Building a Strategy to Secure Your Cloud Storage
Mitigate risks and protect your business with Antivirus for AWS by Cloud Storage Security (CSS).
Casmer Labs Presents: Quarterly Threat Report (Q3 25')
In Q3 2025, Casmer Labs tracked high-impact incidents that targeted data in cloud storage, driven by misconfiguration, credential abuse, and rapidly evolving malware. This report explains what happened across S3, EBS, EFS, and FSx, highlights the signals that matter, and details practical steps to strengthen monitoring, validate access and configuration, and contain threats before data loss occurs. Use it to prioritize controls that lower exposure and to prepare audit-ready evidence in complex multi-account environments.

This paper discusses:
How to use AWS native telemetry such as CloudTrail, S3 Server Access Logs, VPC Flow Logs, and GuardDuty to trace file movement, correlate identities, and surface unauthorized access.
Incident response guidance aligned to NIST Special Publication 800-61 Revision 3, including containment, eradication, and recovery steps for malware, misconfiguration, and ransomware in storage.
How SIEM and SOAR integrations with AWS services improve detection, accelerate investigation, and strengthen post-incident visibility across complex multi-account environments.
Summarized Excerpt
In Q3 2025, attacker activity concentrated on data stored in the cloud. The quarter featured high-impact events that reached mainstream attention, including the Jaguar Land Rover outage linked to credential compromise and the Salesloft and Drift incident involving OAuth token abuse.
Misconfiguration remained a major driver of exposure, with public storage resources leading to significant data leaks such as AJT Compliance, Navy Federal Credit Union, FTX Japan, and Nupay.
The malware picture also shifted further toward data theft and extortion. Infostealers were the most prevalent family observed, and ransomware-as-a-service groups such as Qilin continued to expand operations against North American targets. These trends reinforce the need for malware scanning in storage, persistent activity monitoring, and rapid correlation of identities and access across accounts and buckets.
The report provides clear guidance you can put to work now. Recommendations include a strong backup strategy, password hygiene and MFA, S3 lifecycle event notifications, continuous analysis of logs for anomalous access, automated configuration monitoring with rapid remediation, and targeted security training. It also explains how to use AWS native telemetry such as CloudTrail, S3 server access logs, VPC Flow Logs, and GuardDuty to trace file movement, validate configuration, and improve post-incident response.