惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

Security & Identity

Introducing k8s-aibom on GKE for automated AI bills of materials | Google Cloud Blog Contributing to U.K. financial sector resilience as a critical third party | Google Cloud Blog Meet the 33 cybersecurity startups joining the Gemini Startup Forum | Google Cloud Blog Drive proactive security, prioritize risks with Google Threat Intelligence and Wiz ASM | Google Cloud Blog Shift into high gear with agents: Securing the software-defined vehicle | Google Cloud Blog New IDC study: How Mandiant transforms security into a competitive advantage | Google Cloud Blog Google Cloud confirmed to offer a safer choice for EU public sector organizations with Dutch DPIA approval | Google Cloud Blog Cloud CISO Perspectives: How Google Cloud Security uses AI internally | Google Cloud Blog Securing agentic AI: What's new in VPC Service Controls | Google Cloud Blog Verifiable trust in the AI era: What’s new in Confidential Computing | Google Cloud Blog Choice, compliance, and collaboration: Europe’s path to open digital sovereignty | Google Cloud Blog Driving the UK’s next chapter: From AI potential to agentic reality | Google Cloud Blog Google named a Leader in IDC MarketScape SIEM 2026 Vendor Assessment | Google Cloud Blog Cloud CISO Perspectives: The 4 lessons that guided AI Threat Defense | Google Cloud Blog Powering the next era of Confidential AI Detecting and containing AI-powered threats with Google Security Operations agents Cloud CISO Perspectives: How to build an AI-ready security program for the public sector Introducing Google AI Threat Defense to help you outpace the adversary Cloud CISO Perspectives: How Google + Wiz changes multicloud strategy for CISOs Why cloud infrastructure is the foundation for digital health in 2026 Beyond source code: The files AI coding agents trust — and attackers exploit What's new in IAM: Security, governance, and runtime defense Google named a Leader in the 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies Introducing Agent Gateway ISV ecosystem for security and governance Cloud CISO Perspectives: At Next ‘26, why we’re multicloud and multi-AI Next ‘26: Redefining security for the AI era with Google Cloud and Wiz | Google Cloud Blog Introducing Google Cloud Fraud Defense, the next evolution of reCAPTCHA | Google Cloud Blog Next ‘26: Announcing new partner-supported workflows for Google Security Operations | Google Cloud Blog Cloud CISO Perspectives: How CISOs can pursue technical and cultural resilience (Q&A) | Google Cloud Blog Essential AI and cloud security now on by default Securing AI inference on GKE with Model Armor A Leader in Forrester Wave Sovereign Cloud Platform 2026 See beyond the IP and secure URLs with Google Cloud NGFW Cloud CISO Perspectives: RSAC: AI, security, and the workforce of the future How to build AI agents with Google-managed MCP servers Bringing dark web intelligence into the AI era RSAC ’26: Supercharging agentic AI defense with frontline threat intelligence IAP integration with Cloud Run Why context is the missing link in AI data security Welcoming Wiz to Google Cloud: Redefining security for the AI era Google named a Leader in IDC MarketScape: U.S. SLG Professional Security Services Introducing the Google Cloud recommended security checklist Cloud CISO Perspectives: How Google approaches critical security topics, from fundamentals to AI Sovereignty and European competitiveness: A partnership-led approach to AI growth Cloud CISO Perspectives: New AI threats report: Distillation, experimentation, and integration Delivering a secure, open, and sovereign digital world Introducing Single-tenant Cloud HSM for more data encryption control Cloud CISO Perspectives: 5 top CISO priorities in 2026
Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats
Bob Mechler, Crystal Lister · 2026-03-10 · via Security & Identity

Welcome to the first Cloud CISO Perspectives for March 2026. Today, Bob Mechler and Crystal Lister, from Google Cloud’s Office of the CISO, share cloud threat intelligence and analysis from our new Cloud Threat Horizons Report.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

Cloud Threat Horizons: From rapid exploitation to forensic readiness

By Bob Mechler, director, and Crystal Lister, security advisor, Office of the CISO

https://storage.googleapis.com/gweb-cloudblog-publish/images/Bob_Mechler.max-600x600.png

As we become more firmly entrenched in the AI era, the time it takes for defenders to mitigate a vulnerability before threat actors exploit it is shrinking fast. Google Cloud Security observed in the second half of 2025 that the window between a vulnerability disclosure and active exploitation collapsed from weeks to just days. This acceleration, fueled by threat actors using AI-assisted to rapidly probe targets and discover unpatched applications probing, means organizations should move beyond reactive, manual security — as soon as they can.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Crystal_Lister-2.max-2200x2200.jpg

That’s the primary takeaway from our newest Cloud Threat Horizons Report, a biannual publication sharing strategic intelligence and risk recommendations on threats to cloud service providers, from Google Cloud's Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and other Google Cloud security and product teams.

Third-party software vulnerabilities take the lead
For the first time since we began publishing the CTHR in 2021, we observed a tactical pivot by threat actors. They’re now targeting third-party software vulnerabilities more than weak or missing credentials as the primary initial access vector. These incidents targeted external vulnerabilities in Google Cloud customer environments, but did not involve breaches of Google Cloud’s core infrastructure.

In the second half of 2025, threat actors exploited software-based vulnerabilities (44.5%) more frequently than weak credentials (27.2%), a significant increase from the start of 2025, when software exploitation accounted for less than 3% of incidents.

Sophisticated threat actors are no longer just stealing data; they are sabotaging the evidence... Moving to high-fidelity, tamper-resistant logging is now a regulatory and operational necessity.

We believe that this shift is a sign of defensive progress. Google’s secure-by-default strategy and enhanced credential protections are likely closing traditional paths, forcing threat actors to adopt faster, more automated paths through unpatched applications. We assess that threat actors are increasingly using AI to accelerate the discovery phase, allowing them to identify and exploit vulnerable software at unprecedented speeds.

As part of our shared fate approach to help build resilient cloud foundations through secure configurations and policies, we made available last week a new recommended security controls checklist.

As we look ahead to 2026, our security experts offer four critical insights from the new report:

  1. Collapse of the exploitation window: Attack speeds can now be measured in days. For example, during the React2Shell incident, GTIG observed threat actors deploying cryptocurrency miners within approximately 48 hours of the vulnerability’s public disclosure. Organizations shouldn’t wait for patches to be tested to take action. They should pivot to automated defenses — such as Web Application Firewalls (WAF) — to neutralize exploits at the network edge as soon as possible.
  2. North Korean actors weaponize Kubernetes: The report details a previously undocumented, sophisticated campaign by UNC4899 targeting a cryptocurrency organization. By abusing legitimate DevOps workflows and breaking out of privileged containers, these threat actors stole millions in cryptocurrency. This highlights the critical risk posed by living-off-the-cloud (LOTC) techniques, and the need for strict isolation in cloud runtime environments.
  3. From CI/CD to cloud destruction: We’re also following supply chain infections targeting the CI/CD pipeline. In one case, compromised node package manager package QUIETVAULT allowed threat actors (UNC6426) to abuse OpenID Connect trust relationships, gaining full Amazon Web Services administrator permissions in less than 72 hours. This crown jewel access vector underscores the need for the principle of least privilege in automated pipelines.
  4. Anti-forensic and destructive tactics: Sophisticated threat actors are no longer just stealing data; they are sabotaging the evidence. In late 2025, we continued seeing all major ransomware gangs delete logs, core dumps, and backups to hinder recovery and forensic investigations. Moving to high-fidelity, tamper-resistant logging is now a regulatory and operational necessity.

How CISOs can help organizations adapt
As 2026 unfolds — bringing with it geopolitical unrest and major events such as the FIFA World Cup and U.S. midterm elections — threat actors will continue to exploit the trust gap in cloud platforms. We strongly recommend moving toward automated identity-based controls and forensic readiness to navigate these threats.

For deeper technical analysis on these trends, including granular data on malicious insider behavior and risk management recommendations for Google Cloud and platform-agnostic environments, you can download the full H1 2026 Cloud Threat Horizons report here.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

  • How Google Does It: Applying SRE to cybersecurity: Learn how Google uses Site Reliability Engineering to modernize security operations and deliver value quickly, safely, and securely. Read more.
  • Make security simpler: Introducing the Google Cloud recommended security checklist: Now available is a new recommended controls checklist to help you set configurations and policies when building a resilient cloud foundation. Read more.
  • Cultivating a robust and efficient quantum-safe HTTPS: Announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. Read more.
  • Hybrid FIDO transport goes offline: Building on our previous posts on Hybrid transport covering cross-device passkeys and JSON message support, we're now pivoting to how FIDO's hybrid transport architecture supports the offline world. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

  • 2025 zero-day vulnerabilities in review: Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025, and found that 48% targeted enterprise technology. For the first time, commercial surveillance vendors overtook state-sponsored actors for attribution. Read more.
  • The mysterious journey of Coruna, a powerful iOS exploit kit: GTIG has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) through version 17.2.1 (released in December 2023). Read more.
  • Disrupting the GRIDTIDE global cyber-espionage campaign: GTIG, Mandiant Threat Defense, and partners have taken action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. Read more.
  • How UNC6201 is exploiting a Dell RecoverPoint for virtual machines zero-day: Mandiant and GTIG have identified zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines by UNC6201, a suspected PRC-nexus threat cluster. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Podcasts from Google Cloud

  • Resetting the SOC: Detecting state actors or doing the basics: How does a company’s detection strategy change when the adversary is a state-funded group whose goal might be long-term persistence or subtle data manipulation? Allie Mellen discusses her new book with hosts Anton Chuvakin and Tim Peacock. Listen here.
  • Beyond shadow IT: Unsanctioned AI agents do more than talk: And you thought shadow IT was bad. The threat of shadow agents takes shadow AI, itself an evolution of the IT risk, to the next level. Alastair Paterson, CEO and co-founder, Harmonic Security, joins Anton and Tim to explore the AI risks — and how to secure it effectively. Listen here.
  • Cyber-Savvy Boardroom: From AI theater to measurable business value: Ryan McManus joins hosts Alicja Cade and David Homovich to discuss the shift from simply storing data to using it to actively power your business. More than just theory, we dive into why boards should move toward a cohesive, three-year AI roadmap. Listen here.
  • Behind the Binary: How EtherHiding and frontend attacks are weaponizing the blockchain: Host Josh Stroschein is joined by Robert Wallace, Joseph Dobson, and Blas Kajusner to dissect the new hybrid heist — the era of isolated crypto-theft is over. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.

Posted in