Dark Reading

Most Google Cloud Attacks Start With Bug Exploitation

Forget stolen credentials and misconfigurations; AI means vulnerability exploits that beat patching cycles are the top cause of compromises in the cloud.

Robert Lemos, Contributing Writer
March 13, 2026

Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.

In its semi-annual Cloud Threat Horizons Report, Google found attacks on user-managed software applications — such as the React2Shell attack targeting a flaw in React Server Components — bested software vulnerabilities to become the most frequently exploited vector for initial access. Overall, "software-based entry," which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.

The shift is likely due to the company's focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security advisor in the Office of the CISO at Google Cloud.

"As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths," she says. "It isn’t necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party, user-managed software running on top of the cloud rather than the cloud infrastructure itself."

Outside of Google's cloud environments, however, attackers continued to focus on identity and credential weaknesses, with 83% of the initial-access vectors in platform-agnostic incidents investigated by Google Mandiant chalked up to identity. Nearly a third of such attacks came from phishing, a fifth from compromised trust relationships with third parties, and a fifth from stolen credentials, with malicious insiders and software supply-chain attacks also among the vectors, according to the Google report.

Cybersecurity firm Palo Alto Networks found a similar focus, with two-thirds of initial access (65%) tied to identity in some way, according to the firm's Global Incident Response Report 2026.

"As organizations move deeper into SaaS, cloud and hybrid environments, the network perimeter matters less," the Palo Alto Networks report stated. "Identity — the linkage between users, machines, services and data — has become the practical perimeter."

Fix Identity & Attackers Focus Elsewhere

In cases where defenders have done a good job at focusing on credential abuse and misconfiguration, it's not surprising that cyberattackers have changed their focus, says Saumitra Das, vice president of engineering at Qualys.

Exploitation has become easier because of AI-driven vulnerability analysis, penetration testing, and exploit development, he says.

"Attackers adapted and increasingly shifted toward exploiting unpatched software," Das says. "That transition has been accelerated by AI-assisted exploitation tools and the near-instant weaponization of newly disclosed CVEs."

[Figure: More than 44% of attacker activity on Google Cloud targeted software vulnerabilities and remote code execution. Source: Google Cloud]

The shared responsibility model for cloud security means that both partners — the cloud provider and the customer — must keep up their side of the cybersecurity bargain. Unfortunately, all cloud architectures have identity weak points that, if not managed correctly, could be exploited, says Keith Lunden, a manager with the Google Threat Intelligence Group.

"We anticipate that threat actors will continue to find and exploit these gaps while evolving their methods through the use of AI," he says.

These gaps in security mean that most vulnerability exploitation in the cloud tends to focus on infrastructure-as-a-service (IaaS) rather than platform-as-a-service (PaaS), because the greater responsibility for securing infrastructure falls to the customer, not the hyperscaler service, says Qualys' Das.

"Edge devices are naturally the first to be exploited, as well as publicly exposed assets such as virtual machines, containers and serverless," he says.

AI Means Time Grows Short for Patching Bugs

Attackers' adoption of AI services is a major reason for shifts in the threat landscape. LLMs allow less technically adept attackers to vibe-code well-crafted reconnaissance and exploitation frameworks, resulting in more attackers who can perform somewhat sophisticated attacks, says Qualys' Das.

"In the past, defenders often had more time to respond to a vulnerability," he says. "Today, the response window has shrunk to hours — yet most patch management processes were never designed to operate at that speed."

For that reason, companies need to take a more aggressive approach to patching. Companies should virtually patch vulnerabilities within 24 hours of a public report, and fully remediate the issue within 72 hours, says Google's Lister.

"Defenders should replace manual processes with identity-centric proxies and automated posture enforcement," she says, adding that Google Cloud's Organization Policy services could be used to programmatically block overly permissive firewall rules from ever being created, for example.

"In a world where exploitation is measured in hours, our defenses must be as automated as the attacks," she says.

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.