Most Google Cloud Attacks Start With Bug Exploitation
Dark Reading | Archived Mar 16, 2026
Forget stolen credentials and misconfigurations. Thanks to AI, the new top cause of compromises in the cloud is vulnerability exploits that beat patching cycles.
Robert Lemos, Contributing Writer
March 13, 2026
Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.
In its semi-annual "Cloud Threat Horizons Report," Google found attacks on user-managed software applications — such as the React2Shell attack targeting a flaw in React Server Components — bested software vulnerabilities to become the most frequently exploited vector for initial access. Overall, "software-based entry," which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.
The shift is likely due to the company's focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security adviser in the Office of the CISO at Google Cloud.
"As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths," she says. "It isn't necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party user-managed software running on top of the cloud rather than the cloud infrastructure itself."
Outside of Google's cloud environments, however, attackers continued to focus on identity and credential weaknesses, with 83% of the initial-access vectors in platform-agnostic incidents investigated by Google Mandiant chalked up to identity. Nearly a third of such attacks came from phishing, a fifth from compromised trust relationships with third parties, a fifth from stolen credentials, and a tenth from malicious insiders and software supply-chain attacks, according to the Google report. The remaining 17% of attacks, which were not identity-related, included misconfiguration and software exploitation.
Cybersecurity firm Palo Alto Networks found a similar focus, with two-thirds of initial access (65%) tied to identity in some way, according to the firm's "Global Incident Response Report 2026."
"As organizations move deeper into SaaS, cloud and hybrid environments, the network perimeter matters less," the Palo Alto Networks' report stated. "Identity — the linkage between users, machines, services and data — has become the practical perimeter."
Fix Identity and Attackers Focus Elsewhere
In cases where defenders have done a good job at focusing on credential abuse and misconfiguration, it's not surprising that cyberattackers have changed their focus, says Saumitra Das, vice president of engineering at Qualys.
Exploitation has become easier because of AI-driven vulnerability analysis, penetration testing, and exploit development, he says.
"Attackers adapted and increasingly shifted toward exploiting unpatched software," Das says. "That transition has been accelerated by AI-assisted exploitation tools and the near-instant weaponization of newly disclosed CVEs."
More than 44% of attacker activity on Google Cloud targeted software vulnerabilities and remote code execution. Source: Google Cloud
The shared responsibility model for cloud security means that both partners — the cloud provider and the customer — must keep up their side of the cybersecurity bargain. Unfortunately, all cloud architectures have identity weak points that, if not managed correctly, could be exploited, says Keith Lunden, a manager with the Google Threat Intelligence Group.
"We anticipate that threat actors will continue to find and exploit these gaps while evolving their methods through the use of AI," he says.
These gaps in security mean that most vulnerability exploitation in the cloud tends to focus on infrastructure-as-a-service (IaaS) rather than platform-as-a-service (PaaS), because the greater responsibility for securing infrastructure falls to the customer, not the hyperscaler service, says Das.
"Edge devices are naturally the first to be exploited, as well as publicly exposed assets such as virtual machines, containers, and serverless," he says.
AI Means Time Grows Short for Patching Bugs
Attackers' adoption of AI services is a major reason for shifts in the threat landscape. LLMs allow less technically adept attackers to vibe code well-crafted reconnaissance and exploitation frameworks, resulting in more attackers who can perform somewhat sophisticated attacks, says Das.
"In the past, defenders often had more time to respond to a vulnerability," he says. "Today, the response window has shrunk to hours — yet most patch management processes were never designed to operate at that speed."
For that reason, companies need to take a more aggressive approach to patching. Companies should virtually patch vulnerabilities within 24 hours of a public report, and fully remediate the issue within 72 hours, says Lister.
"Defenders should replace manual processes with identity-centric proxies and automated posture enforcement," she says, adding that Google Cloud's Organization Policy services could be used to programmatically block overly permissive firewall rules from ever being created, for example.
"In a world where exploitation is measured in hours," she says, "our defenses must be as automated as the attacks."
About the Author
Robert Lemos
Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.