
This analysis will self-destruct…

Chris Clements, VP of Solutions Consulting


Insights from the CrowdStrike 1H 2025 Threat Hunting Report

https://go.crowdstrike.com/rs/281-OBQ-266/images/Threat-Hunt-Report-2025.pdf

Here’s some (admittedly time-sensitive) analysis of the data contained in CrowdStrike’s Threat Hunting Report:

  1. More “human” hacking
  • Interactive intrusions are up 27% YoY, and vishing attacks in the first half have already surpassed all of 2024’s totals.  Technical controls are being bypassed in favor of blending in with normal IT administration and exploiting human vulnerability.
  • Cybercrime still dominates as the motivation, accounting for 73% of total intrusions.  Rule 1 of crime continues to apply: follow the money.
  • 81% of intrusions used no malware.  You have the latest next-gen, AI-powered, ungodly expensive EDR?  Cool.  Threat actors are compromising you using the super sophisticated “I just downloaded it, bro” technique (super effective).
  2. AI is democratizing cybercrime

For as much catastrophe over AI’s potential for autonomous attacks, for right now the reality is more nuanced. Adversaries are not replacing their existing tactics, techniques, and procedures (TTPs) with AI; rather, they are using GenAI as a powerful force multiplier to enhance their current operations, making them faster, more scalable, and more deceptive. 

  • AI tools themselves are becoming a new and attractive attack surface. The report warns that trusted AI tools will emerge as the next insider threat. This was demonstrated by the exploitation of CVE-2025-3248, a critical vulnerability in Langflow, a popular open-source tool for building AI applications. Threat actors exploited this vulnerability to achieve unauthenticated remote code execution, using it to establish persistence, dump credentials, and deploy malware, including the XMRig cryptominer and Cerber ransomware. 
  • Vibe-malware: use of AI coding tools is lowering the barrier to create bespoke malware.  You don’t have to be a good programmer anymore to create destructive code. 
  • AI-Powered Social Engineering: Using video, audio and text, many organizations are being breached through lax hiring processes. The North Korea-linked group FAMOUS CHOLLIMA is highlighted as being particularly proficient in this area, having infiltrated over 320 organizations in the past year using these methods (220% YoY increase). 
  3. Migrated to the cloud?  So have cyberattacks.

The corporate data center has withered and died, and the cloud has become the core of modern enterprise infrastructure. Adversaries have followed this migration, and the cloud is now a primary battlefield. 

  • Cloud intrusions increased by 136% in the first half of 2025 compared to the entirety of 2024. This is the fastest-growing segment of the threat landscape. 

So what to do in light of this info? 

  1. Realize that pure technical controls aren’t enough.  Attackers will use legitimate software to compromise you.  In addition to your normal endpoint protection, look for outlier software and behaviors.
  2. Operator, I need a hardline: Humans will continue to be targeted to give threat actors access.  Make sure you have robust identity verification controls in place so that “hey helpdesk, can you reset my password?” doesn’t land you on the front page.
  3. Make sure your cloud isn’t the fog of war:  Yes, make sure you really do understand the configurations and controls your SaaS and PaaS providers offer, but also make sure your unified detection and response plans incorporate the new core of your business operations.
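As an added illustration of “look for outlier software and behaviors” (example code written for this post, not CrowdStrike’s or the report’s; the hosts, users, paths and hash values are constructed placeholders), here is a prevalence check over process-execution events that flags binaries rare across the fleet, known tools running outside their expected host group, and executables launched from user-writable paths:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str   # full path of the executable that ran
    sha256: str  # constructed placeholder values, not real hashes


# Constructed sample telemetry (hypothetical hosts, users and tools). The remote
# support tool is routine on helpdesk machines but also appears once on a finance
# workstation, and an archiver runs from a user profile directory.
EVENTS = [
    ProcEvent("hd-01", "alice", r"C:\Program Files\Acme Remote\acme.exe", "h-remote"),
    ProcEvent("hd-02", "bob", r"C:\Program Files\Acme Remote\acme.exe", "h-remote"),
    ProcEvent("hd-03", "carol", r"C:\Program Files\Acme Remote\acme.exe", "h-remote"),
    ProcEvent("fin-07", "dave", r"C:\Users\dave\AppData\Local\Temp\acme.exe", "h-remote"),
    ProcEvent("fin-07", "dave", r"C:\Users\dave\Downloads\7z.exe", "h-archiver"),
    ProcEvent("hd-01", "alice", r"C:\Windows\System32\svchost.exe", "h-svchost"),
    ProcEvent("fin-07", "dave", r"C:\Windows\System32\svchost.exe", "h-svchost"),
]

# Directories a normal user can write to; legitimate software rarely runs from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def host_prevalence(events):
    """Number of distinct hosts on which each binary (keyed by hash) executed."""
    seen = defaultdict(set)
    for e in events:
        seen[e.sha256].add(e.host)
    return {h: len(hosts) for h, hosts in seen.items()}


def find_outliers(events, max_hosts=1, expected_hosts=None):
    """Return (event, reasons) pairs worth a second look. `expected_hosts` maps a
    hash to the set of hosts where that tool is normally used (the baseline)."""
    expected = expected_hosts or {}
    prev = host_prevalence(events)
    hits = []
    for e in events:
        reasons = []
        if prev[e.sha256] <= max_hosts:
            reasons.append(f"rare: seen on {prev[e.sha256]} host(s)")
        if e.sha256 in expected and e.host not in expected[e.sha256]:
            reasons.append("known tool outside its expected host group")
        if e.image.lower().startswith(USER_WRITABLE):
            reasons.append("executed from user-writable path")
        if reasons:
            hits.append((e, reasons))
    return hits
```

Run against real telemetry, the baseline would be built from weeks of history rather than a hard-coded dictionary, and the prevalence window would be per day or per week.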