The H1 2025 Threat Horizons Report, published by Google Cloud, sheds light on evolving threats within the cloud security landscape, focusing on ransomware, data theft, and vulnerabilities affecting cloud infrastructures globally. As cybercriminals become more adept at bypassing security measures, organizations must prioritize robust, proactive strategies to safeguard their data and operations.
Key Findings
1. Rise in Overprivileged Service Accounts
The report underscores a worrying shift in cyberattacks toward overprivileged service accounts. It attributes 46.4% of flagged cloud security incidents in the second half of 2024 to attackers exploiting these accounts to move laterally within systems, amplifying the potential damage.
Critical Insights:
- Service account mismanagement remains a leading risk.
- Weak credentials and misconfigurations are still common entry points.
- Attackers are increasingly using compromised accounts for extensive infiltration.
2. Identity as the New Perimeter
The boundary of cybersecurity has shifted from traditional networks to identity-based systems, particularly in hybrid and multi-cloud environments. Threat actors are exploiting compromised credentials and employing techniques such as:
- SIM swapping
- Phishing and social engineering
- Multi-factor authentication (MFA) fatigue attacks
These tactics allow cybercriminals to bypass authentication systems, gain persistent access, and orchestrate larger attacks across cloud and on-premises infrastructures.
3. Database Vulnerabilities and Exploits
Databases have become primary targets for attackers due to their treasure troves of sensitive information. Vulnerabilities such as open ports, weak passwords, and unpatched systems are being exploited with increasing sophistication.
A notable campaign in 2024 involved the Kinsing malware, which targeted publicly exposed PostgreSQL databases. Threat actors leveraged brute-force attacks and advanced tactics to extract data and even engage in cryptocurrency mining.
4. Ransomware Adaptability
The report highlights the rise of ransomware-as-a-service (RaaS) models, where cybercriminals employ readily available tools to maximize impact while evading detection. The group UNC2165, linked to infamous ransomware operations, transitioned to widely used ransomware families like RANSOMHUB and LOCKBIT to obscure their identities.
Key Trends:
- Increased deployment of RaaS offerings.
- Threat actors are leveraging cloud platforms to host stolen data and extort victims.
- The growing prevalence of data leak sites (DLS) amplifies the exposure of sensitive information.
5. Cloud Hijacking for Cryptocurrency Mining
Groups such as TRIPLESTRENGTH are hijacking cloud accounts to run cryptocurrency mining operations. Using stolen credentials, these actors exploit cloud services, bypass security measures, and generate substantial profits.
Recommendations for Enhanced Cloud Security
To counter the evolving threat landscape, the report offers actionable mitigation strategies:
Identity Protection
- Enforce phishing-resistant MFA and consider passwordless authentication methods.
- Regularly review identity policies and enforce the principle of least privilege.
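The least-privilege review above, and the overprivileged service accounts described under Key Findings, can be turned into a repeatable check. The following is an added example, not code from the report or from Google: it audits a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json` and reports service accounts holding the basic owner/editor roles, service accounts able to act as or mint credentials for other service accounts, and bindings to public principals. The project name, service-account names and the policy itself are constructed.

```python
"""Audit a Google Cloud project IAM policy for overprivileged service accounts.

Added example (not code from the Threat Horizons report or from Google).
Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
prints; SAMPLE_POLICY below is a constructed policy for a fictitious project.
"""
import json
import sys
from typing import Dict, List, Tuple

# Basic roles grant broad project-wide rights; a service account that holds
# one can reach almost every resource, which is the lateral-movement path
# the report describes.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Roles that let the holder act as, or mint credentials for, other service
# accounts: a stepping stone from one identity to the next.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}

# Grants to these principals expose the resource to the whole internet or
# to anyone with a Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deployer@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy-app@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:legacy-app@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:monitor@example-proj.iam.gserviceaccount.com"]}
  ]
}
""")


def audit_policy(policy: Dict) -> List[Tuple[str, str, str]]:
    """Return (severity, member, role) findings, sorted so output is stable.

    Only service accounts and public principals are examined; human users
    with broad roles are a separate review. Conditional bindings are not
    treated differently: a conditional grant of roles/owner is still reported.
    """
    findings: List[Tuple[str, str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", member, role))
            elif member.startswith("serviceAccount:"):
                if role in BASIC_ROLES:
                    findings.append(("HIGH", member, role))
                elif role in IMPERSONATION_ROLES:
                    findings.append(("MEDIUM", member, role))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_iam.py [policy.json]; with no argument the
    # constructed sample policy is audited.
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    for severity, member, role in audit_policy(policy):
        print(f"[{severity}] {member} -> {role}")
```

Against the sample policy this reports the public storage binding, the two service accounts holding basic roles, and the token-creator grant, while leaving the read-only logging viewer alone. It looks only at the project level, so folder- and organization-level bindings (which are inherited downward) need the same pass with `gcloud resource-manager folders get-iam-policy` and `gcloud organizations get-iam-policy`.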
Database Security
- Monitor and secure open ports and weak credentials.
- Enable logging and monitoring to detect brute-force attacks and unauthorized access.
- Use VPC Service Controls to build service perimeters around sensitive data.
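The logging recommendation above, applied to the PostgreSQL brute-force campaign described under Database Vulnerabilities and Exploits: the script below is an added example, not code from the report, from Google, or from the Kinsing write-up. It assumes the server is configured with `log_line_prefix = '%m [%p] %r '` so each line carries a timestamp, backend pid and remote host(port), then counts `FATAL` authentication failures per source host inside a sliding time window. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Detect password brute-forcing against PostgreSQL from its server log.

Added example (not code from the Threat Horizons report or from Google).
It assumes log_line_prefix = '%m [%p] %r ' so that each line carries the
timestamp, backend pid and remote host(port); SAMPLE_LOG is constructed
and uses documentation-only addresses (RFC 5737).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, Tuple

# Matches the two FATAL messages an authentication sweep produces: a wrong
# password for a real role, and an attempt against a role that does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ UTC) \[\d+\] "
    r"(?P<host>[0-9A-Fa-f.:]+)\(\d+\) FATAL:\s+"
    r'(?:password authentication failed for user|role) "(?P<user>[^"]+)"'
)

SAMPLE_LOG = """\
2024-06-01 12:00:01.101 UTC [4101] 203.0.113.7(51234) FATAL:  password authentication failed for user "postgres"
2024-06-01 12:00:03.220 UTC [4102] 203.0.113.7(51235) FATAL:  password authentication failed for user "postgres"
2024-06-01 12:00:05.002 UTC [4103] 203.0.113.7(51236) FATAL:  role "admin" does not exist
2024-06-01 12:00:06.730 UTC [4104] 10.128.0.5(40012) LOG:  connection authorized: user=app database=appdb
2024-06-01 12:00:07.515 UTC [4105] 203.0.113.7(51237) FATAL:  password authentication failed for user "postgres"
2024-06-01 12:00:09.104 UTC [4106] 198.51.100.4(60211) FATAL:  password authentication failed for user "alice"
2024-06-01 12:00:10.988 UTC [4107] 203.0.113.7(51238) FATAL:  password authentication failed for user "root"
2024-06-01 12:00:12.301 UTC [4108] 203.0.113.7(51239) FATAL:  password authentication failed for user "postgres"
""".splitlines()


def parse_auth_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, remote host, role name) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f UTC")
            yield ts.replace(tzinfo=timezone.utc), m["host"], m["user"]


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag hosts with >= threshold failures inside any sliding window.

    Returns {host: {"first_seen", "flagged_at", "failures", "users_tried"}}.
    A lone failure from a host (a mistyped password) never trips the detector.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    users: Dict[str, set] = defaultdict(set)
    total: Dict[str, int] = defaultdict(int)
    flagged: Dict[str, dict] = {}
    for ts, host, user in sorted(parse_auth_failures(lines)):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        users[host].add(user)
        total[host] += 1
        if len(q) >= threshold and host not in flagged:
            flagged[host] = {"first_seen": q[0], "flagged_at": ts}
    for host, info in flagged.items():
        info["failures"] = total[host]
        info["users_tried"] = sorted(users[host])
    return flagged


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failures, roles tried {info['users_tried']}, "
              f"window opened {info['first_seen'].time()} flagged {info['flagged_at'].time()}")
```

On the sample log the detector flags 203.0.113.7 at its fifth failure and lists the roles it cycled through (a sign of credential spraying rather than a forgotten password), while the single failure from 198.51.100.4 and the successful connection from the private address are ignored. The same parse-and-window logic works on Cloud SQL for PostgreSQL logs once the `textPayload` field is extracted, provided the instance flag `log_line_prefix` includes `%r` or `%h`; without the remote host in the prefix there is nothing to group on.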
Ransomware Defense
- Regularly review user permissions and restrict excessive access.
- Leverage Google Cloud's Security Command Center (SCC) for proactive threat detection.
- Establish a robust backup strategy to ensure disaster recovery capabilities.
Cloud Account Safeguards
- Implement mandatory MFA to minimize the risk of account takeovers.
- Monitor for unusual spending patterns to detect unauthorized use.
- Utilize automated alert systems to identify sensitive account activity.
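The spending-pattern check above is the most direct signal for the cryptocurrency-mining hijacks described under Cloud Hijacking: mining shows up as a step change in compute spend that other services do not share. The script below is an added example, not code from the report or from Google. It takes per-service daily totals of the kind one would query from a Cloud Billing export (the figures here are constructed) and flags a day when one service's cost is at least `ratio` times its trailing-window median and exceeds it by at least `min_delta`, so that a brand-new service with a few dollars of spend does not trip the alert.

```python
"""Flag abnormal daily cloud spend per service against a trailing baseline.

Added example (not code from the Threat Horizons report or from Google).
DAILY_COSTS is a constructed stand-in for the per-service daily totals one
would query from a Cloud Billing export; every number below is made up.
"""
from statistics import median
from typing import Dict, List

# One row per day; keys other than "day" are service names with USD cost.
# Compute Engine jumps on 2025-01-09 (a miner spinning up instances), Cloud
# Storage wobbles a little, and Cloud Run appears mid-series at a few dollars.
DAILY_COSTS: List[Dict[str, object]] = [
    {"day": "2025-01-01", "Compute Engine": 210.0, "Cloud Storage": 40.0},
    {"day": "2025-01-02", "Compute Engine": 205.0, "Cloud Storage": 40.0},
    {"day": "2025-01-03", "Compute Engine": 215.0, "Cloud Storage": 41.0},
    {"day": "2025-01-04", "Compute Engine": 208.0, "Cloud Storage": 40.0},
    {"day": "2025-01-05", "Compute Engine": 212.0, "Cloud Storage": 40.0},
    {"day": "2025-01-06", "Compute Engine": 230.0, "Cloud Storage": 42.0, "Cloud Run": 5.0},
    {"day": "2025-01-07", "Compute Engine": 209.0, "Cloud Storage": 40.0, "Cloud Run": 5.0},
    {"day": "2025-01-08", "Compute Engine": 260.0, "Cloud Storage": 40.0, "Cloud Run": 5.0},
    {"day": "2025-01-09", "Compute Engine": 980.0, "Cloud Storage": 55.0, "Cloud Run": 5.0},
    {"day": "2025-01-10", "Compute Engine": 1150.0, "Cloud Storage": 40.0, "Cloud Run": 5.0},
]


def spend_anomalies(rows: List[Dict[str, object]], window: int = 7,
                    ratio: float = 2.0, min_delta: float = 50.0) -> List[Dict[str, object]]:
    """Return one finding per (day, service) whose cost breaks from its baseline.

    The baseline is the median of the previous `window` days for that service
    (median rather than mean so a single spike does not inflate the baseline
    for the days that follow). Days with fewer than `window` predecessors are
    skipped. Both guards must hold: cost >= ratio * baseline, and
    cost - baseline >= min_delta.
    """
    services = sorted({k for r in rows for k in r if k != "day"})
    findings: List[Dict[str, object]] = []
    for svc in services:
        series = [float(r.get(svc, 0.0)) for r in rows]  # missing day = no spend
        for i in range(window, len(series)):
            baseline = median(series[i - window:i])
            cost = series[i]
            if cost >= ratio * baseline and cost - baseline >= min_delta:
                findings.append({"day": rows[i]["day"], "service": svc,
                                 "cost": cost, "baseline": baseline})
    return findings


if __name__ == "__main__":
    for f in spend_anomalies(DAILY_COSTS):
        print(f"{f['day']} {f['service']}: {f['cost']:.2f} vs baseline {f['baseline']:.2f}")
```

On the constructed data only the two Compute Engine days are reported: the 260.00 day is a plausible deployment bump and stays under the ratio, the 55.00 Cloud Storage day is noise, and Cloud Run never clears `min_delta`. In production the same per-service split matters more than the thresholds, since hijacked accounts typically concentrate new spend in compute or GPU SKUs while everything else stays flat; Cloud Billing budget alerts catch the aggregate, and this kind of per-service baseline catches the shape.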
The Road Ahead
As the report highlights, cloud environments face a rapidly evolving threat landscape where attackers refine their tactics to exploit vulnerabilities and evade detection. By prioritizing identity security, database protection, and proactive threat detection, organizations can strengthen their defenses and mitigate risks effectively.