Cloud Security: Hackers Now Target Software Flaws Over Passwords | TechRadar
The cloud threat landscape is undergoing a significant shift, with attackers increasingly prioritizing exploits of software vulnerabilities over traditional methods like compromised credentials. Fresh research from Google reveals a marked change in tactics, as cybercriminals target weaknesses in externally managed software and third-party integrations to gain access to cloud environments. This evolution poses a growing challenge for cloud security professionals, demanding a more proactive and nuanced approach to threat mitigation.
Early in 2025, weak or missing credentials remained the primary entry point for cloud compromises. However, the latter half of the year witnessed a surge in attacks leveraging software vulnerabilities. Google’s Cloud Threat Horizons Report now indicates that these vulnerabilities account for 44.5% of initial access vectors – surpassing credentials, which represent 27.2% of breaches. Misconfigurations contribute to 21% of initial access, while exposed interfaces account for a smaller 4.9%.
The Shrinking Patch Window
The speed at which attackers are exploiting these vulnerabilities is as well accelerating. The window between the public disclosure of a vulnerability and its exploitation has shrunk dramatically, moving from weeks to just days. In some instances, attackers have deployed cryptominers within 48 hours of a vulnerability becoming known. This rapid exploitation underscores the critical importance of timely patching and proactive vulnerability management. Organizations need to move beyond traditional, calendar-based patching schedules and adopt a more dynamic, risk-based approach.
This trend is particularly concerning given the increasing complexity of modern cloud environments. Organizations often rely on a multitude of third-party applications and services, each representing a potential attack surface. The Google report highlights the growing abuse of third-party SaaS integrations for data theft and unauthorized access. A full 21% of cloud intrusions in 2025 involved compromised trusted third-party relationships.
One specific example cited in the report involves UNC6395, a threat actor that leveraged compromised OAuth tokens associated with the Salesloft Drift application to gain extensive access and exfiltrate sensitive data from Salesforce tenants. Similarly, attackers have been observed stealing and abusing Salesforce Gainsight tokens to gain unauthorized access to victim environments. This demonstrates how attackers are targeting the connections *around* the cloud platform itself, rather than attempting to directly breach the core infrastructure.
Supply Chain Risks and OAuth Abuse
The exploitation of third-party integrations highlights the inherent risks associated with cloud supply chains. Organizations are increasingly reliant on external vendors for critical services, but these vendors can also introduce new vulnerabilities. OAuth, a widely used authorization framework, is proving to be a particularly attractive target for attackers. Compromised OAuth tokens can grant attackers broad access to sensitive data and systems without requiring them to directly compromise user credentials. The Open Web Application Security Project (OWASP) provides detailed guidance on securing OAuth implementations and mitigating the risks associated with token compromise.
This shift in attack vectors has significant implications for cloud security strategies. While strong identity and access management (IAM) practices remain essential, organizations must now place greater emphasis on securing their software supply chains and monitoring third-party integrations. This includes implementing robust vulnerability management programs, conducting regular security assessments of third-party vendors, and adopting zero-trust security principles.
Beyond Credentials: A Broader Security Posture
The move away from credential-based attacks doesn’t mean that strong passwords and multi-factor authentication are no longer important. Rather, it signifies that attackers are adapting their tactics to overcome these defenses. They are actively seeking out and exploiting weaknesses in the broader cloud ecosystem, including software vulnerabilities, misconfigurations, and third-party integrations. TechRadar Pro notes that this represents a fundamental change in the cloud security landscape.
Securing the software supply chain is now paramount. This involves ensuring that developers are following secure coding practices, regularly scanning code for vulnerabilities, and implementing robust build and deployment pipelines. Organizations should also consider using software bill of materials (SBOMs) to gain visibility into the components used in their software and identify potential vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has been actively promoting the adoption of SBOMs as a key component of software supply chain security.
What Comes Next: Enhanced Resilience and Recovery
Google’s report also emphasizes the importance of building cyber resilience and developing robust recovery plans. A Cloud Isolated Recovery Environment (CIRE) can help organizations quickly recover from attacks by providing a secure, isolated environment for restoring critical systems and data. Leveraging Google Cloud security tools can enhance defenses against evolving threats. The focus is shifting from simply preventing breaches to minimizing their impact and ensuring business continuity.
The evolving cloud threat landscape demands a continuous cycle of assessment, mitigation, and adaptation. Organizations must stay informed about the latest threats and vulnerabilities, proactively implement security measures, and regularly test their defenses. The Google Cloud Threat Horizons Report serves as a valuable resource for cloud security professionals seeking to navigate this increasingly complex environment. Ongoing monitoring and threat intelligence are no longer optional. they are essential for maintaining a secure cloud posture.