019s targets, speed, scope, and tactics, CrowdStrike determined the activity was likely a zero-day file upload exploit leading to remote code execution related to an earlier vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">Top takeaways for defenders<\/h2>\n<p>Based on the trends in CrowdStrike\u2019s report, Meyers offered defenders a few key takeaways.<\/p>\n<p><strong>Implement identity threat detection.<\/strong> When it comes to identity threats, \u201crolling out identity threat detection response is one of the tools to protect those identities, making sure that you have adequate threat hunting to hunt across those identities,\u201d he said.<\/p>\n<p><strong>MFA is a must.<\/strong> As has been standard security advice for years now, \u201cRolling out multifactor authentication using good multifactor authentication, meaning not SMS, is critical,\u201d Meyers added.<\/p>\n<p><strong>Harden the cloud.<\/strong> Another takeaway is to \u201cdefend the cloud,\u201d Meyers said. \u201cThe cloud is increasingly being identified as a soft spot for organizations that haven\u2019t implemented proper cloud security.\u201d<\/p>\n<p><strong>Shore up cross-domain visibility gaps.<\/strong> \u201cThat means instrumenting identity, that means instrumenting cloud, and that means having visibility into unmanaged devices through finding those unmanaged devices and deploying things like EDR to them,\u201d Meyers said. \u201cAnd if they don\u2019t support EDR, then instrument them into next-gen SIEM [security information and event management] solutions.\u201d<\/p>\n<p><strong>Check your patch priorities.<\/strong> \u201cA lot of organizations are still patching based on the vulnerabilities\u2019 criticality,\u201d Meyers said. \u201cWe advocate \u2026 understanding what vulnerabilities are being exploited and patching those immediately. 
CISA puts out the known exploited vulnerabilities every week, which updates organizations on what they\u2019re seeing. So having the patch model be what is being exploited and patching that first is incredibly important.\u201d<\/p>\n<p><strong>Know thy enemy.<\/strong> \u201cIt\u2019s important to know your adversary,\u201d Meyers said. \u201cUnderstand who these threat actors are, how they operate, what they\u2019re up to, and how they\u2019re changing to instrument your defenses.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs and their teams are entering a \u201cnew era\u201d of cyberthreats characterized by sophisticated threat actors who operate with \u201cbusiness-like efficiency,\u201d researchers from CrowdStrike conclude in the cybersecurity giant\u2019s 2025 Threat Hunting Report. \u201cThese adversaries operate with strategic precision to maximize impact and quickly achieve their goals,\u201d CrowdStrike said in the report. \u201cInnovation is a 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4222,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4221"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4221"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4221\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4222"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}