
Cloud attacks are getting faster and deadlier - 4 ways to secure your business

May 25, 2026  Twila Rosenbaum

The digital threat landscape is evolving at an alarming rate. According to Google's latest Cloud Threat Horizons Report, published in March 2026, cybercriminals are now leveraging artificial intelligence to accelerate attacks, compressing the time between vulnerability disclosure and mass exploitation from weeks to just days. This shift demands an equally rapid response from businesses of all sizes.

The report, compiled by Google Cloud Security's team of investigators and engineers, covers observations from the second half of 2025. It highlights a stark reality: while core cloud infrastructure from providers like Google Cloud, Amazon Web Services, and Microsoft Azure remains well-protected, attackers have shifted their focus to weaker targets: third-party software, identity systems, and insider threats. The result is a new breed of faster, more sophisticated, and more damaging cloud attacks.

The speed of exploitation is accelerating

Perhaps the most alarming finding in the report is the dramatic collapse in the time it takes for a publicly disclosed vulnerability to be weaponized. Google's security teams observed that the window between vulnerability disclosure and mass exploitation fell by an order of magnitude, from weeks to days. In some cases, attacks began within 48 hours of a public disclosure.

One example involves a critical remote code execution (RCE) vulnerability in React Server Components, part of React, the widely used JavaScript library for building user interfaces. The vulnerability, designated CVE-2025-55182 and nicknamed React2Shell, was being exploited within two days of its disclosure against applications that had not yet been updated.

Another case centered on a vulnerability in the XWiki Platform (CVE-2025-24893). A fix had been available since June 2024, but many organizations never applied it. By November 2025, more than a year later, crypto-mining gangs and other threat actors were exploiting it at scale. The two cases bracket the problem: the window after disclosure is now measured in days, yet a known bug with a fix available stays exploitable for as long as it is left unpatched. The report underscores that patching delays are a primary enabler of these attacks.

Third-party code: The new attack vector

Today's cloud attacks rarely target the core infrastructure of major providers. Instead, threat actors – including criminal gangs and state-sponsored groups, notably from North Korea – are exploiting vulnerabilities in third-party code and open-source components that run on top of these platforms. The report details several such incidents, with victims anonymized but the tactics clearly described.

One incident involved a state-sponsored group known as UNC4899, believed to be from North Korea. The attackers targeted a developer with a malicious archive file disguised as an open-source collaboration project. The developer, lured by a fake collaboration request, downloaded the file onto his personal device and then transferred it to his corporate workstation via Apple's AirDrop, a path that corporate email and web controls never see. Using an AI-assisted integrated development environment (IDE), he interacted with the archive and eventually executed the malicious Python code embedded in it. That code spawned a binary masquerading as kubectl, the Kubernetes command-line tool, which beaconed to attacker-controlled domains and gave UNC4899 a foothold in the corporate network. From there, the group took over Kubernetes workloads to steal millions of dollars in cryptocurrency.

Another incident began with a compromised Node Package Manager (npm) package. The package stole a developer's GitHub token, which was then used to access an Amazon Web Services account. The attackers exfiltrated files from an AWS S3 bucket and then deleted the originals. This entire operation unfolded within 72 hours.

Identity attacks: The preferred method

Brute-forcing weak passwords is giving way to more sophisticated identity-based attacks. Google's report found that 21% of incidents involved compromised trusted relationships with third parties, and another 21% involved stolen human and non-human identities (such as API keys and service accounts). Voice-based social engineering (vishing) was used in 17% of cases and email phishing in 12%. Improperly configured application and infrastructure assets accounted for 7%.

The report also highlights the growing problem of malicious insiders. Employees, contractors, consultants, and interns are increasingly using consumer-focused cloud storage services like Google Drive, Dropbox, Microsoft OneDrive, and Apple iCloud to exfiltrate data. Google Cloud Security describes this as "the most rapidly growing means of exfiltrating data from an organization."

What's more, attackers are often patient. The report notes that 45% of intrusions resulted in data theft without immediate extortion attempts, characterized by prolonged dwell times and stealthy persistence. This means businesses may be compromised for weeks or months before realizing it.

Why AI-powered defenses are essential

Google's report explicitly states that the best defense against AI-powered attacks is AI-augmented defense. Automated systems can detect unusual activity, identify potential threats more quickly than human analysts, and respond in real time. The report recommends that organizations turn to more automatic defenses, including AI-driven anomaly detection and automated incident response.

For large enterprises with dedicated security teams, the report offers detailed advice tailored to Google Cloud customers and general guidance for multi-cloud environments. However, small and medium-sized businesses (SMBs) often lack such resources. The report's recommendations can be distilled into four actionable steps for SMBs.

Step 1: Step up your patching game

With exploitation windows shrinking to days, businesses must ensure that software is updated automatically. That means not only operating systems and databases but also third-party libraries, open-source components, and the tools development teams use. Libraries are the hard case: a dependency is only updated when the application that bundles it is rebuilt and redeployed, so the build pipeline itself has to pull in fixed versions and ship them without waiting for someone to schedule a patch window. Automated patch management that applies critical updates within hours of release is essential.

Consider the React2Shell vulnerability: the attacks began within 48 hours of disclosure. A business that manually reviews and schedules patches could easily miss that window. Automated patching removes human delays and ensures protection is applied quickly.
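The following is an added example, not tooling from Google's report or from the ZDNET article, of the kind of check a build pipeline can run to close that window without a human in the loop. It reads a package-lock.json style inventory, matches it against an advisory feed, and reports the upgrade that closes each gap so a CI job can fail the build. It also covers the software composition analysis (SCA) inventory point made in the closing section. The lockfile, the advisory IDs (EXAMPLE-2025-*) and the package names are constructed for the example; none of them are real npm packages or real CVEs.

```python
"""Dependency advisory check: flag installed versions that sit inside an
advisory's affected range and report the release that fixes them.

Added example; the lockfile, advisory feed and package names below are
constructed and hypothetical, not real packages or real CVEs."""
import json

# Constructed lockfile excerpt in the package-lock.json v3 shape.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-ui-server": {"version": "19.1.1"},
    "node_modules/example-ui-client": {"version": "19.2.1"},
    "node_modules/example-wiki-search": {"version": "15.10.8"},
    "node_modules/example-logger": {"version": "4.0.2"}
  }
}
""")

# Constructed advisory feed.  Many projects ship one fixed release per
# supported MAJOR.MINOR line, so each entry carries a list of fixed
# versions plus the first affected version.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "package": "example-ui-server", "severity": "critical",
     "affected_from": "19.0.0", "fixed": ["19.0.1", "19.1.2", "19.2.1"]},
    {"id": "EXAMPLE-2025-0002", "package": "example-wiki-search", "severity": "critical",
     "affected_from": "0.0.0", "fixed": ["15.10.11", "16.4.1"]},
]


def parse_version(text):
    """'19.1.1' -> (19, 1, 1); a pre-release suffix such as '-rc.1' is dropped."""
    parts = text.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def fix_for(installed, advisory):
    """Return the version to upgrade to if `installed` is affected, else None.

    Fix selection: prefer the fixed release on the same MAJOR.MINOR line (a
    patch-level upgrade).  If the installed line has no fix of its own and is
    older than every fixed line, point at the newest fix.  A line newer than
    every fix is taken to have shipped after the advisory and is not flagged."""
    v = parse_version(installed)
    if v < parse_version(advisory["affected_from"]):
        return None
    fixes = sorted(parse_version(f) for f in advisory["fixed"])
    same_line = [f for f in fixes if f[:2] == v[:2]]
    if same_line:
        return ".".join(map(str, same_line[0])) if v < same_line[0] else None
    if v < fixes[-1]:
        return ".".join(map(str, fixes[-1]))
    return None


def scan(lockfile, advisories):
    """Match every installed package against the advisory feed."""
    installed = {}
    for path, meta in lockfile["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        installed[path.split("node_modules/")[-1]] = meta["version"]
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue
        fix = fix_for(version, adv)
        if fix:
            findings.append({"package": adv["package"], "installed": version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "upgrade_to": fix})
    return findings


def should_block(findings, fail_on=("critical", "high")):
    """CI gate: True when any finding is at or above the configured severity."""
    return any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(LOCKFILE, ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper():8} {f['package']} {f['installed']} "
              f"-> upgrade to {f['upgrade_to']} ({f['advisory']})")
    raise SystemExit(1 if should_block(results) else 0)
```

Run against a real lockfile and a real feed (the GitHub Advisory Database or OSV publish the affected and fixed versions this logic needs), the non-zero exit code is what turns "someone should patch this" into a blocked deploy; the remaining human step is merging the upgrade, which dependency bots can open automatically.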

Step 2: Strengthen Identity and Access Management (IAM)

The shift toward identity-based attacks underscores the importance of robust IAM practices. Multi-factor authentication (MFA) should be mandatory for all users, especially those with administrative access, and, given that vishing and phishing together accounted for 29% of the incidents in the report, it should be a phishing-resistant method such as a FIDO2 security key or passkey rather than a one-time code that a caller can talk a user into reading out. Beyond that, businesses must enforce the principle of least privilege: users and services get only the permissions they need to perform their tasks, and nothing more.

Regular audits of permissions, monitoring for anomalous access patterns, and adopting zero-trust architectures can significantly reduce the risk of identity compromise. Non-human identities (service accounts, API keys) deserve the same scrutiny: rotate long-lived keys automatically, remove keys that are never used, scope each identity to the resources it actually touches, and where the platform supports it prefer short-lived credentials issued at runtime over static keys that can be lifted from a developer's machine, as in the npm incident above.
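Two of those audits can be scripted. The following is an added example, not code from Google's report or the article: a linter that flags Allow statements wider than least privilege in an AWS-style IAM policy document, and a credential-age check for non-human identities. The policies, the key inventory, the `svc-*` naming, the 90-day rotation and 30-day unused thresholds, and the list of "sensitive" actions are all constructed assumptions for the example, not an official or exhaustive set.

```python
"""IAM hygiene checks: an over-broad policy linter and a key-rotation check.

Added example with constructed input.  The SENSITIVE_ACTIONS list, the
thresholds and the key inventory are assumptions for illustration."""
import fnmatch
from datetime import datetime, timezone

# Actions that should never sit on Resource "*" without a second look.
# Constructed for the example; a real list is tuned per organization.
SENSITIVE_ACTIONS = ["iam:*", "sts:AssumeRole", "kms:Decrypt", "kms:ScheduleKeyDeletion",
                     "s3:DeleteObject", "s3:PutBucketPolicy", "secretsmanager:GetSecretValue"]

# Constructed: the weak grant beside the scoped one (the scoped policy still
# carries one mistake, iam:PassRole on every resource, so the linter has work).
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding) pairs for Allow grants wider than least privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
            elif "*" in resources and any(
                    fnmatch.fnmatch(action, pat) or fnmatch.fnmatch(pat, action)
                    for pat in SENSITIVE_ACTIONS):
                findings.append((i, f"sensitive action {action!r} granted on all resources"))
    return findings


# Constructed key inventory for non-human identities (the svc- prefix is an
# assumed naming convention).  Timestamps are ISO 8601 in UTC.
KEYS = [
    {"principal": "svc-ci-deployer", "key_id": "key-01",
     "created": "2026-03-10T00:00:00Z", "last_used": "2026-05-24T09:12:00Z"},
    {"principal": "svc-legacy-backup", "key_id": "key-02",
     "created": "2025-08-01T00:00:00Z", "last_used": "2026-05-20T02:00:00Z"},
    {"principal": "svc-analytics-export", "key_id": "key-03",
     "created": "2026-04-01T00:00:00Z", "last_used": None},
]
NOW = datetime(2026, 5, 25, tzinfo=timezone.utc)  # fixed so the example is reproducible


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_keys(keys, now, max_age_days=90, unused_days=30):
    """Keys due for rotation (older than max_age_days) or removal (unused
    for unused_days, or never used since creation)."""
    flagged = []
    for k in keys:
        age = (now - _parse(k["created"])).days
        reasons = []
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds {max_age_days}d: rotate")
        if k["last_used"] is None:
            if age > unused_days:
                reasons.append(f"never used in {age}d: remove")
        elif (idle := (now - _parse(k["last_used"])).days) > unused_days:
            reasons.append(f"idle {idle}d: remove")
        if reasons:
            flagged.append((k["principal"], k["key_id"], reasons))
    return flagged


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        for idx, finding in lint_policy(pol):
            print(f"{name} policy, statement {idx}: {finding}")
    for principal, key_id, reasons in stale_keys(KEYS, NOW):
        print(f"{principal} {key_id}: {'; '.join(reasons)}")
```

The linter is deliberately strict about `Resource: "*"` only for sensitive actions; read-only listing on every resource is a judgement call, a blanket `iam:*` is not. The key check treats "never used" as a finding too, because an unused key is pure attack surface.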

Step 3: Monitor the network

Even with strong defenses, some attacks will slip through. Continuous network monitoring is essential to detect unusual activity and data movement. Look for behavioral anomalies: a service account that suddenly accesses an unusual amount of data, a user logging in at odd hours, or large outbound transfers to unknown IPs.

Insider threats can be detected by monitoring for unauthorized transfers to consumer cloud storage services. Additionally, businesses should invest in security information and event management (SIEM) systems that aggregate logs from multiple sources and apply AI-driven analysis to identify subtle patterns that might indicate a breach.
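The behaviours listed in this step translate directly into detection rules. The following is an added example, not code from Google's report or the article, that runs four such rules over a constructed batch of JSON-lines events: off-hours logins by human users, egress volume far above a per-principal baseline, uploads to the consumer cloud storage services the report names, and transfers to destinations outside an egress allowlist. The event format, the `svc-*` naming for service accounts, the 07:00-19:59 UTC business-hours window, the baselines, the allowlist and the 5x volume threshold are all assumptions for the example.

```python
"""Behavioural detections over a constructed batch of cloud audit events.

Added example.  Event schema, baselines, allowlist and thresholds are
assumptions; real deployments derive the baseline from history."""
import json
from collections import defaultdict
from datetime import datetime

# Consumer storage services named in the report; matched on host or subdomain.
CONSUMER_STORAGE = ("drive.google.com", "dropbox.com", "onedrive.live.com", "icloud.com")
# Assumed egress allowlist for this example environment.
KNOWN_EGRESS = {"api.partner.example", "backup.internal.example"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed
# Constructed per-principal baseline: typical daily egress in bytes.
BASELINE_BYTES = {"svc-report-export": 50_000_000, "alice": 20_000_000, "bob": 20_000_000}

# Constructed events (TEST-NET addresses; 203.0.113.77 plays the unknown destination).
EVENTS = """
{"ts": "2026-05-24T09:05:00Z", "principal": "alice", "kind": "login", "src_ip": "198.51.100.10"}
{"ts": "2026-05-24T03:12:00Z", "principal": "bob", "kind": "login", "src_ip": "198.51.100.23"}
{"ts": "2026-05-24T10:00:00Z", "principal": "svc-report-export", "kind": "transfer", "bytes": 48000000, "dest": "backup.internal.example"}
{"ts": "2026-05-24T10:40:00Z", "principal": "svc-report-export", "kind": "transfer", "bytes": 900000000, "dest": "203.0.113.77"}
{"ts": "2026-05-24T11:15:00Z", "principal": "alice", "kind": "upload", "bytes": 350000, "dest": "www.dropbox.com"}
{"ts": "2026-05-24T14:30:00Z", "principal": "bob", "kind": "transfer", "bytes": 2000000, "dest": "api.partner.example"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def is_consumer_storage(host):
    return any(host == d or host.endswith("." + d) for d in CONSUMER_STORAGE)


def _alert(rule, principal, detail):
    return {"rule": rule, "principal": principal, "detail": detail}


def detect(events, baseline=BASELINE_BYTES, volume_factor=5):
    """Apply the four rules; returns a list of alert dicts."""
    alerts = []
    egress = defaultdict(int)
    for e in events:
        p = e["principal"]
        human = not p.startswith("svc-")  # assumed naming convention
        if e["kind"] == "login" and human and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(_alert("off_hours_login", p,
                                 f"login at {e['ts']:%H:%M} UTC from {e['src_ip']}"))
        if e["kind"] in ("upload", "transfer"):
            dest, size = e["dest"], e["bytes"]
            egress[p] += size
            if is_consumer_storage(dest):
                alerts.append(_alert("consumer_storage_upload", p, f"{size} bytes to {dest}"))
            elif dest not in KNOWN_EGRESS:
                alerts.append(_alert("unknown_destination", p, f"{size} bytes to {dest}"))
    # Volume rule runs over the whole batch so split transfers still add up.
    for p, total in egress.items():
        expected = baseline.get(p)
        if expected and total > volume_factor * expected:
            alerts.append(_alert("volume_anomaly", p,
                                 f"{total} bytes vs baseline {expected} ({total / expected:.1f}x)"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(EVENTS)):
        print(f"[{a['rule']}] {a['principal']}: {a['detail']}")
```

Two of the four alerts here land on the same service account (an unknown destination and a volume spike), which is the pattern a SIEM correlation rule should promote above the individual signals: a non-human identity moving nineteen times its normal volume to an address nobody allowlisted looks much more like the AWS S3 exfiltration described earlier than like a noisy batch job.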

Step 4: Have an incident response plan ready

The first few hours after a breach are critical. Without a tested incident response plan, organizations can waste precious time scrambling to assemble resources. A good plan should include predefined roles and responsibilities, communication protocols, and step-by-step procedures for containment, eradication, and recovery.

Regular tabletop exercises can help ensure the team is familiar with the plan. For SMBs without in-house security expertise, partnering with a managed detection and response (MDR) provider can fill the gap. These providers can offer 24/7 monitoring, forensic analysis, and rapid response capabilities that would otherwise be prohibitively expensive.

The broader context: AI and cybersecurity

The findings from Google's report are part of a larger trend. As artificial intelligence becomes more accessible, both defenders and attackers are leveraging it. Attackers use AI to automate vulnerability scanning, craft more convincing phishing emails, and generate malicious code that can evade traditional signature-based defenses. Defenders, in turn, use AI to analyze vast amounts of data, detect patterns, and automate responses.

The speed of this arms race is unprecedented. Five years ago, the window between vulnerability disclosure and exploitation was measured in weeks or months. Now it's measured in days. This means that traditional approaches to security—where the focus is on manual patching, periodic audits, and reactive incident response—are no longer sufficient. Businesses must embrace a proactive, automated approach.

Furthermore, the targeting of third-party code represents a fundamental shift in the attack surface. Open-source libraries and npm packages are the building blocks of modern cloud applications, but they also introduce risk. The software supply chain has become a prime target, as demonstrated by incidents like the compromised npm package that led to AWS S3 data theft inside 72 hours. Businesses need to implement software composition analysis (SCA) tools to inventory all third-party components and monitor for known vulnerabilities.

Identity-based attacks also reflect a deeper problem: the blurring of traditional network perimeters. With remote work, cloud services, and third-party integrations, the concept of a trusted internal network has largely vanished. Zero-trust architectures, which assume that no user or device is trustworthy by default, are becoming essential.

For SMBs, the challenge is daunting but not insurmountable. The four steps outlined above provide a practical framework. But beyond that, the most important decision is to take action now. Waiting until after an attack is too late; the cost of a breach—in terms of financial loss, reputational damage, and customer trust—far outweighs the investment in prevention.

Google's report makes it clear that the threat is real and accelerating. The question is not whether a business will be targeted, but when. Those that have prepared with automated defenses, strong identity management, network monitoring, and a tested incident response plan will be in a far better position to withstand the storm.


Source: ZDNET News

