Cybercriminals are increasingly leveraging artificial intelligence to accelerate their attacks, collapsing the window between vulnerability disclosure and exploitation from weeks to just days. According to Google Cloud's latest Cloud Threat Horizons Report, based on observations from the second half of 2025, the speed and lethality of cloud attacks have reached unprecedented levels. The report underscores that while core cloud infrastructure from providers like Google Cloud, Amazon Web Services, and Microsoft Azure remains well-protected, threat actors are targeting the weakest link: third-party software and identity vulnerabilities.

The shift is dramatic. Instead of brute-forcing credentials directly, attackers now exploit unpatched vulnerabilities in popular libraries and frameworks, often within 48 hours of public disclosure. One notable example is the React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allowed remote code execution and was exploited within two days of its announcement. Another incident involved a remote code execution flaw in XWiki Platform (CVE-2025-24893) that had been patched in June 2024, but widespread failure to apply the patch allowed crypto-mining gangs to exploit it in late 2025. The report also details supply chain attacks through compromised Node Package Manager packages, where a developer's GitHub token was stolen, giving access to Amazon Web Services resources, leading to data theft from an AWS S3 bucket—all within 72 hours.

State-sponsored groups are also active and increasingly sophisticated. A group known as UNC4899, likely originating from North Korea, used AI-assisted development tools to lure a developer into executing malicious code. The attacker compromised the developer's workstation through a fake open-source collaboration, eventually gaining access to Kubernetes workloads and stealing millions in cryptocurrency. This attack chain involved social engineering via Airdrop and a counterfeit Kubernetes command-line tool, demonstrating how AI tools can be weaponized to deceive even experienced developers.

Identity attacks are another growing concern. Google's report highlights that 17% of breaches involved vishing (voice social engineering), 12% used email phishing, 21% exploited trusted third-party relationships, and 21% leveraged stolen human or non-human identities. Non-human identities, such as API keys and service accounts, are often overlooked but can provide attackers with direct access to cloud resources if compromised. Additionally, malicious insiders—employees, contractors, interns—are increasingly exfiltrating data via consumer cloud storage services like Google Drive, Dropbox, OneDrive, and iCloud. The report identifies this as the fastest-growing method of data exfiltration, often going unnoticed because the traffic blends with normal business activities.

Alarmingly, attackers are not immediately demanding ransoms. In 45% of intrusions, data was stolen without immediate extortion, allowing prolonged dwell times and stealthy persistence. This means businesses may be compromised for weeks or months before discovering the breach. The report emphasizes that defenders must adopt a mindset of continuous monitoring and assume that breaches have already occurred, focusing on detection and containment rather than pure prevention.

The implications for businesses are clear: AI-powered attacks require AI-augmented defenses. Traditional security measures that rely on manual patching cycles and periodic compliance checks are no longer sufficient. Google's security team recommends automated, policy-driven security controls, including continuous vulnerability scanning, identity analytics, and machine learning-based anomaly detection. For organizations without dedicated security teams, the following four strategies are critical to reducing risk:

1. Automated Patching

Ensuring all software—especially third-party applications and libraries—is automatically updated is the first line of defense. Manual patching cycles are too slow in an environment where zero-day exploits are weaponized in hours. Automation reduces the window of exposure from weeks to minutes. Businesses should enable auto-updates where possible and use software composition analysis tools to track dependencies.

2. Strengthen Identity and Access Management

Multi-factor authentication should be mandatory for all users, including those using administrative tools. Just-in-time privilege escalation and strict governance of non-human identities are essential. Google recommends implementing zero-trust principles: never trust, always verify. Continuously monitor for anomalous access patterns, such as logins from unusual locations or times, and revoke unused credentials.

3. Network Monitoring for Unusual Activity

Both external attacks and insider threats require vigilant monitoring of network traffic and data movement. Detection of large uploads to personal cloud storage, unusual outbound traffic to unknown IPs, or unexpected API calls can catch data exfiltration early. Use security information and event management systems that integrate cloud logs, and deploy endpoint detection and response tools to identify malicious processes.

4. Incident Response Planning

Having a pre-prepared incident response plan is essential. The first hours after detection are crucial for containment; scrambling to assemble resources during an active breach can cost valuable time. Run tabletop exercises to test the plan. For small businesses without in-house expertise, partnering with a managed security service provider is highly recommended. The cost of preparing is far lower than the cost of a breach, which often includes data loss, regulatory fines, and reputational damage.

The threat landscape is evolving rapidly, with AI amplifying both attacker and defender capabilities. As cybercriminals continue to refine their techniques, relying on outdated security practices is no longer an option. Organizations that fail to adapt their security postures—by embracing automation, enforcing strong identity controls, and maintaining continuous vigilance—risk becoming the next victim of faster, deadlier cloud attacks. The time to act is now, before a disclosure window closes and the attack begins.

Source: ZDNET News