Google: Cloud attacks exploit flaws more than weak credentials
Source: Bleeping Computer
Cloud Threat Landscape – 2025 – 2026

Hackers are increasingly exploiting newly disclosed vulnerabilities in third‑party software to gain initial access to cloud environments, with the window for attacks shrinking from weeks to just days.
At the same time, the use of weak credentials or misconfigurations has dropped significantly in the second half of 2025, Google notes in a report highlighting trends on threats to cloud users.
According to the report, incident responders determined that bug exploits were the primary access vector in 44.5 % of the investigated intrusions, while credentials were responsible for 27 % of the breaches.
[Chart: Initial access method (Source: Google)]
The most frequent vulnerability type exploited in attacks is remote code execution (RCE). The highlights are:
- React2Shell – CVE‑2025‑55182 – Critical flaw in React/Next.js that lets hackers run JavaScript code
- XWiki – CVE‑2025‑24893 – leveraged in the RondoDox botnet attacks
Google believes this shift in focus is likely due to increased security measures for accounts and credentials.
“We assess that this change in behavior from threat actors is potentially due to Google’s secure‑by‑default strategy and enhanced credential protections successfully closing traditional, more easily exploitable paths, raising the barrier to entry for threat actors.” – Google
The exploitation window has collapsed from weeks to a few days; Google observed cryptominers deployed within 48 hours of vulnerability disclosure, indicating that hackers are highly ready to weaponize new flaws and incorporate them into their attack flows.
Both state‑sponsored actors and financially‑motivated hackers mostly leveraged compromised identities—via phishing and vishing impersonating IT help‑desk staff—to obtain access to a target organization’s cloud platform.
In most of the investigated attacks, the actor’s objective was silent exfiltration of high volumes of data without immediate extortion and with long‑term persistence.
[Chart: Apparent cloud attack objectives (Source: Google)]
Google highlights espionage campaigns from actors linked to Iran and China, who maintained access to victim environments for well over a year and a half.
- Iran‑linked UNC1549 – For more than two years the group accessed a target environment using stolen VPN credentials and the MiniBike malware, stealing ≈ 1 TB of proprietary data. (Analysis)
- China‑sponsored UNC5221 – Used the BrickStorm malware to retain access to VMware vCenter servers for at least 18 months, exfiltrating source code.
North Korean hackers stealing millions
Google attributes 3 % of the intrusions analyzed in H2 2025 to North Korean IT workers (UNC5267) who used fraudulent identities to obtain jobs and generate revenue for the government.
Another North Korean actor, UNC4899, specifically targeted cloud environments to steal digital assets. In one case the group:
- Tricked a developer into downloading a malicious archive under the guise of an open‑source project collaboration.
- The developer then used AirDrop to transfer the file from a personal computer to a corporate workstation and opened it in an AI‑assisted IDE.
- Inside the archive was malicious Python code that deployed a binary masquerading as a Kubernetes CLI tool.
“The binary beaconed out to UNC4899‑controlled domains and served as the backdoor that gave the threat actors access to the victim’s workstation, effectively granting them a foothold into the corporate network.” – Google
Subsequent stages:
- Pivot to the cloud – reconnaissance of specific pods in the Kubernetes cluster, establishment of persistence, and acquisition of a token for a high‑privileged CI/CD service account.
- Lateral movement – accessed a pod responsible for enforcing network policies, broke out of the container, and planted a backdoor.
- Data theft – compromised a system storing customer information (identities, account security, cryptocurrency‑wallet data) and insecure database credentials, enabling the theft of several million dollars in cryptocurrency.
OpenID Connect (OIDC) abuse
In an attack leveraging a compromised npm package named QuietVault, the attacker:
- Stole a developer’s GitHub token and used it to create a new admin account in the cloud environment by abusing the GitHub‑to‑AWS OIDC trust.
- Within three days, QuietVault obtained the developer’s GitHub and npm API keys via AI‑generated prompts and local AI CLI tools.
- Abused the CI/CD pipeline to harvest the organization’s AWS API keys, stole data from S3, and then destroyed it in production and cloud environments.
The incident was part of the “s1ngularity” supply‑chain attack.
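The GitHub‑to‑AWS OIDC trust abused in this incident is only as tight as the conditions on the IAM role’s trust policy: a policy that trusts the GitHub OIDC provider without pinning the token’s `sub` claim to one repository and branch (or environment) lets a workflow in any repository the token holder controls assume the role. The following added example (written for this summary; it is not code from Google’s report, the article, or the affected project) audits a role trust policy for that weakness. The account ID 123456789012 and the `example-org/example-repo` names are placeholders, and the three sample policies are constructed for the demonstration.

```python
"""Audit AWS IAM role trust policies for over-permissive GitHub OIDC federation."""
import json
from typing import Optional

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"


def _as_list(value) -> list:
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition: dict, key: str) -> list:
    """Collect every value bound to `key` under any String* operator (StringEquals, StringLike, ...)."""
    values = []
    for operator, bindings in condition.items():
        if not operator.startswith("String"):
            continue
        for cond_key, cond_values in bindings.items():
            if cond_key.lower() == key.lower():
                values.extend(_as_list(cond_values))
    return values


def _classify_sub(pattern: str) -> Optional[str]:
    """Return a finding for an over-broad `sub` pattern, or None if it pins one repo ref/environment.

    GitHub issues subs shaped like repo:OWNER/REPO:ref:refs/heads/BRANCH or
    repo:OWNER/REPO:environment:NAME; anything wider than that is flagged.
    """
    parts = pattern.split(":")
    if pattern == "*" or parts[0] != "repo" or len(parts) < 2 or parts[1] in ("*", ""):
        return f"sub '{pattern}' matches any GitHub repository"
    owner_repo = parts[1]
    if "/" not in owner_repo or "*" in owner_repo:
        return f"sub '{pattern}' matches every repository of the owner"
    if len(parts) < 3 or parts[2] == "*" or (len(parts) > 3 and "*" in parts[3]):
        return f"sub '{pattern}' does not pin a single branch, tag or environment of {owner_repo}"
    return None


def audit_trust_policy(policy: dict) -> list:
    """Return human-readable findings for every GitHub OIDC statement that is too permissive."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = principal if isinstance(principal, str) else " ".join(_as_list(principal.get("Federated")))
        if GITHUB_OIDC_ISSUER not in federated:
            continue  # not GitHub federation; other providers are out of scope here
        condition = stmt.get("Condition", {})
        if _condition_values(condition, AUD_KEY) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _condition_values(condition, SUB_KEY)
        if not subs:
            findings.append("no sub condition: a workflow in any GitHub repository can assume this role")
        for pattern in subs:
            finding = _classify_sub(pattern)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample policies (placeholder account ID and repository names).
_PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"


def _policy(condition: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


SAMPLE_POLICIES = {
    # Weak: audience pinned, but any GitHub repository's workflow can assume the role.
    "missing-sub": _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}),
    # Still weak: every repository in the organisation is trusted.
    "org-wildcard": _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                             "StringLike": {SUB_KEY: "repo:example-org/*"}}),
    # Hardened: one repository, one branch.
    "pinned": _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                        SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}}),
}


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, json.dumps(audit_trust_policy(policy), indent=2))
```

To run this against real roles, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each role; a clean result means the role can only be assumed by the named repository and ref, so a stolen GitHub token for some other repository cannot be turned into an AWS session through it.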
All data and quotations are taken from Google’s Cloud Threat Horizons report (H2 2025) and publicly available sources.
S1ngularity Attack – Compromised npm Packages (August 2025)
In August 2025, an attacker published compromised npm packages for the Nx open‑source build system and monorepo management tool.
During the attack, sensitive information—including GitHub tokens, SSH keys, configuration files, and npm tokens—was exposed from 2,180 accounts and 7,200 repositories. The leaked data appeared in public GitHub repositories that contained the name “s1ngularity.”
Source: Security article on the attack
Malicious Insiders and Cloud Services
Although email and portable storage devices have traditionally been the primary vectors for data exfiltration, researchers observed a growing shift toward cloud platforms:
- Amazon Web Services (AWS)
- Google Cloud
- Microsoft Azure
- Google Drive
- Apple iCloud
- Dropbox
- Microsoft OneDrive
The conclusion is based on an analysis of 1,002 insider data‑theft incidents (SSRN paper):
| Status of Insider | Number of Incidents |
|---|---|
| Still employed | 771 |
| After termination | 255 |
Google warns that this trend is significant enough for organizations to implement robust data‑protection mechanisms against both internal and external threats. An employee, contractor, or consultant may violate trust and steal corporate data.
Key observations from Google’s research:
- Cloud services are poised to replace email as the preferred exfiltration method.
- Attackers increasingly delete backups, remove log files, and wipe forensic artifacts to hinder evidence recovery.
- Cloud‑attack speeds now outpace manual response; payloads can be deployed within one hour of a new instance’s creation.
- Consequently, automated incident‑response solutions are becoming urgent.
Outlook for 2025
Google predicts that threat activity will rise this year, driven by:
- Ongoing geopolitical conflicts
- The FIFA World Cup
- U.S. midterm elections
These events act as magnets for malicious operations, underscoring the need for proactive cloud‑security strategies.