Google Cloud Security has released its H1 2025 Threat Horizons Report. This iteration of the report gives cloud security professionals a deeper understanding of the threat landscape, with intelligence and actionable risk mitigations from Google’s security experts.
Cloud environments face an evolving threat from actors who prioritise data exfiltration, exploit identity as the new perimeter, and adapt their tactics to evade detection and attribution. Ransomware and data threats in the cloud are not new. In February 2024, Google Cloud security and intelligence experts highlighted trends in the Threat Horizons Report, including threat actors prioritising data exfiltration over encryption and exploiting server-side vulnerabilities.
Google’s experts cited ransomware and data theft incidents or associated risks in cloud environments in the ten previous Threat Horizons Reports. Despite the ongoing presence of ransomware and data theft risks, the trends Google observed in the last half of 2024 reveal a concerning shift. Threat actors are not only refining their tactics, techniques, and procedures within cloud environments, but they are also becoming more adept at obscuring their identities.
This evolution makes it harder for defenders to counter their attacks and increases the likelihood of ransom payments. Recognising our shared fate in defending against evolving cloud threats, this updated Google Cloud Threat Horizons Report delivers timely analysis and actionable mitigations for the recent ransomware and data theft trends that our security and threat intelligence experts have identified, and are disrupting, in the current threat landscape, including:
- Risks to service accounts: Google Cloud research shows that over-privileged service accounts and lateral movement tactics are increasingly significant threats, even though credential and misconfiguration issues remain common for initial access;
- Identity exploitation: Compromised user identities in hybrid environments can lead to persistent access and lateral movement between on-premises and cloud environments, subsequently resulting in multifaceted extortion;
- Cloud databases are under attack: Threat actors are actively exploiting vulnerabilities and weak credentials to access sensitive information;
- Increased adaptability: Threat actors are leveraging Ransomware-as-a-Service offerings and adjusting tactics to evade detection and attribution;
- Diversified attack methods: A threat actor group we track as TRIPLESTRENGTH uses privilege escalation, including charging against victim billing accounts to maximise profits from compromised accounts; and
- Increasingly sophisticated data theft and extortion in the cloud: Threat actors are bypassing multifactor authentication in cloud-based services to compromise accounts, and are using aggressive communication strategies with victims to maximise their profits.
To stay ahead of the curve in 2025, a robust cloud security strategy must prioritise data exfiltration and identity protection. The updated report provides cloud security decision-makers with the latest intelligence on threat actor tactics and actionable mitigations to better inform cloud data security strategies.
You can read the full report here.