Tuesday 07 July 2026 05:49:05 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cloud, SaaS & Identity Security

Cloud of Danger: How Weak Credentials and Misconfigurations Threaten the Backbone of Modern Infrastructure

Published: 10 March 2026 17:40Category: Cloud, SaaS & Identity SecurityAuthor: SECPULSE

Subtitle: Identity gaps and cloud missteps open the door to cybercriminals targeting critical systems, Google Cloud warns.

It’s a digital arms race in the cloud, and critical infrastructure is caught in the crossfire. As organizations race to modernize, fresh data from Google Cloud reveals that many are still tripping over old security mistakes-leaving the digital doors wide open for increasingly sophisticated attackers. The stakes? Not just data, but the power grids, recovery systems, and financial lifelines that keep the world running.

Fast Facts

  • 47.1% of cloud security incidents traced to weak or absent credentials in H1 2025.
  • Misconfigurations accounted for 29.4% of initial cloud compromises, with APIs/UI at 11.8%.
  • Attackers now routinely abuse legitimate cloud services to hide malware and evade detection.
  • Ransomware gangs increasingly target backup and recovery platforms to cripple organizations’ ability to recover.
  • Google Cloud recommends isolated recovery environments and continuous monitoring for resilience.

While attackers are refining their techniques, defenders seem stuck in a loop of basic errors. According to Google Cloud’s ‘Cloud Threat Horizons Report H2 2025,’ nearly half of all observed cloud breaches began with weak or missing credentials-passwords that are easy to guess, or worse, posted online for all to see. Misconfigurations, like leaving storage buckets open to the public or neglecting to restrict API access, remain a close second.

Threat actors, including financially motivated ransomware groups and state-backed spies, are exploiting these gaps in ever more cunning ways. Google’s analysts describe attackers leveraging stolen session cookies to bypass multifactor authentication, using cloud storage to host decoy files that trigger malware, and moving laterally within networks to steal even more access keys and sensitive data.

The arms race is evolving. Google notes a worrying uptick in attackers leveraging leaked credentials found on dark web forums-representing an urgent risk that simple password resets won’t fix. Even as misconfiguration and API attack rates dipped slightly compared to late 2024, credential-based attacks are absorbing the slack, underscoring the need for rapid detection and automated defense mechanisms.

The threat doesn’t end at initial compromise. Ransomware crews like UNC2165, UNC4393, and UNC2465 have been observed targeting not just production data, but backup systems and disaster recovery environments. Their aim: wipe out an organization’s last lifeline, prolonging downtime and maximizing extortion leverage. Google’s report details how these attacks disrupt not only data, but fundamental services like DNS, Active Directory, and virtualization platforms-turning recovery into a logistical nightmare.

In response, Google Cloud is pushing for a fundamental shift in security architecture: isolated, cloud-native recovery environments that keep backups immutable and separated from production networks. Coupled with continuous monitoring, strict identity controls, and AI-driven threat detection, this “defense in depth” could mean the difference between a quick recovery and catastrophic business paralysis.

But the biggest lesson may be cultural. Google advocates for a “shared fate” model, urging utilities, data centers, and cloud providers to break down silos and collaborate on security, recognizing that a single weak link can jeopardize everyone.

As the cloud becomes the new battleground for critical infrastructure, organizations can no longer afford to treat security as an afterthought. The threats are evolving-and so must our defenses, before the next breach takes the lights out for good.

WIKICROOK

  • Identity and Access Management (IAM): Identity and Access Management (IAM) uses tools and policies to control who or what can access digital resources, ensuring only authorized users gain entry.
  • Misconfiguration: Misconfiguration is a setup error in systems or software that leaves them vulnerable to cyberattacks, like accidentally leaving a door unlocked.
  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Cloud Isolated Recovery Environment (CIRE): A CIRE is a secure, isolated cloud environment for storing critical backups, enabling safe data recovery after cyberattacks like ransomware.
  • Session Cookie: A session cookie is a temporary file in your browser that keeps you logged into a website; if stolen, it can let others access your account.