Google Cloud’s latest Threat Horizons report is out, and it paints a picture that should make every CISO pay attention. The report, published as part of Google’s Cloud CISO Perspectives series, identifies the most pressing threats targeting cloud infrastructure and spells out what defenders should prioritize. No fluff. Just hard data from Google’s threat intelligence teams.
The core message: attackers aren’t breaking down the front door. They’re walking through it with stolen credentials.
Credential Compromise Remains the Top Attack Vector
This won’t shock seasoned security professionals, but the data reinforces what many have suspected. Weak or stolen credentials continue to be the primary way adversaries gain initial access to cloud environments. According to the report, over-privileged service accounts and a lack of multi-factor authentication (MFA) are the most exploited gaps. Google’s Threat Intelligence Group and Mandiant both contributed findings to the report, lending serious weight to the conclusions.
And it’s not just external attackers. Misconfigurations by internal teams — granting excessive permissions, failing to rotate keys, leaving service accounts exposed — create openings that threat actors are happy to exploit. The report specifically flags service account key abuse as a persistent problem. Organizations keep generating long-lived credentials when short-lived alternatives exist. It’s a solvable problem that too many teams ignore.
So what’s driving this? Part of it is complexity. Cloud environments grow fast. Teams spin up resources, assign permissions on the fly, and move on to the next sprint. Security hygiene gets deprioritized. The Threat Horizons report makes clear that this operational debt is exactly what adversaries count on.
Google also highlighted that cryptomining remains a dominant post-compromise activity. Once attackers gain access — often through those same weak credentials — they deploy mining operations that can rack up massive compute bills before anyone notices. The report notes that in many observed incidents, compromised cloud instances were used for cryptomining within 22 seconds of exploitation. Twenty-two seconds. That’s faster than most alerting pipelines can respond.
Misconfiguration and the Human Factor
Beyond credentials, the report zeroes in on misconfigurations as a systemic issue. Publicly exposed storage buckets, overly permissive firewall rules, and unmonitored API endpoints all made the list. These aren’t novel attack surfaces — they’ve been documented for years — but the frequency with which they appear in real-world breaches suggests the industry still hasn’t internalized the lessons.
One particularly notable finding: attackers are increasingly targeting cloud-native services directly. Not just VMs. Think serverless functions, managed databases, and identity platforms. As organizations adopt more managed services, the attack surface shifts. Defenders need to shift with it.
The human factor looms large throughout the report. Phishing campaigns tailored to cloud administrators. Social engineering aimed at extracting access tokens. Insider threats, both malicious and accidental. Google’s data suggests that organizations investing in security awareness training specifically for cloud operations teams see measurably better outcomes. But most training programs still treat cloud security as an afterthought bolted onto general cybersecurity curricula.
Phil Venables, Google Cloud’s CISO, framed the report’s findings in the broader context of organizational risk. His commentary in the Cloud CISO Perspectives blog post emphasizes that security teams need to adopt a continuous improvement mindset rather than treating cloud security as a one-time configuration exercise. The threats evolve. Defenses must too.
Google recommends several concrete steps: enforce MFA everywhere, audit service account permissions regularly, implement least-privilege access models, and enable logging across all cloud services. Basic stuff. But the gap between knowing what to do and actually doing it at scale remains enormous.
The report also touches on state-sponsored activity targeting cloud infrastructure, though specifics are limited. Mandiant’s ongoing tracking of APT groups — particularly those linked to North Korea and Russia — confirms that nation-state actors are actively probing cloud environments for intelligence collection and operational disruption. This isn’t hypothetical. It’s happening now, across industries and geographies.
For security leaders, the takeaway is straightforward. The threats haven’t fundamentally changed. Credentials. Misconfigurations. Human error. What has changed is the speed and scale at which attackers operate. And the consequences of inaction keep getting more expensive.
Read the full report through Google Cloud’s security blog. If you’re responsible for cloud infrastructure, it should be required reading for your team this week.


WebProNews is an iEntry Publication