Four recent security reports from Microsoft, Lumen, Sophos, and Palo Alto Networks Unit 42 cover different parts of the threat landscape.
One focuses on Medusa ransomware operations. Another looks at DNS hijacking through compromised routers. A third examines phishing campaigns that install legitimate remote access tools. The fourth explains how Kubernetes compromises turn into broader cloud incidents.
They are different incidents, but the security pattern is consistent.
Attackers are using exposed systems, weak administrative boundaries, trusted software, and overprivileged identities to move from initial access to business impact quickly.
The Four Reports in Brief
Microsoft described Storm-1175 as a threat actor involved in high-tempo Medusa ransomware operations. According to Microsoft, the group targets vulnerable web-facing systems, establishes persistence, steals credentials, moves laterally, exfiltrates data, and then deploys ransomware. In some cases, Microsoft observed ransomware deployment within 24 hours of initial access.
Lumen described FrostArmada, a Forest Blizzard campaign that hijacks DNS settings on compromised routers, especially MikroTik and TP-Link devices, to redirect selected authentication traffic into attacker-controlled infrastructure. The purpose is credential and token theft through attacker-in-the-middle collection.
Sophos documented STAC6405, a phishing campaign that used invitation-themed emails to trick users into installing legitimate remote monitoring and management tools, mainly LogMeIn Resolve, giving the attacker unattended remote access.
Unit 42 examined modern Kubernetes threats and found a strong increase in Kubernetes-related malicious activity, especially theft and abuse of service account tokens that let attackers move from a compromised workload into the wider cloud environment.
What These Cases Have in Common
The main lesson is not that every attacker uses the same malware or the same exploit.
The lesson is that many successful intrusions now follow the same sequence:
- Gain access through an exposed or weakly protected entry point
- Establish persistence using normal administrative mechanisms or trusted software
- Steal credentials, tokens, or privileged access
- Move toward systems that hold sensitive data or operational control
- Cause impact through ransomware, espionage, or long-term access
That sequence appears in all four reports.
1. Exposed Systems Are Still the Starting Point
In the Microsoft case, the initial access point was often a vulnerable internet-facing asset. Microsoft says Storm-1175 has exploited more than 16 vulnerabilities since 2023 across products such as Exchange, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
In the Lumen case, the exposed systems were not application servers but edge network devices. Compromised routers became the control point for DNS manipulation. That made it possible to silently redirect authentication traffic while leaving most normal user traffic untouched.
In the Unit 42 case, the exposed point was often a public-facing application running in Kubernetes. Once attackers got code execution inside a container, they could begin collecting tokens and testing permissions.
The common issue is straightforward: public exposure creates opportunity, and the time between disclosure and exploitation is shrinking.
2. Trusted Tools and Normal Features Are Being Used for Malicious Access
The Sophos case is the clearest example of this. The attacker did not need custom malware at the start. They convinced users to install legitimate remote access software that registered the device to an attacker-controlled account.
Microsoft saw a similar operational pattern after initial exploitation. Storm-1175 used remote management tools, PsExec, Cloudflare tunnels, and PDQ Deployer as part of its activity. These are not unusual tools in enterprise environments, which makes detection harder if control over approved use is weak.
This matters because security teams often focus on malware detection while giving less attention to the misuse of legitimate administration tools.
3. Identity Is the Real Objective
The Lumen report is directly about credential and token theft. By changing DNS responses for selected authentication services, the attackers inserted themselves between the user and the real destination. That gave them access to credentials and OAuth tokens, in some cases even after MFA, when the victim clicked through certificate warnings.
The Unit 42 report makes the same point from a cloud perspective. Once code execution exists inside a Kubernetes pod, attackers often target the mounted service account token, then use Kubernetes API access and RBAC permissions to enumerate secrets, interact with other namespaces, and pivot into cloud resources. Unit 42 reported signs of potential service account token theft in 22% of cloud environments in 2025.
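The two conditions Unit 42 describes, a token mounted into a pod that does not need one and RBAC that lets that token read Secrets or use wildcards, can be audited from manifests before an attacker tests them. The script below is an added example, not Unit 42's code or a Kubernetes project tool; the pods, roles and bindings are constructed sample data in the dict shape that `kubectl get ... -o json` returns, and the set of resources treated as sensitive is an assumption you would tune to your cluster.

```python
"""Flag Kubernetes workloads and RBAC bindings that make service account token theft
worthwhile. Added illustration; manifests below are constructed sample data."""

# Assumption: resources whose exposure turns a stolen token into a pivot.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token", "pods/exec", "*"}

# Constructed pods: web-frontend leaves automountServiceAccountToken at its default
# (true); batch-job explicitly opts out.
PODS = [
    {"metadata": {"name": "web-frontend", "namespace": "shop"},
     "spec": {"serviceAccountName": "web-sa"}},
    {"metadata": {"name": "batch-job", "namespace": "shop"},
     "spec": {"serviceAccountName": "batch-sa", "automountServiceAccountToken": False}},
]

# Constructed roles: one reads Secrets, one is a wildcard ClusterRole, one only reads
# ConfigMaps and should not be flagged.
ROLES = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "all-access"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]

# Constructed bindings tying the roles above to the pods' service accounts.
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-sa", "namespace": "shop"}]},
    {"kind": "ClusterRoleBinding", "metadata": {},
     "roleRef": {"kind": "ClusterRole", "name": "all-access"},
     "subjects": [{"kind": "ServiceAccount", "name": "batch-sa", "namespace": "shop"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-sa", "namespace": "shop"}]},
]


def index_roles(roles):
    """Key roles by (kind, namespace or None, name) so bindings can be resolved."""
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
            for r in roles}


def sensitive_rules(rules):
    """Describe each rule that grants wildcard verbs or reaches token/secret material."""
    hits = []
    for rule in rules:
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or resources & SENSITIVE_RESOURCES:
            hits.append(f"{','.join(sorted(resources))}:{','.join(sorted(verbs))}")
    return hits


def audit(pods, roles, bindings):
    """Return findings as tuples; each is a place where a stolen token buys too much."""
    findings = []
    for pod in pods:
        # A pod that never talks to the API should not have a token on disk to steal.
        if pod["spec"].get("automountServiceAccountToken", True):
            findings.append(("token-mounted",
                             f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"))
    roles_by_key = index_roles(roles)
    for binding in bindings:
        ref = binding["roleRef"]
        # A roleRef of kind Role lives in the binding's own namespace; ClusterRoles
        # are not namespaced, whichever binding kind references them.
        namespace = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles_by_key.get((ref["kind"], namespace, ref["name"]))
        if role is None:
            continue
        for description in sensitive_rules(role.get("rules", [])):
            for subject in binding.get("subjects", []):
                if subject.get("kind") == "ServiceAccount":
                    findings.append(("rbac", f"{subject['namespace']}/{subject['name']}",
                                     f"{ref['kind']}/{ref['name']}", description))
    return findings


if __name__ == "__main__":
    for finding in audit(PODS, ROLES, BINDINGS):
        print(finding)
```

On the sample data this reports three findings: the web-frontend pod still has a token mounted, its service account can read Secrets, and the batch service account is bound to a wildcard ClusterRole. The pod-level check is deliberately narrow; in a real cluster also read the `automountServiceAccountToken` field on the ServiceAccount object itself, since a pod inherits that setting when it does not override it.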
Microsoft also observed Storm-1175 dumping credentials from LSASS, enabling WDigest credential caching, accessing NTDS.dit and SAM, and collecting credentials from Veeam.
Different environments, same logic: once attackers obtain trusted identity, the rest of the environment becomes easier to navigate.
4. Speed Is a Defining Feature
Microsoft’s report is explicit about pace. In some intrusions, Storm-1175 moved from initial compromise to ransomware deployment in 24 hours, although many operations lasted five to six days.
Unit 42 also highlighted fast exploitation. In the case of React2Shell (CVE-2025-55182), disclosed on December 3, 2025, Unit 42 said it observed attacks using the issue by December 5 to 7, 2025.
The practical point is simple. Security teams cannot assume they have long investigation windows after a vulnerability is disclosed or an initial foothold is established.
5. The Final Impact Depends on the Actor’s Goal
These reports do not describe one threat category. They describe different end goals.
In Microsoft’s case, the goal was double extortion ransomware using data theft and encryption.
In Lumen’s case, the goal was credential and token collection for intelligence access.
In Sophos’ case, the campaign appears focused on establishing remote footholds, with Sophos noting that the actor may be refining tradecraft or operating as access-as-a-service.
In Unit 42’s cases, the goal was cloud access and downstream compromise, including access to sensitive infrastructure.
The initial access methods may differ, but the operational model is increasingly efficient and direct.
What Security Teams Should Take From This
These reports point to a few priorities that are more important than product-specific headlines.
Reduce exposure of internet-facing systems
External assets remain a common entry point. That includes application servers, remote management tools, network appliances, and cloud workloads. Asset inventory, patching discipline, and exposure reduction still matter, and will keep mattering, because attackers keep proving they work.
Treat remote administration tools as security-sensitive
Approved software can still be part of an intrusion. New RMM installations, unattended access registration, unexpected tunnel creation, and unusual deployment activity should be investigated quickly.
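The investigations this paragraph calls for, and the tool misuse described in sections 2 and 3 (RMM installs, tunnels, PsExec, WDigest caching), come down to a few checks over process-creation telemetry. The script below is an added example, not detection content from Microsoft or Sophos; the events are constructed in the reduced shape a SIEM yields after parsing Sysmon Event ID 1 or Windows 4688 records, and the matching patterns are illustrative assumptions to be adapted to the tooling your environment actually approves.

```python
"""Flag legitimate-tool misuse in process-creation telemetry. Added example;
events and rule patterns are constructed assumptions, not a vendor's rules."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user image cmdline")

# Constructed sample events (hostnames, users, paths and token are all invented).
EVENTS = [
    Event("10:01", "WS-042", "alice", r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "C:\Users\alice\Downloads\RemoteSupport-Setup.msi" /qn'),
    Event("10:03", "WS-042", "alice", r"C:\Users\alice\AppData\Local\Temp\cloudflared.exe",
          "cloudflared.exe tunnel run --token <constructed-token>"),
    Event("10:10", "SRV-APP2", "svc_deploy", r"C:\Tools\PsExec.exe",
          r"PsExec.exe \\SRV-FILE1 -s -d cmd.exe /c whoami"),
    Event("10:12", "SRV-DC1", "admin7", r"C:\Windows\System32\reg.exe",
          r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
          r"/v UseLogonCredential /t REG_DWORD /d 1 /f"),
    Event("10:15", "WS-017", "bob", r"C:\Program Files\Approved RMM\agent.exe",
          "agent.exe --service"),
    Event("10:20", "WS-042", "alice", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Directories a user can write to without admin rights; packaged software should
# not be installed from here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\", re.I)


def installer_from_user_dir(e):
    # Silent MSI install launched from Downloads/AppData/Temp: how a phishing-delivered
    # remote access agent typically arrives, versus a deployment share for approved software.
    return (e.image.lower().endswith("msiexec.exe") and " /i " in e.cmdline.lower()
            and USER_WRITABLE.search(e.cmdline) is not None)


def tunnel_created(e):
    # A reverse-tunnel client started with the 'tunnel' subcommand is an egress path
    # that needs an owner; here the binary also runs from Temp.
    return "cloudflared" in e.image.lower() and " tunnel " in e.cmdline.lower()


def psexec_as_system(e):
    # Remote execution as SYSTEM on another host: a \\target plus the -s switch.
    return ("psexec" in e.image.lower()
            and re.search(r"\\\\\S+", e.cmdline) is not None
            and re.search(r"\s-s\b", e.cmdline, re.I) is not None)


def wdigest_enabled(e):
    # Setting UseLogonCredential to 1 makes the OS keep plaintext credentials in
    # LSASS memory, which is what makes a later LSASS dump pay off.
    cmd = e.cmdline.lower()
    return (e.image.lower().endswith("reg.exe") and "wdigest" in cmd
            and "uselogoncredential" in cmd and re.search(r"/d\s+1\b", cmd) is not None)


RULES = {
    "rmm-install-from-user-dir": installer_from_user_dir,
    "tunnel-created": tunnel_created,
    "psexec-as-system": psexec_as_system,
    "wdigest-plaintext-enabled": wdigest_enabled,
}


def detect(events):
    """Return (rule, host, user) for every event that matches a rule."""
    return [(name, e.host, e.user)
            for e in events for name, check in RULES.items() if check(e)]


def prioritize(hits):
    """Hosts with two or more distinct rules firing are 'high': the reports describe
    several ordinary tools chained on one machine, so correlation beats single alerts."""
    rules_per_host = {}
    for rule, host, _ in hits:
        rules_per_host.setdefault(host, set()).add(rule)
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_per_host.items()}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for hit in hits:
        print(hit)
    print(prioritize(hits))
```

Against the sample, the approved agent on WS-017 and notepad produce nothing, while WS-042 accumulates an installer-from-Downloads and a tunnel within minutes and is ranked high; the single PsExec and WDigest events on the servers are ranked medium on their own. The correlation step is the part worth keeping: each rule alone will have benign hits in an environment where these tools are in approved use, which is exactly the detection gap section 2 points at.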
Focus on identity controls, not just malware controls
Credentials, OAuth tokens, service account tokens, and privileged accounts remain central to modern intrusion paths. Least privilege, MFA hardening, token hygiene, and careful control of service account permissions are not secondary tasks. They are core defenses.
Monitor the edge and the control plane
Routers, DNS settings, Kubernetes APIs, and cloud identities are all high-value control points. They are not peripheral systems. They determine how traffic is routed, what workloads can access, and how attackers move after initial compromise.
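For the edge, the Lumen case gives a concrete thing to monitor: whether each router's configured resolvers are the ones you assigned, and whether the authentication hostnames resolve through that router to the same addresses a trusted resolver returns. The check below is an added example, not Lumen's tooling; the router names, resolver list and answer data are constructed, all addresses are RFC 5737 documentation ranges, and the watched hostnames are placeholders for your own identity provider's names.

```python
"""Check branch routers for resolver tampering and for authentication hostnames
resolving to unexpected addresses. Added example; all data below is constructed."""

# Assumption: the only resolvers routers are supposed to be configured with.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumption: hostnames whose traffic an attacker would want to redirect.
WATCHED_HOSTS = ("login.example.com", "sso.example.com")

# Constructed router DNS settings as a config-collection job would export them.
ROUTER_DNS = {
    "branch-rtr-01": ["10.0.0.53", "10.0.1.53"],
    "branch-rtr-07": ["10.0.0.53", "198.51.100.23"],   # second resolver is not ours
}

# Constructed A-record answers obtained by querying through each router's resolver...
OBSERVED = {
    "branch-rtr-01": {"login.example.com": {"203.0.113.10"},
                      "sso.example.com": {"203.0.113.11"}},
    "branch-rtr-07": {"login.example.com": {"198.51.100.77"},
                      "sso.example.com": {"203.0.113.11"}},
}
# ...and from a trusted reference resolver queried from the SOC network.
REFERENCE = {"login.example.com": {"203.0.113.10", "203.0.113.12"},
             "sso.example.com": {"203.0.113.11"}}


def rogue_resolvers(router_dns, approved):
    """Every (router, resolver) pair where the resolver is not on the approved list."""
    return [(router, ip) for router, servers in router_dns.items()
            for ip in servers if ip not in approved]


def answer_drift(observed, reference, hosts):
    """Flag a watched host on a router only when its answers share nothing with the
    reference set: busy services legitimately hand out different subsets of one
    address pool, so a single shared address is treated as agreement."""
    drift = []
    for router, answers in observed.items():
        for host in hosts:
            seen = answers.get(host, set())
            expected = reference.get(host, set())
            if seen and not (seen & expected):
                drift.append((router, host, sorted(seen), sorted(expected)))
    return drift


def report(router_dns=ROUTER_DNS, observed=OBSERVED, reference=REFERENCE,
           approved=APPROVED_RESOLVERS, hosts=WATCHED_HOSTS):
    """Combine both checks into one structure a ticketing integration can consume."""
    return {"rogue_resolvers": rogue_resolvers(router_dns, approved),
            "answer_drift": answer_drift(observed, reference, hosts)}


if __name__ == "__main__":
    for key, findings in report().items():
        print(key, findings or "none")
```

On the sample, branch-rtr-07 is flagged twice: it carries a resolver that was never assigned, and login.example.com resolves through it to an address the reference resolver has never returned, while sso.example.com still agrees. That second finding is the important one, because the Lumen report describes redirection of selected authentication traffic only; a check that samples random hostnames, or that only compares resolver lists, can pass while the login hostname is already being answered by the attacker.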
Plan for fast containment
The pace described in these reports means delayed response has real cost. Investigations need to assume that privilege escalation, credential theft, or lateral movement may already be underway.
These four reports are about ransomware, espionage, phishing, and cloud compromise.
But the operational lesson is the same in each case.
Modern intrusions are often built from ordinary weaknesses: exposed services, permissive identities, trusted tools, and administrative blind spots. Attackers do not need novelty if those conditions already exist.
That is what makes these reports useful. They are not just about four specific incidents. They show, with different technical details, how current intrusions actually happen.
References
- Microsoft: Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
- Lumen: FrostArmada: Forest Blizzard DNS hijacking
- Sophos: Incident responders, s’il vous plaît
- Unit 42: Modern Kubernetes threats
