GCP – Cloud CISO Perspectives: New Threat Horizons details evolving risks — and defenses
Welcome to the first Cloud CISO Perspectives for August 2025. Today, our Office of the CISO’s Bob Mechler and Anton Chuvakin dive into the key trends and evolving threats that we tracked in our just-published Cloud Threat Horizons report.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
New Cloud Threat Horizons details evolving threats — and defenses
By Bob Mechler, director, Office of the CISO, and Anton Chuvakin, security advisor, Office of the CISO
Threat actors are leaning into cyberattacks against cloud service providers and honing their tactics to specifically target recovery mechanisms and supply chains — often to achieve high-value compromises.
That’s one of the top conclusions from our newest Threat Horizons Report, a free biannual publication sharing strategic intelligence on cloud threats that draws on research from Google Cloud’s Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and intelligence, security, and product teams.
These cyberattacks are starting from a frustratingly familiar place: Credential compromise and misconfiguration are still the leading entry points for threat actors in cloud environments.
“During the first half of 2025, weak or absent credentials were the predominant threat, accounting for 47.1% of incidents. Misconfigurations (29.4%) and API/UI compromises (11.8%) followed as the next most-frequently observed initial access vectors,” the report said.
These findings closely mirror our observations in previous Cloud Threat Horizons Reports, emphasizing the critical need for robust identity and access management and proactive vulnerability management.
The new report takes stock of the state of cloud security, and focuses on actionable recommendations for leaders and practitioners. As threat actors advance their methods for data exfiltration, identity compromise, supply chain attacks, and improving evasion and persistence techniques, Google Cloud security experts offer four critical insights into these evolving risks, supported by threat intelligence and risk mitigations.
1. Foundational vulnerabilities persist
A persistent challenge is the continued exploitation of basic security weaknesses in the cloud. Despite defensive advancements, the primary entry points for threat actors — credential compromise and misconfiguration — are driven by a lack of attention to cloud security fundamentals.
As we noted, these foundational issues accounted for a significant portion of incidents in the first half of 2025. Too many organizations struggle with these basics, and we cannot emphasize enough the importance of robust identity and access management and proactive vulnerability management — reach out to your cloud provider to ensure your metaphorical windows and doors are locked.
2. Attacking backups to pressure victims
Threat actors are increasingly targeting backup infrastructure to hinder recovery efforts. Financially motivated attackers are now routinely compromising backup systems to ensure that organizations can’t restore data after a ransomware attack, and to coerce them into capitulating.
This shift emphasizes the critical importance of business continuity. Our report highlights the need for solutions, including Cloud Isolated Recovery Environment (CIRE), to provide a secure restore point. A robust disaster recovery plan, rooted in layered security, should go beyond relying solely on cloud backups.
3. MFA is effective, but not invulnerable
Multi-factor authentication (MFA) is a highly effective security measure. However, threat actors are developing more sophisticated methods to bypass it, particularly through social engineering to steal credentials and session cookies.
For example, the North Korean threat actor group UNC4899 used social media to trick employees into running malicious Docker containers, and then stole the victims’ credentials and session cookies to gain access to cloud environments. In some instances, they used credential and cookie theft to bypass weaker MFA methods and avoid detection.
As Google Cloud and Workspace take steps to add additional layers of protection to the MFA process with passkeys and device-bound session credentials, cloud customers should also adopt a comprehensive defense-in-depth strategy. Robust session management and enhanced user awareness training can prove vital to mitigating MFA threats.
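The cookie theft described above works because a plain session cookie is a bearer token: whoever holds it is the user. The following Go sketch, added here as an illustration and not code from Google Cloud, the report, or any product, shows the device-bound idea in miniature: at login the server binds the session cookie to the device’s Ed25519 public key, and every later request must carry a signature from that key over the cookie and a single-use nonce, so a copied cookie on its own is rejected. The `Server`, `Login`, `Sign` and `Request` names are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server state for this sketch: each session cookie is bound to the public
// key of the device that completed MFA, and every nonce is accepted only once.
type Server struct {
	sessions map[string]ed25519.PublicKey
	used     map[string]bool
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Login stands in for a completed MFA login: the device presents its public
// key and the server binds the freshly issued cookie to it.
func (s *Server) Login(devicePub ed25519.PublicKey) string {
	b := make([]byte, 16)
	rand.Read(b)
	cookie := hex.EncodeToString(b)
	s.sessions[cookie] = devicePub
	return cookie
}

// Sign is the client side: prove possession of the device private key for this
// cookie and nonce (the client picks the nonce here; a real scheme would have the server issue it).
func Sign(priv ed25519.PrivateKey, cookie, nonce string) []byte {
	return ed25519.Sign(priv, []byte(cookie+"|"+nonce))
}

// Request checks a cookie-bearing request. The cookie alone is not enough: the
// bound device key must sign cookie|nonce, and a nonce is consumed on first use
// so a captured (cookie, nonce, signature) tuple cannot be replayed.
func (s *Server) Request(cookie, nonce string, sig []byte) error {
	pub, ok := s.sessions[cookie]
	if !ok {
		return errors.New("unknown session")
	}
	if s.used[nonce] {
		return errors.New("nonce already used")
	}
	if !ed25519.Verify(pub, []byte(cookie+"|"+nonce), sig) {
		return errors.New("signature does not match the bound device key")
	}
	s.used[nonce] = true
	return nil
}
```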
4. Evolving supply chain attacks
The supply chain continues to be a significant area of risk, and we’ve observed threat actors using trusted cloud services to host decoy files and payloads. The new Cloud Threat Horizons report details campaigns where seemingly benign PDFs on legitimate cloud platforms were used to distract victims while malicious payloads were downloaded — a classic trust-exploitation attack.
It shouldn’t come as a surprise that adversaries are evolving their tactics to target personnel, recovery plans, and the inherent trust in platforms. CISOs and security leaders should encourage their organizations to evolve as well, from addressing individual vulnerabilities to building a resilient, end-to-end security program prepared for today’s threat landscape.
Level up your cloud security today
Effectively navigating today’s threats means that organizations should adopt a defense-in-depth strategy that prioritizes identity security, robust recovery mechanisms, continuous vigilance against sophisticated social engineering and deception tactics, and supply chain integrity.
For more details on the threats facing cloud providers and users, and mitigations for those risks, you can download the new Cloud Threat Horizons report here.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Your guide to Security Summit 2025: AI can help empower defenders, and also create new security challenges. Join us for this year’s Security Summit as we focus on those themes. Read more.
- Complex, hybrid manufacturing needs strong security. Here’s how CISOs can get it done: Our Office of the CISO has developed actionable security guidance for hybrid manufacturing OT networks. Here’s what you need to know. Read more.
- Forrester study: Customers cite 240% ROI with Google Security Operations: A new Forrester Consulting study on Google Security Operations found a 240% ROI over three years, with a net present value (NPV) of $4.3 million. Read more.
- Google Cloud’s commitment to EU AI Act support: We intend to sign the European Union AI Act Code of Practice. Here’s what our European customers should know. Read more.
- Introducing audit-only mode for Access Transparency: A new, lightweight audit-only mode for Access Approval enables access approvals in an “on demand only” model. Read more.
- Best practices to prevent dangling bucket takeovers: Storage buckets are where your data lives in the cloud, but sometimes they get forgotten. Here’s how to secure them against dangling bucket attacks. Read more.
- New patch rewards program for OSV-SCALIBR: Participants in the program will be eligible to receive a financial reward for providing novel OSV-SCALIBR plugins for inventory, vulnerability, and secret detection. Read more.
- Android’s pKVM first globally certified software to earn SESIP Level 5: With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Exposing the risks of VMware vSphere Active Directory integration: The common practice of directly integrating vSphere with Microsoft Active Directory can simplify administration tasks, but also creates an attack path frequently underestimated due to misunderstanding the inherent risks. Read more.
- Defending your VMware vSphere estate from UNC3944: Take a deep dive into the anatomy of UNC3944’s vSphere-centered attacks, and study our fortified, multi-pillar defense strategy for risk mitigation. Read more.
- Ongoing SonicWall SMA exploitation campaign using the OVERSTEP backdoor: Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- Google lessons for using AI agents to secure our enterprise: What can AI agents do for your organization’s security? Dominik Swierad, product development and strategy lead, AI and Sec-Gemini, joins hosts Anton Chuvakin and Tim Peacock for a lively chat on the state of using AI agents to improve security. Listen here.
- Making security personal, the TikTok way: Kim Albarella, global head of security, TikTok, discusses security strategies, appropriate metrics, and balancing the need for localized compliance with the desire for a consistent global security posture with Anton and Tim. Listen here.
- Defender’s Advantage: Securing protection relays in modern substations: Host Luke McNamara is joined by members of Mandiant Consulting’s Operational Technology team to discuss securing assets in the energy grid. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.