Cloud Attacks Exploit System Flaws over Weak Credentials
Recent trends indicate that attackers are becoming increasingly adept at exploiting vulnerabilities in cloud environments. A report from Google highlights how sharply the time from disclosure to attack has shrunk: exploitation now occurs within days rather than weeks.
Exploitation of Vulnerabilities and Weak Credentials
The Google report finds that 44.5% of the cybersecurity incidents it analyzed involved exploitation of software bugs, primarily remote code execution (RCE) vulnerabilities. This shift in attack strategy coincides with improved security measures that have reduced the share of breaches attributable to weak passwords and misconfigurations.
- Primary Access Vector: 44.5% via bug exploits.
- Credential Breaches: 27% of incidents involved compromised credentials.
The most frequently targeted vulnerabilities included React2Shell (CVE-2025-55182) and the XWiki flaw (CVE-2025-24893), both often exploited in coordinated botnet campaigns.
Rapid Exploitation Timeline
Google emphasizes that the window between vulnerability disclosure and active exploitation has shrunk significantly. Cybercriminals have deployed cryptominers as little as 48 hours after disclosure, indicating a marked readiness to weaponize new flaws.
Attack Patterns and Objectives
Many state-sponsored and financially motivated actors now employ stolen identities obtained through social engineering tactics like phishing. The goal often involves covert data exfiltration rather than immediate extortion.
- Actors of Concern:
  - Iran-linked group UNC1549 maintained a foothold in a target environment for over 18 months, resulting in significant data theft.
  - Another group, UNC5221, maintained long-term access to VMware systems, focusing on source code theft.
North Korean Threat Actors
A small percentage, around 3%, of the analyzed breaches involved North Korean actors such as UNC5267 and UNC4899. These groups employed fraudulent identities for access, leading to the theft of substantial digital assets, including millions in cryptocurrency.
Compromised Software Supply Chains
Notably, an attack involving a compromised npm package named QuietVault demonstrated how attackers can create admin accounts in cloud environments. Within three days, they stole sensitive information, affecting thousands of accounts and repositories.
Insider Threats and Cloud Services
Analysis of insider threats reveals a concerning trend. More incidents of data theft are now linked to the misuse of cloud services such as AWS, Google Cloud, and OneDrive. In many cases, insiders committed theft while still employed or shortly after their departure.
Mitigation Strategies
Google advises organizations to implement robust data protection mechanisms. The rising speed and sophistication of attacks underscore the need for automated incident response, as manual processes are proving too slow to keep pace with rapidly evolving threats.
Looking Forward
Google anticipates an increase in cyber threats due to ongoing geopolitical tensions and upcoming major events, like the FIFA World Cup and U.S. elections. The landscape of cloud security is evolving quickly, necessitating proactive measures from organizations to safeguard their digital assets.