
Cloud Chaos: Red Canary Sounds the Alarm on Surging Identity and Cloud Threats

A new era of cloud-borne risk is here — and it’s not waiting for your endpoint agent to catch up.


Red Canary, now operating under the Zscaler banner, dropped its midyear Threat Detection Report today, and the findings are eye-popping: detections tied to cloud accounts have soared nearly 500% compared to all of 2024. It’s a sharp inflection point that underscores a sobering truth — the cloud and identity layers are the new front lines of cyber warfare, and most defenders are still bringing knives to a gunfight.


“Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems,” said Keith McCammon, co-founder of Red Canary. “Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments.”

Cloud’s Hidden Attack Surface Gets Exposed


The spike in detections isn’t just due to more threats — it’s also the result of Red Canary’s ramped-up capabilities in surfacing identity-based anomalies. AI agents now monitor for suspicious logins, behavioral oddities, and VPN abuse, flagging activity that would otherwise slip through traditional telemetry nets.
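One way the identity-side analytics described above can be expressed, as an added example rather than Red Canary's own detection logic: three checks run over a constructed sign-in log, namely impossible travel between a user's consecutive sign-ins, a first-seen country against a per-user baseline, and a source address inside a range assumed to be VPN or proxy egress. The users, IP addresses, coordinates, baseline, VPN range and the 900 km/h ceiling are all assumptions made for the example.

```python
"""Identity-layer detections over a constructed sign-in log.

Added example (not Red Canary's detection logic). Three checks:
  * impossible travel: consecutive sign-ins by one user imply a ground speed
    above MAX_KMH;
  * first-seen country: a country absent from the user's baseline;
  * anonymizer exit: source IP inside a range we label as VPN/proxy egress.
Users, IPs, coordinates, the baseline and the VPN ranges are all made up.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import math

# Constructed records: (UTC time, user, source IP, country, latitude, longitude)
SIGNINS = [
    ("2025-06-02T08:00:00", "alice", "203.0.113.10", "US", 47.6, -122.3),
    ("2025-06-02T08:35:00", "alice", "198.51.100.7", "UA", 50.4, 30.5),
    ("2025-06-02T09:00:00", "bob", "203.0.113.22", "US", 40.7, -74.0),
    ("2025-06-02T15:00:00", "bob", "203.0.113.23", "US", 40.7, -74.0),
    ("2025-06-03T09:10:00", "carol", "192.0.2.200", "US", 34.0, -118.2),
]
# Constructed baseline: countries each user has signed in from before.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
# Hypothetical commercial VPN / proxy exit ranges (real feeds are vendor data).
VPN_EXITS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_KMH = 900.0  # assumed ceiling: faster than an airliner means two actors


@dataclass
class Finding:
    user: str
    timestamp: str
    reason: str
    detail: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(signins=SIGNINS, baseline=KNOWN_COUNTRIES, vpn_exits=VPN_EXITS,
           max_kmh=MAX_KMH):
    """Run the three checks in time order and return the findings."""
    findings = []
    seen = {user: set(countries) for user, countries in baseline.items()}
    last = {}  # user -> (datetime, lat, lon) of that user's previous sign-in
    for ts, user, ip, country, lat, lon in sorted(signins):
        when = datetime.fromisoformat(ts)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in vpn_exits):
            findings.append(Finding(user, ts, "vpn_exit", ip))
        if country not in seen.setdefault(user, set()):
            findings.append(Finding(user, ts, "new_country", country))
            seen[user].add(country)
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (when - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            if hours > 0 and km / hours > max_kmh:  # guard identical timestamps
                findings.append(Finding(user, ts, "impossible_travel",
                                        f"{km:.0f} km in {hours:.2f} h"))
        last[user] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f"{f.timestamp} {f.user:6} {f.reason:17} {f.detail}")
```

With the constructed data, alice trips both the new-country and impossible-travel checks (Seattle to Kyiv in 35 minutes), carol is flagged only for the assumed VPN range, and bob's two same-city sign-ins produce nothing. The point is the correlation: each check alone is noisy, so a real pipeline would hand the combined findings to an analyst rather than auto-block.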


But detection is only part of the equation. For the first time, two cloud-native techniques, "Data from Cloud Storage" (MITRE ATT&CK T1530) and "Disable or Modify Cloud Firewall" (T1562.007), entered Red Canary's top ten most-detected techniques. These aren't exotic APT tools; they're low-and-slow operations, often enabled by misconfigurations, credential abuse, or even well-intentioned insider changes.


Misconfigured AWS S3 buckets and improperly exposed ingress ports are now more than sloppy engineering: a bucket readable by anyone is the setting in which "Data from Cloud Storage" plays out, and a security group rule opened to 0.0.0.0/0 is what "Disable or Modify Cloud Firewall" looks like in a CloudTrail log. They are exploitable assets in a growing playbook of pre-breach behaviors.
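As an added example (not Red Canary's detectors), the following detection logic runs over constructed CloudTrail records for the two techniques: a security group opened to the world, a bucket policy granting access to Principal "*", and a burst of GetObject reads by one principal against one bucket. The record shapes follow CloudTrail's JSON layout; the account ID, ARNs, bucket name, security group ID and the burst threshold are made up. It goes slightly beyond the text by also treating an IPv6 ::/0 rule and a DeleteSecurityGroup call as firewall modification.

```python
"""CloudTrail detections for the two techniques named in the report.

Added example, not Red Canary's detectors. Rules (thresholds are assumptions):
  * T1562.007: AuthorizeSecurityGroupIngress opening a port to 0.0.0.0/0 or
    ::/0, or a DeleteSecurityGroup.
  * exposure enabling T1530: PutBucketPolicy with Allow for Principal "*".
  * T1530: one principal reading >= GET_BURST objects from one bucket inside
    GET_WINDOW_S seconds (needs S3 data events enabled on the trail).
"""
from collections import defaultdict
from datetime import datetime, timedelta

GET_BURST = 3       # assumed: object reads per principal+bucket before alerting
GET_WINDOW_S = 300  # assumed: sliding window for that count
ACCT = "123456789012"  # made-up account ID


def sg_event(t, port, cidr):
    """Constructed AuthorizeSecurityGroupIngress record in CloudTrail layout."""
    return {"eventTime": t, "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/devops"},
            "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
                 "ipRanges": {"items": [{"cidrIp": cidr}]}, "ipv6Ranges": {"items": []}}]}}}


def s3_event(t, name, who, params):
    """Constructed S3 management or data event for the made-up bucket."""
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:{who}"},
            "requestParameters": dict(bucketName="corp-backups", **params)}


SAMPLE_EVENTS = [
    sg_event("2025-06-02T10:00:00Z", 22, "0.0.0.0/0"),   # SSH to the world: flag
    sg_event("2025-06-02T10:01:00Z", 443, "10.0.0.0/8"),  # internal only: quiet
    s3_event("2025-06-02T10:05:00Z", "PutBucketPolicy", "user/contractor",
             {"bucketPolicy": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::corp-backups/*"}]}}),
    s3_event("2025-06-02T11:30:00Z", "GetObject", "role/backup-job", {"key": "db/dump-0.sql.gz"}),
] + [s3_event(f"2025-06-02T10:0{6 + i}:00Z", "GetObject", "user/contractor",
              {"key": f"db/dump-{i}.sql.gz"}) for i in range(3)]


def world_open_ingress(req):
    """(protocol, fromPort, toPort, cidr) for each permission open to everyone."""
    hits = []
    for perm in req.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


def public_statements(policy):
    """Allow statements whose Principal is "*" or {"AWS": "*"} (or contains "*")."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
            out.append(s)
    return out


def detect(events):
    """Return (principal, rule, detail) findings in event-time order."""
    findings, reads = [], defaultdict(list)  # reads: (principal, bucket) -> times
    for e in sorted(events, key=lambda x: x["eventTime"]):
        name, req = e["eventName"], e.get("requestParameters") or {}
        who = e.get("userIdentity", {}).get("arn", "?")
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if name == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi, cidr in world_open_ingress(req):
                findings.append((who, "T1562.007 firewall opened",
                                 f"{req.get('groupId')} {proto} {lo}-{hi} from {cidr}"))
        elif name == "DeleteSecurityGroup":
            findings.append((who, "T1562.007 firewall deleted", req.get("groupId")))
        elif name == "PutBucketPolicy" and public_statements(req.get("bucketPolicy") or {}):
            findings.append((who, "bucket policy grants Principal *", req.get("bucketName")))
        elif name == "GetObject":
            window = reads[(who, req.get("bucketName"))]
            window.append(when)
            while when - window[0] > timedelta(seconds=GET_WINDOW_S):
                window.pop(0)  # drop reads that fell out of the sliding window
            if len(window) == GET_BURST:
                findings.append((who, "T1530 bulk object read",
                                 f"{req.get('bucketName')}: {GET_BURST} objects in {GET_WINDOW_S}s"))
    return findings


if __name__ == "__main__":
    for who, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {who:48} {detail}")
```

Two things a practitioner should take from this: the bucket-policy and security-group rules are management-plane events that every trail records by default, whereas the GetObject burst depends on S3 data events being switched on for the bucket, and with a real threshold the burst rule needs tuning per bucket so backup jobs such as the made-up role/backup-job above stay quiet.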


Phishing Gets Smarter — and Harder to Spot


Phishing, the zombie of cyber threats, still refuses to die — but it’s evolving. Red Canary’s analysis of tens of thousands of reported phishing emails revealed that only 16% were actually malicious. That statistic may sound reassuring until you realize the other 84% are still wasting analyst cycles and dulling user vigilance through alert fatigue.


Attackers are now bypassing filters with surprisingly creative tactics, from routing links through Google Translate to disguise their destination, to presenting innocuous-looking CAPTCHA pages that lead to a malicious payload. That's exactly what the Scarlet Goldfinch group is now doing. Long known for fake browser update lures, the crew has swapped in fake CAPTCHA prompts that coax users into executing remote monitoring and management (RMM) tools, which, because RMM software is trusted by default, run under the radar.


When RMM Becomes the Enemy Within


The report notes a growing concern around legitimate tools being turned into threat vectors. VPNs and RMM software, in particular, are becoming the attacker’s dream — trusted by default, rarely scrutinized, and deeply embedded in enterprise infrastructure.


Red Canary warns that it’s not just about preventing access anymore — it’s about behavioral analytics, context-aware policies, and human-in-the-loop investigations that can differentiate admin activity from adversarial mimicry.


How to Fight Back: Red Canary’s Defensive Playbook


In the face of an increasingly asymmetric threat landscape, Red Canary recommends a four-pillar defense strategy:


  • Identity Hardening: Enforce multi-factor authentication and conditional access policies. If your identity stack is porous, the rest of your defenses are irrelevant.


  • Cloud Hygiene: Continuously audit cloud configurations. S3 buckets and firewall rules shouldn’t be set-and-forget.


  • User Education: Train users not just to spot phishing, but to report suspicious behavior, creating a closed-loop detection and response model.


  • RMM and VPN Watchdogs: Don’t trust — verify. Monitor these tools with the same scrutiny you’d apply to known malware.
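To make the last pillar concrete, and to cover the fake-CAPTCHA-to-RMM chain described earlier in the article, here is an added example (not Red Canary's code) of a watchdog over constructed endpoint process-creation events. It flags RMM executables outside an assumed approved inventory, and approved ones launched by a shell, script host or browser or from a user-writable directory, which is the shape a paste-and-run lure produces. The executable names, the approved product list and the parent-process set are assumptions for the example.

```python
"""RMM watchdog over constructed endpoint process-creation events.

Added example, not Red Canary's code. It raises two signals from the report:
an RMM product the organization never sanctioned, and a sanctioned product
started the way a paste-and-run (fake CAPTCHA) lure starts it, by a shell,
script host or browser, or out of a user-writable directory. The executable
names, approved product list and parent-process set are all assumptions.
"""

# Assumed executable -> product map; extend it from your own software inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
}
APPROVED_PRODUCTS = {"ScreenConnect"}  # assumed: the one tool IT actually deploys
# Parents that indicate a user pasted a command or ran a download, rather than
# a managed deployment (services.exe, or msiexec.exe from a software push).
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed process events (host, user, image path, parent image path).
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": "CORP\\jsmith",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "WS-0412", "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\AnyDesk.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS-0917", "user": "CORP\\lchen",
     "image": "C:\\Users\\lchen\\Downloads\\ScreenConnect.ClientSetup.exe",
     "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"host": "WS-0917", "user": "CORP\\lchen",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Reasons to review this process start; an empty list means no RMM concern."""
    product = RMM_BINARIES.get(basename(event["image"]))
    if product is None:
        return []
    reasons = []
    if product not in APPROVED_PRODUCTS:
        reasons.append(f"unapproved RMM product {product}")
    parent = basename(event["parent"])
    if parent in LURE_PARENTS:
        reasons.append(f"launched by {parent}, consistent with a paste-and-run lure")
    if any(seg in event["image"].lower() for seg in USER_WRITABLE):
        reasons.append("running from a user-writable path, not a managed install")
    return reasons


def watchdog(events):
    """One (host, user, executable, reason) row per reason across all events."""
    return [(e["host"], e["user"], basename(e["image"]), reason)
            for e in events for reason in classify(e)]


if __name__ == "__main__":
    for host, user, exe, reason in watchdog(SAMPLE_EVENTS):
        print(f"{host} {user:14} {exe:32} {reason}")
```

The sanctioned ScreenConnect service started by services.exe stays quiet, while the same vendor's installer run from Downloads by a browser is reported, as is an AnyDesk binary that no deployment ever placed under Temp. Matching on file name is deliberately the weakest part: attackers rename binaries, so a production version would key on signer and file hash from the EDR event as well.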


Beyond the Perimeter, Into the Platform


The report’s most striking insight may be its meta-message: perimeter-based security models — even modern ones wrapped in shiny zero-trust labels — are inadequate without real visibility into identity and cloud behavior. And that visibility must extend beyond logs and alerts into human-led analysis.


Red Canary’s methodology stands out precisely because it blends high-fidelity telemetry with human validation. “Detection without confirmation is just noise,” as one Red Canary analyst put it. And in today’s cloud-first, identity-fractured world, there’s a lot of noise.


Bottom Line: The adversaries are evolving. The infrastructure is shifting. The question is — are your detection strategies evolving fast enough to keep up?
