Cloud attackers are shifting from stolen credentials to software exploits, Google Cloud says

March 22, 2026 · 2 min read · 2 sources

Attackers targeting cloud environments are now more likely to break in by exploiting software vulnerabilities than by relying on stolen credentials, according to a Google Cloud threat report summarized by Infosecurity Magazine. The report points to a marked rise in exploit-led intrusions, including abuse of a React-related issue Google Cloud refers to as “React2Shell.”

The finding suggests a change in initial access tactics rather than the disappearance of credential theft. Password spraying, phishing, token theft and exposed keys still matter, but Google Cloud says vulnerability exploitation is becoming the preferred route because it can bypass MFA, scale across many targets and deliver code execution quickly on internet-facing systems.

That matters for organizations running public-facing applications, APIs, container platforms and CI/CD services in the cloud. A single unpatched flaw in an exposed service can give attackers a foothold to steal data, deploy cryptominers, move laterally or abuse cloud-native tools for persistence. In practice, this puts more pressure on patching speed, external attack-surface monitoring and prioritizing bugs that are known to be exploited in the wild.

The report also fits a wider industry pattern. CISA’s Known Exploited Vulnerabilities catalog continues to show how quickly newly disclosed flaws are weaponized once proof-of-concept code or active exploitation emerges. For defenders, the implication is that identity controls alone are not enough if vulnerable apps and services remain reachable from the internet. Internet-facing systems, including remote access tools such as VPN gateways, remain attractive targets when patching lags.

Google Cloud’s findings stop short of naming a single victim or campaign in the Infosecurity summary, and the exact technical details behind “React2Shell” were not fully described there. Still, the message is clear: cloud intrusion tradecraft is becoming more exploit-driven, and exposed software flaws are now a faster path into cloud estates than many defenders may assume.
