The rapid adoption of cloud computing has transformed how businesses operate, but it has also opened new avenues for cybercriminals. A recent report from Google Cloud Security reveals that attackers are now exploiting vulnerabilities with unprecedented speed, reducing the time between disclosure and mass exploitation from weeks to mere days. This alarming trend underscores the need for businesses to adopt proactive, AI-powered defenses.
The New Landscape of Cloud Attacks
According to Google's Cloud Threat Horizons Report for March 2026, the window for patching vulnerabilities has collapsed. In the second half of 2025, attackers began leveraging zero-day exploits and known vulnerabilities almost instantly. The report notes that most attacks no longer target core cloud infrastructure—which is well-protected—but instead focus on unpatched third-party software. This shift forces businesses to manage security across a complex ecosystem of libraries, frameworks, and dependencies.
AI is playing a dual role. While businesses debate its benefits, cybercriminals have embraced it to automate reconnaissance, craft convincing phishing campaigns, and accelerate code exploitation. Google's investigators observed that AI-assisted tools help attackers probe targets faster, making manual defense impossible at scale.
Case Studies: From Disclosure to Exploitation in Hours
The report details several incidents that illustrate the compressed timeline. One involved a critical remote code execution (RCE) vulnerability in React Server Components, known as CVE-2025-55182 or React2Shell. Within 48 hours of public disclosure, attackers began exploiting it to compromise websites and mobile apps. This rapid exploitation is a hallmark of AI-driven scanning.
Another incident targeted an older vulnerability in the XWiki Platform (CVE-2025-24893). Though patched in June 2024, many organizations had not applied the fix. By November 2025, crypto-mining gangs were actively exploiting it, demonstrating that even known vulnerabilities remain dangerous if patching is delayed.
A particularly sophisticated attack involved the North Korean state-sponsored group UNC4899. The attackers tricked a developer into downloading a malicious archive disguised as an open-source project. The developer used a personal device to transfer the file via AirDrop to a corporate workstation. An AI-enhanced integrated development environment then executed embedded Python code, which installed a backdoor masquerading as a Kubernetes command-line tool. This gave the attackers a foothold in the corporate network, leading to a cryptocurrency theft worth millions.
Another example shows how a compromised Node Package Manager (npm) package stole a developer's GitHub token, granting access to Amazon Web Services (AWS). Within 72 hours, attackers extracted files from an S3 bucket and deleted the originals. Such speed is only possible with automated attack chains that exploit trust relationships.
Identity Exploitation: The New Frontier
As brute-force attacks on passwords decline, attackers are turning to identity-based techniques. Google's report reveals that 17% of cases involved voice-based social engineering (vishing), 12% used email phishing, 21% compromised trusted relationships with third parties, and another 21% leveraged stolen human or non-human identities (such as service accounts). Incorrect configuration of application and infrastructure assets accounted for 7% of attacks.
Worryingly, malicious insiders are also a growing threat. Employees, contractors, consultants, and interns are increasingly using consumer cloud storage services like Google Drive, Dropbox, Microsoft OneDrive, and Apple iCloud to exfiltrate data. The report calls this the fastest-growing method of data theft. Attackers are also becoming stealthier: 45% of intrusions resulted in data theft without immediate extortion, with long dwell times designed to maximize damage.
These trends highlight the need for robust identity and access management (IAM) policies. Multi-factor authentication, least-privilege access, and regular audits of non-human identities are essential. Businesses must also monitor for unusual data movement, both from external attackers and insiders.
Four Actionable Steps for Businesses
While Google's report provides detailed guidance for large enterprises on its own platform, small and medium-sized businesses can adopt these four key strategies:
1. Automate Patching and Software Updates
Given that attackers now exploit vulnerabilities within 48 hours, manual patching is no longer sufficient. Businesses should enable automatic updates for all third-party applications, libraries, and dependencies. This includes not only operating systems but also web frameworks, JavaScript libraries, and container images. A centralized patch management tool can ensure consistency across cloud and on-premises environments.
For critical vulnerabilities, organizations should have a process to apply emergency patches before the standard update cycle. The cost of a breach far outweighs the inconvenience of an unscheduled update.
2. Strengthen Identity and Access Management
The shift to identity-based attacks demands a robust IAM framework. This means implementing multi-factor authentication for all users, especially those with administrative privileges. For non-human identities such as service accounts and API keys, enforce short-lived credentials and rotate them frequently. Use just-in-time access for sensitive systems, granting permissions only when needed and revoking them automatically.
Additionally, review third-party integrations carefully. Each connection to a partner or vendor introduces potential risk. Ensure that only necessary data is shared, and access is revoked when no longer required.
3. Monitor Network and Data Movement
Early detection of anomalous activity can stop an attack before it escalates. Deploy network monitoring tools that can flag unusual outbound data transfers, especially to consumer cloud storage. User and entity behavior analytics (UEBA) can help identify insider threats by deviations from normal patterns—for example, a developer suddenly downloading large amounts of data to an external drive.
Cloud security posture management (CSPM) solutions can automatically detect misconfigurations that leave data exposed. Combine these with endpoint detection and response (EDR) to cover both cloud and device-level threats.
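The data-movement monitoring recommended in step 3 (and in the identity section above, which calls for watching unusual data movement by insiders), as an added example that is not from the report or the article: detection logic over constructed proxy log lines that flags a user whose daily uploads to consumer cloud storage jump well above that user's own baseline. The log format, the hostnames and the thresholds are assumptions, not values from the report.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy log lines (assumed format: "<date> <user> <dst_host> <method> <bytes_out>").
LOG_LINES = """
2026-03-02 alice drive.google.com POST 1200000
2026-03-03 alice drive.google.com POST 900000
2026-03-04 alice www.dropbox.com POST 1500000
2026-03-05 alice content.dropboxapi.com POST 2100000000
2026-03-05 alice www.icloud.com POST 850000000
2026-03-02 bob onedrive.live.com POST 3000000
2026-03-03 bob onedrive.live.com POST 2800000
2026-03-04 bob onedrive.live.com POST 3100000
2026-03-05 bob intranet.example.internal POST 5000000000
""".strip().splitlines()

# Consumer storage services the report names as exfiltration channels (hostnames assumed).
CONSUMER_STORAGE = {
    "drive.google.com": "Google Drive",
    "www.dropbox.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "onedrive.live.com": "Microsoft OneDrive",
    "www.icloud.com": "Apple iCloud",
}

def daily_consumer_upload_bytes(lines):
    """Return {user: {date: bytes_out}}, counting only uploads to consumer storage."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines instead of crashing the detector
        date, user, host, method, nbytes = fields
        if method == "POST" and host in CONSUMER_STORAGE:
            totals[user][date] += int(nbytes)
    return totals

def flag_exfil(lines, min_bytes=100_000_000, ratio=10.0):
    """Alert (user, date, bytes) when a day's consumer-storage uploads exceed both
    min_bytes and ratio x the median of that user's earlier days (>= 2 days of history)."""
    alerts = []
    for user, per_day in daily_consumer_upload_bytes(lines).items():
        history = []
        for date in sorted(per_day):
            n = per_day[date]
            if len(history) >= 2 and n >= min_bytes and n >= ratio * median(history):
                alerts.append((user, date, n))
            else:
                history.append(n)  # flagged days stay out of the baseline
    return alerts
```

Uploads to internal hosts (bob's large transfer) are ignored by design; the per-user median keeps a habitually heavy uploader from drowning out a genuine spike by a normally quiet one.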
4. Prepare a Detailed Incident Response Plan
When a breach occurs, every minute counts. Having a pre-defined incident response plan can shave days off containment times. The plan should include clear roles and responsibilities, communication protocols, and step-by-step procedures for isolating affected systems, preserving evidence, and notifying stakeholders.
Conduct regular tabletop exercises to test the plan under realistic scenarios. This helps identify gaps and ensures the response team can act quickly when needed. For smaller businesses without dedicated security staff, partnering with a managed security service provider (MSSP) can fill the gap. The choice of provider should be made before an incident, not during one.
The speed of modern cloud attacks leaves no room for complacency. By adopting automated defenses and proactive strategies, businesses can reduce their exposure and respond effectively when threats emerge. The time to act is now, before the next exploit window closes.
Source: ZDNET News