Casmer Labs Presents: Quarterly Threat Report (Q2 25')

The cyber threat landscape is constantly changing, influenced by global politics, technological advances, and more. In 2023, ChatGPT was first used to generate malicious code; in 2024, infostealers and high-profile attacks on federal and Fortune 500 organizations rose. In Q2 of 2025, new alarming trends made themselves known.

 

Casmer Labs monitors cloud-focused cyber threats, especially those that result in data breaches. Projections made in Q1 of 2025 included increased data breaches from misconfigurations and ransomware, escalating financial and reputational costs, and lower barriers for attackers due to RaaS and advanced tooling.

 

Q2 2025's main cloud data threats were:

  • Lack of monitoring (internal and external threats)
  • Misconfiguration-induced data breaches
  • Evolving ransomware strains from RaaS vendors

Lack of Monitoring

Q2 2025 saw a number of serious data breaches occur due to poor activity monitoring. The Coinbase attack (May 15, 2025) involved overseas support employees exfiltrating sensitive data, causing a 7% stock drop and an SEC investigation. While employee education helps, effective activity monitoring is crucial to stop determined attackers. The Ingram Micro incident, a VPN compromise leading to 5 days of downtime and likely data loss, also occurred in Q2 2025. Automated monitoring could have prevented or limited the scale of these incidents. Smaller incidents, like one at Columbia University, also occurred.

 

Casmer Labs recommends:

  • Robust backup strategy
  • Conditional IAM disabling of SSE-C encryption
  • S3 lifecycle event notifications
  • Basic digital security hygiene (frequent password changes, MFA)
  • Signature-based and anomaly detection activity monitoring
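
One way to verify the SSE-C recommendation above, as an added example that is not Casmer Labs' or Cloud Storage Security's code. It assumes the control is an S3 bucket policy that denies `s3:PutObject` whenever the request carries the `s3:x-amz-server-side-encryption-customer-algorithm` condition key; the policies and bucket name are constructed samples.

```python
import json

# S3 condition key that is present only when a request carries SSE-C headers.
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def blocks_sse_c(policy_json):
    """True if a Deny statement rejects PutObject for everyone when SSE-C is requested."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        if len(cond) != 1:  # extra operators would narrow the Deny; do not count it
            continue
        for key, val in cond.get("Null", {}).items():
            # Condition key names are not case-sensitive.
            # "Null": "false" means "the key is present", i.e. SSE-C was requested.
            if key.lower() == SSE_C_KEY and all(
                str(v).lower() == "false" for v in _as_list(val)
            ):
                return True
    return False

def _policy(null_value):
    # Constructed sample bucket policy; "example-bucket" is a placeholder name.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "SseCRule", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Null": {SSE_C_KEY: null_value}}}]})

HARDENED = _policy("false")  # denies uploads that request SSE-C
INVERTED = _policy("true")   # denies uploads WITHOUT SSE-C: the opposite control
NO_RULE = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    for name, doc in [("hardened", HARDENED), ("inverted", INVERTED), ("none", NO_RULE)]:
        print(name, "blocks SSE-C:", blocks_sse_c(doc))
```

The inverted policy is the failure mode worth testing for: it looks almost identical to the hardened one but enforces SSE-C instead of blocking it.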

Cloud Storage Security's DataDefender automates threat detection and mitigation, preventing data exfiltration and ransomware. Sign up for the beta here.

 

Misconfiguration Issues

In Q2 2025, Casmer Labs recorded over 15 major data breaches (1000+ records) derived from misconfigurations, with 11 linked to object storage services like Amazon S3, Azure Blob, and Google Cloud Storage.

 

WorkComposer exposed 21 million screenshots, including credentials, API keys, and internal emails, via a public Amazon S3 bucket on April 28, 2025. This information could fuel phishing and social engineering attacks.

 

As more organizations move to the cloud, data dispersion increases, leading to more misconfigurations due to human error. To mitigate this, Casmer Labs advises:

  • Restrict Public Access & Secure Cloud Storage: Implement strict access controls, regularly review permissions.
  • Monitor & Audit Access Logs: Continuously track logs for unauthorized activity, conduct retrospective analysis.
  • Encrypt Data at Rest & In Transit: Enable server-side encryption, use KMS for key management.
  • Automate Security Measures: Deploy automated checks for misconfigurations, use real-time alerts.
  • Conduct Regular Security Audits: Perform frequent assessments and penetration testing.
  • Train Employees on Cybersecurity Best Practices: Educate on data security, phishing, and access control.
  • Implement Automated Tools for Configuration Management: Ensure tools can identify and remediate issues at scale.
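
A minimal automated misconfiguration check of the kind the list above calls for, as an added example that is not Casmer Labs' or Cloud Storage Security's code. It audits the four S3 Block Public Access flags and looks for unconditioned wildcard `Allow` statements; the bucket names, account ID and configurations are constructed samples, and ACLs and condition logic are not evaluated.

```python
import json

# The four S3 Block Public Access settings.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(name, public_access_block, policy_json):
    """Return a list of findings for one bucket's public-access posture."""
    findings = []
    # A missing configuration is treated the same as every flag being off.
    missing = [f for f in BPA_FLAGS if not (public_access_block or {}).get(f, False)]
    if missing:
        findings.append(f"{name}: Block Public Access disabled for {', '.join(missing)}")
    statements = _as_list(json.loads(policy_json).get("Statement", [])) if policy_json else []
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"{name}: policy grants {actions} to everyone")
    return findings

# Constructed sample: a bucket readable by anyone.
EXPOSED = ("screenshots-example", dict.fromkeys(BPA_FLAGS, False), json.dumps(
    {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::screenshots-example/*"}]}))

# Constructed sample: all flags on, access limited to one (placeholder) account.
LOCKED = ("reports-example", dict.fromkeys(BPA_FLAGS, True), json.dumps(
    {"Statement": [{"Effect": "Allow",
                    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::reports-example/*"}]}))

if __name__ == "__main__":
    for bucket in (EXPOSED, LOCKED):
        for finding in audit_bucket(*bucket) or [f"{bucket[0]}: no findings"]:
            print(finding)
```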

DataDefender by Cloud Storage Security monitors over 90 configuration options across 10 cloud services, automatically or manually remediating issues like public S3 buckets or EBS snapshots. Sign up for the beta here.

 

Malware and Ransomware-as-a-Service

Casmer Labs' Q1 2025 predictions of rising malware (especially infostealers) and RaaS victims proved true in Q2. SafePay, linked to the Ingram Micro compromise, has victimized over 200 organizations since November 2024. While major ransomware groups (LockBit, Black Cat) have declined, new ones emerge, like Qilin, known for offering legal counsel to victims. Infostealers were the top malware family detected by Casmer Labs in Q2 2025, jumping from #3.

 

Bad actors are increasingly targeting the storage layer and the data within. Infostealers' rise in popularity highlights this shift. In addition to the previously mentioned best practices, Cloud Storage Security and Casmer Labs recommend:

  • Regularly Scan Data in Storage for Malware: Use in-tenant protection to detect malicious files before distribution.
  • Automate Threat Detection: Implement cloud-native tools for real-time file scanning.
  • Enforce Access Control and Encryption: Implement strict access policies and encrypt stored data.
  • Implement Continuous Monitoring Practices: Regularly audit cloud storage configurations and access logs.

 

Conclusion and Forward Outlook

Casmer Labs has discovered and monitors a number of distinct threats to organizations that store and process their data in the cloud. Chief among these threats are the lack of activity monitoring and misconfigurations, which have claimed hundreds of victims in Q2 of 2025 alone. As organizations continue to navigate the fast-moving world of cyber threats, one thing remains clear: given the sheer scale of the IT infrastructure that most organizations maintain, only so much can be done to prevent breaches without the use of competent, automated, focused tools.

 

About Cloud Storage Security

Cloud Storage Security (CSS) offers customers the ability to protect the storage layer in their cloud environments. DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:

  • Knows where its sensitive data resides
  • Configures its storage resources in a secure manner
  • Prevents the ingestion and distribution of malware, including ransomware
  • Identifies and stops internal and external attacks against storage, and the data within

 

The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.

 

Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.


