
Cloud-based attacks are frequently linked to weak login details, according to new research.

Attacks on cloud environments during the first half of 2024 were most often initiated through weak or missing credentials, according to a Google Cloud analysis.

Google Cloud's latest Threat Horizons Report identifies weak or absent credentials as the primary cause of network intrusions in cloud systems during the first half of 2025, accounting for 47.1% of incidents.

The report further highlights that misconfigurations and API/UI compromises follow closely, accounting for 29.4% and 11.8% of incidents respectively. This trend underscores the persistent issue of poor identity governance in cybersecurity, a concern that has been raised by professionals, threat hunters, and incident response firms for years.

The use of legitimate credentials or brute-force attacks to gain initial access has been a common tactic in ransomware attacks. According to cybersecurity firm Mandiant, this approach was used in nearly 40% of the ransomware attacks they responded to last year.

One such instance was the ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. The attackers used stolen credentials for a Citrix remote access server whose portal did not have Multi-Factor Authentication (MFA) enabled.

Similarly, in a spree of attacks in April, more than 100 Snowflake customer environments were targeted, resulting in massive data breaches at AT&T, Advance Auto Parts, and Pure Storage, among others. In these cases, Snowflake customers' credentials were obtained from multiple infostealer malware infections on non-Snowflake owned systems.

Interestingly, the number of attacks using weak or no credentials decreased slightly from the second half of 2023 to the first half of 2024. However, misconfigurations increased significantly as an initial access vector for cloud environment attacks during the same period. Misconfigurations were the initial access vector for 30% of all cloud environment attacks in the first half of 2024, a significant increase from the second half of 2023.

Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, asking the question: "Are we a target?" The findings from Google Cloud's report serve as a stark reminder that the answer to this question often lies in the management of credentials and configurations.

Moreover, IBM X-Force's annual Threat Intelligence Index for 2022 stated that valid account compromises accounted for almost one-third of global cyberattacks last year. Similarly, the Cybersecurity and Infrastructure Security Agency attributed more than half of all attacks on critical infrastructure networks and state and local agencies in 2022 to the use of valid account credentials.

These findings underscore the importance of implementing strong identity governance practices, including the use of strong and unique passwords, regular audits, and the enforcement of least privilege principles. Additionally, the use of MFA and strict configuration controls can significantly reduce the risk of network intrusions.

As we move forward, it is crucial for organisations to prioritise cybersecurity measures, especially in the realm of cloud systems, to protect against these persistent threats.

  1. Google Cloud's Threat Horizons Report indicates that the use of weak or absent credentials is the primary cause of network intrusions in cloud systems, accounting for a significant 47.1% of incidents.
  2. Ransomware attacks often use legitimate credentials or brute-force attacks to gain initial access, a tactic that was used in nearly 40% of the ransomware attacks responded to by Mandiant last year.
  3. In April 2025, more than 100 Snowflake customer environments were targeted, resulting in massive data breaches, and in these cases, Snowflake customers' credentials were obtained from multiple infostealer malware infections on non-Snowflake owned systems.
  4. The importance of implementing strong identity governance practices, including the use of strong and unique passwords, regular audits, the enforcement of least privilege principles, and the use of Multi-Factor Authentication (MFA) and strict configuration controls, is emphasized to reduce the risk of network intrusions, particularly in the realm of cloud systems.