Cloud Attacks Accelerate: Hackers Exploit Software Flaws Within Days as Credential Abuse Declines

Introduction

Cloud environments have become the backbone of modern digital infrastructure, powering everything from enterprise platforms to global development pipelines. But as organizations migrate workloads to the cloud, attackers are evolving just as quickly. A new security report from Google reveals a dramatic shift in how hackers break into cloud systems. Instead of relying heavily on stolen passwords or weak configurations, threat actors are increasingly exploiting newly disclosed software vulnerabilities.

What makes this trend particularly alarming is the speed. In the past, organizations often had weeks to patch newly discovered flaws before attackers weaponized them. Today, that window has shrunk to just a few days, and in some cases, even hours. The result is a far more aggressive threat landscape where organizations must react faster than ever before to prevent breaches, espionage, and large-scale data theft.

Vulnerability Exploits Become the Primary Entry Point

Recent incident response investigations show that vulnerability exploitation has overtaken traditional credential abuse as the most common entry point into cloud environments. According to the report, security teams determined that software bugs were responsible for approximately 44.5% of the investigated intrusions, making them the most frequent attack vector.

By comparison, compromised credentials accounted for 27% of breaches, showing a noticeable decline from previous years. This suggests that stronger account protections and multi-factor authentication measures are forcing attackers to change their tactics.

The vulnerabilities most commonly exploited were remote code execution (RCE) flaws, which allow attackers to run malicious code on targeted systems. Two vulnerabilities stood out in recent campaigns: the React2Shell flaw (CVE-2025-55182) and the XWiki vulnerability (CVE-2025-24893). These weaknesses were actively leveraged in botnet operations such as the RondoDox campaign, where attackers used compromised infrastructure to deploy malicious payloads at scale.

Security Improvements Are Changing Attacker Behavior

Google researchers believe the decline in credential-based attacks reflects improved security practices across cloud platforms. Stronger default configurations, identity protections, and built-in security controls have made it harder for attackers to exploit weak passwords or poorly configured accounts.

As a result, threat actors are shifting their focus toward software vulnerabilities, which often provide immediate system access without requiring authentication. Exploiting a vulnerability can give attackers the same level of access as legitimate users but without triggering traditional credential-based defenses.

This change highlights the success of “secure-by-default” strategies, but it also emphasizes the importance of rapid patch management and vulnerability monitoring.

The Exploitation Window Has Shrunk Dramatically

One of the most striking findings from the report is how quickly attackers now weaponize newly disclosed vulnerabilities. In previous years, organizations typically had weeks to deploy security patches before attacks became widespread.

Today, that timeline has collapsed.

Researchers observed cases where cryptomining malware was deployed within 48 hours of a vulnerability disclosure. This indicates that threat actors are closely monitoring security advisories and rapidly integrating newly discovered flaws into automated attack frameworks.

In some scenarios, malicious payloads were deployed within an hour of a new cloud instance being created, demonstrating just how fast modern attacks can unfold.

State-Sponsored Espionage Campaigns Continue to Grow

The report also highlights several long-term espionage campaigns conducted by nation-state actors. Groups linked to Iran and China have maintained persistent access to targeted organizations for extended periods, sometimes lasting more than 18 months.

One campaign attributed to the Iran-linked threat group UNC1549 maintained access to a victim environment for over two years. The attackers used stolen VPN credentials combined with the MiniBike malware to maintain stealthy persistence. During that time, they exfiltrated nearly one terabyte of proprietary data, including sensitive corporate information.

In another example, the China-associated group UNC5221 targeted VMware vCenter servers using a malware tool known as BrickStorm. The attackers maintained access for at least 18 months, using the compromised infrastructure to steal source code and conduct long-term surveillance.

These operations demonstrate the patience and persistence typical of state-sponsored cyber espionage.

North Korean Threat Actors Target Cryptocurrency

Cybercrime operations linked to North Korea continue to focus heavily on financial gain, particularly through cryptocurrency theft.

Researchers attributed 3% of the analyzed intrusions to fraudulent IT workers connected to North Korea. These individuals, tracked as UNC5267, used fake identities to secure remote employment and secretly funnel earnings to the government.

Another group, UNC4899, conducted targeted attacks against cloud environments with the goal of stealing digital assets. In one case, the attackers tricked a developer into downloading a malicious archive disguised as part of an open-source collaboration project.

Once opened, the archive executed malicious Python code that installed a binary disguised as a Kubernetes command-line tool. The program secretly connected to attacker-controlled servers, creating a backdoor that gave the attackers access to the developer’s workstation.

From there, the attackers moved laterally through the cloud infrastructure, explored Kubernetes clusters, and ultimately obtained a privileged CI/CD service account token. This allowed them to access sensitive systems containing customer data, cryptocurrency wallet information, and authentication details.

The breach ultimately resulted in the theft of millions of dollars in cryptocurrency.

Supply Chain Attacks Through Compromised Packages

Another major incident involved the compromise of an npm package called QuietVault, which attackers used as part of a supply chain attack.

After gaining access to a developer’s credentials, the attackers abused the trust relationship between GitHub and AWS using OpenID Connect (OIDC). This allowed them to create a new administrator account within the cloud environment.
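The OIDC trust relationship referred to above is usually an AWS IAM role whose trust policy accepts GitHub Actions tokens; when the policy pins only the audience and not the `sub` claim, a workflow in any repository can assume the role. The following is an added example, not code from the report or the article: a small audit that flags such policies, with a constructed weak policy beside a hardened one pinned to a single repository and branch. The account id, organization and repository names are placeholders.

```python
ISSUER = "token.actions.githubusercontent.com"  # GitHub Actions OIDC provider


def _policy(condition: dict) -> dict:
    # Build a constructed GitHub OIDC trust policy (placeholder account id).
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::000000000000:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


# Weak (constructed): only the audience is pinned, so a token from ANY repository is accepted.
WEAK_POLICY = _policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})

# Hardened (constructed): audience plus exact repository and branch are required.
HARDENED_POLICY = _policy({"StringEquals": {
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main"}})


def oidc_trust_findings(policy: dict) -> list[str]:
    """Return weaknesses found in GitHub OIDC statements; an empty list means fully pinned."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if ISSUER not in str(stmt.get("Principal", {}).get("Federated", "")):
            continue  # not a GitHub OIDC statement
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):  # sub may be matched exactly or by pattern
            value = cond.get(op, {}).get(f"{ISSUER}:sub")
            if value:
                subs.extend(value if isinstance(value, list) else [value])
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for sub in subs:
            parts = sub.split(":")  # expected form: repo:<owner>/<repo>:<ref or environment>
            if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub '{sub}' does not pin a single owner/repo")
            elif "*" in sub:
                findings.append(f"sub '{sub}' uses a wildcard ref or environment")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, oidc_trust_findings(policy) or "ok")
```

Run the same audit over `aws iam get-role` output to find every role in an account that trusts GitHub without a pinned `sub`.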

Within just three days, the attackers:

Stole GitHub and npm API keys

Exploited CI/CD pipelines

Obtained AWS API credentials

Accessed data stored in Amazon S3

Destroyed production and cloud resources

This breach was part of the “s1ngularity” supply chain attack, which targeted the Nx open-source build system. The attackers published malicious packages that exposed sensitive credentials from thousands of repositories.

In total, 2,180 developer accounts and more than 7,200 repositories were affected after stolen credentials were leaked publicly on GitHub.

Insider Threats Shift Toward Cloud Services

The report also highlights a growing trend in insider-driven data theft. Researchers analyzed 1,002 insider incidents, discovering that the majority occurred while employees were still working at the organization.

Interestingly, insiders are increasingly using cloud platforms instead of traditional methods like email to exfiltrate sensitive data.

Services frequently abused for data theft include:

Amazon Web Services

Google Cloud

Microsoft Azure

Google Drive

Apple iCloud

Dropbox

Microsoft OneDrive

This shift suggests that cloud storage platforms are becoming the preferred channel for quietly moving large volumes of data outside corporate networks.

What Undercode Says:

The Cloud Security Battlefield Is Changing

The data clearly shows that cloud security is entering a new phase where speed and automation define both attackers and defenders. Traditional security thinking assumed that defenders would always have time to react to new vulnerabilities. That assumption is rapidly collapsing.

Attackers are now monitoring vulnerability disclosures in real time. Within hours of a CVE being published, automated tools can begin scanning the internet for unpatched systems. This means organizations that delay patching even briefly may already be compromised.

Identity Protection Is Working but Not Enough

The drop in credential-based breaches demonstrates that stronger identity protections such as multi-factor authentication, zero-trust architectures, and secure-by-default configurations are having a measurable impact. Attackers are finding it harder to steal passwords and immediately access systems.

However, this success is pushing attackers toward software vulnerabilities, which are often harder for organizations to control. A single unpatched component in a large cloud environment can provide attackers with a powerful entry point.

Supply Chain Risks Continue to Expand

The QuietVault and s1ngularity incidents highlight a critical weakness in modern development ecosystems: software supply chains. Developers rely heavily on open-source libraries and automated pipelines, creating a complex web of dependencies.

If attackers compromise just one widely used package, they can potentially infiltrate thousands of organizations simultaneously.

This kind of attack scales extremely well for cybercriminals and is likely to become even more common.

Developer Workstations Are a Major Target

Another important lesson from the report is that developers themselves are becoming high-value targets. Once attackers compromise a developer’s workstation, they gain access to repositories, CI/CD pipelines, cloud credentials, and deployment infrastructure.

In many cases, developer environments are less tightly monitored than production systems, making them attractive entry points.

Cloud Persistence Is Hard to Detect

The long-term espionage campaigns described in the report show how difficult it can be to detect stealthy intruders inside cloud environments. Nation-state actors are capable of maintaining access for years while quietly collecting data.

They often hide inside legitimate cloud services, making their activity blend in with normal operations.

Insider Threats Are Quietly Growing

While external attacks often make headlines, insider threats remain one of the most dangerous risks for organizations. Employees already have authorized access to sensitive systems, and if they decide to steal data, they can do so quickly and quietly.

The growing use of cloud storage services for data exfiltration makes detection even more difficult.

Automated Defense Is Becoming Essential

Perhaps the most important takeaway is that manual incident response is no longer fast enough. If attackers can deploy malware within an hour of creating a cloud instance, organizations cannot rely solely on human analysts to detect and stop threats.

Automated detection, AI-driven monitoring, and rapid response systems will become essential components of cloud security strategies moving forward.

Fact Checker Results

✅ The report correctly identifies vulnerability exploitation as the leading cloud intrusion vector in recent incident response investigations.
✅ Nation-state groups from Iran, China, and North Korea are widely documented as conducting long-term cyber espionage and cryptocurrency theft operations.
❌ The exact scale of some financial losses and long-term access durations may vary across investigations and remain partially undisclosed.

Prediction

🔐 Cloud security will increasingly rely on automated patching and AI-driven monitoring to counter ultra-fast attack cycles.
⚠️ Supply chain compromises targeting developer tools and open-source ecosystems will become one of the most common attack strategies.
🚨 Nation-state actors will continue blending espionage operations with financially motivated cybercrime, especially targeting cryptocurrency platforms.

References:

Reported By: www.bleepingcomputer.com