The digital landscape is evolving at a breakneck pace, and nowhere is that more evident than in the realm of cloud security. A new report from Google's security analysts reveals that cybercriminals are leveraging artificial intelligence to find and exploit vulnerabilities faster than ever before. The window between a vulnerability being disclosed and it being used in mass attacks has collapsed from weeks to just days. This speed shift means that businesses of all sizes must rethink their security strategies or risk being caught off guard.

The Speed of Modern Cloud Attacks

Google's Cloud Threat Horizons Report, based on observations from the second half of 2025, paints a stark picture. The core infrastructure of major cloud providers like Google Cloud, Amazon Web Services, and Microsoft Azure remains well fortified. Instead, attackers are targeting weak points in third-party software that businesses rely on every day. These are the plugins, libraries, and open-source tools that often lack the same level of security scrutiny as the main platforms.

One striking example involves a critical remote code execution vulnerability in React Server Components, a widely used JavaScript library. Dubbed React2Shell, this flaw was weaponized within 48 hours of its public disclosure. Another incident centered on the XWiki Platform, where a patch had been available since June 2024 but was not widely deployed. By November 2025, crypto mining gangs were actively exploiting the unpatched vulnerability, demonstrating how slow patching cycles can leave businesses exposed for months.

Perhaps the most dramatic case involves a North Korean state-sponsored group known as UNC4899. They targeted a developer by tricking them into downloading a malicious archive under the guise of an open source collaboration. The developer transferred the file from their personal device to a corporate workstation via Airdrop. Using an AI-assisted development environment, the victim interacted with the archive, unknowingly executing embedded Python code that installed backdoor access. This foothold allowed the attackers to steal millions of dollars in cryptocurrency from Kubernetes workloads. The entire chain of events—from initial lure to data theft—unfolded within 72 hours.

Identity Compromise Takes Center Stage

Another key finding is the shift away from brute-force password attacks toward more sophisticated identity exploitation. The report breaks down the methods: 17% of incidents involved voice-based social engineering (vishing), 12% used email phishing, 21% leveraged compromised trusted relationships with third parties, and another 21% involved stolen human or non-human identities. Misconfigured application and infrastructure assets accounted for 7% of breaches.

These numbers underscore a troubling trend: attackers are increasingly bypassing technical defenses by targeting people and processes. For example, an attacker might call an employee pretending to be from IT support, asking for a one-time passcode. Or they might compromise a vendor's system to gain access to a larger organization. The report also highlights a rise in insider threats, where employees, contractors, or interns intentionally or accidentally send confidential data outside the organization. The most rapidly growing method of data exfiltration is through consumer-focused cloud storage services like Google Drive, Dropbox, and OneDrive—services that are often unmonitored by corporate security teams.

Adding to the challenge, attackers are not always rushing to extort their victims. The report notes that 45% of intrusions resulted in data theft without immediate extortion attempts. These cases are characterized by prolonged dwell times and stealthy persistence, meaning that attackers can lurk inside a network for weeks or months, siphoning data gradually.

Four Steps Businesses Must Take Now

For small and medium-sized businesses without dedicated security teams, the report's general recommendations can be distilled into four actionable items. These are not just technical fixes but strategic approaches that should be integrated into daily operations.

1. Automate Patching and Updates

The first and most critical step is to ensure all software, especially third-party applications, is updated automatically. Manual patching cycles that run monthly or quarterly are no longer sufficient when attackers are exploiting bugs within 48 hours. Businesses should use patch management tools that can push updates as soon as they are released. For open-source components that are not automatically updated, consider using software composition analysis tools to track vulnerabilities.

2. Strengthen Identity and Access Management

Multi-factor authentication (MFA) is no longer optional—it is a baseline requirement. But IAM goes beyond just passwords and MFA. Businesses should implement least-privilege access, ensuring that users and applications have only the permissions they need to perform their tasks. Regularly review and revoke unused accounts, especially those belonging to former employees or contractors. For cloud environments, use identity federation and conditional access policies to restrict access based on location, device, and behavior.

3. Monitor for Unusual Activity

Most attacks exhibit some form of anomalous behavior, whether it's a sudden spike in data downloads, access from an unfamiliar IP address, or unusual file movements. Small businesses can implement simple monitoring tools that alert on these patterns. For insider threats, focus on detecting large-scale exfiltration to personal cloud storage services. Cloud access security brokers (CASBs) can help monitor and control the use of sanctioned and unsanctioned cloud apps.

4. Prepare an Incident Response Plan

When an intrusion occurs, the first few hours are critical. Organizations that have an incident response plan in place can contain the damage far more effectively than those that scramble to assemble resources. The plan should outline steps for isolating affected systems, preserving evidence, notifying stakeholders, and engaging external forensic experts if needed. For small businesses without in-house expertise, pre-negotiating a retainer with a managed security service provider can save precious time.

Why Traditional Defenses Are Falling Short

The rise of AI-powered attacks has fundamentally changed the security landscape. Attackers can now automate vulnerability scanning, craft convincing phishing emails, and even mimic legitimate user behavior to evade detection. Traditional rule-based security tools are struggling to keep up, which is why the report emphasizes the need for AI-augmented defenses. Machine learning models can analyze vast amounts of data in real time, identifying patterns that would be invisible to human analysts.

Businesses should also consider adopting a zero-trust architecture, which assumes that no user or device is inherently trustworthy, even if they are inside the network perimeter. Zero-trust principles, combined with continuous monitoring and adaptive access controls, can significantly reduce the blast radius of a successful attack.

The cloud offers incredible flexibility and scalability, but it also introduces new risks that evolve rapidly. The message from Google's report is clear: attackers are using AI to move faster, so defenders must do the same. By automating patching, strengthening identity controls, monitoring diligently, and having a response plan ready, even small businesses can build a resilient defense. The key is to act now—before the next vulnerability disclosure becomes the next headline.

Source: ZDNET News