Google Cloud | Breaking Cybersecurity News | The Hacker News

The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network. "Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes," Hunt.io said in a statement. "The infrastructure was still running when we found it." The threat intelligence company said it found source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration after the threat actor behind the operation left two open directories on a command-and-control (C2) server ("213.136.80[.]73") without any authentication. PCPJack was first discovered by SentinelOne in April 2026 after it identified a credential theft framework that specifically targets cloud services, while taking s...

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence (AI) agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to Palo Alto Networks Unit 42, the issue relates to how the Vertex AI permission model can be misused by taking advantage of the service agent 's excessive permission scoping by default. "A misconfigured or compromised agent can become a 'double agent' that appears to serve its intended purpose, while secretly exfiltrating sensitive data, compromising infrastructure, and creating backdoors into an organization's most critical systems," Unit 42 researcher Ofir Shaty said in a report shared with The Hacker News. Specifically, the cybersecurity company found that the Per-Project, Per-Product Service Agent ( P4SA ) associated with a deployed AI agent ...

Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims' databases and exfiltrate sensitive data within organizations' Google Cloud environments. The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google. The list of security flaws is as follows - Cross Tenant Unauthorized Access - Zero-Click SQL Injection on Database Connectors Cross Tenant Unauthorized Access - Zero-Click SQL Injection Through Stored Credentials Cross Tenant SQL Injection on BigQuery Through Native Functions Cross-Tenant Data Sources Leak With Hyperlinks Cross Tenant SQL injection on Spanner and BigQuery Through Custom Queries on a Victim’s Data Source Cross Tenant SQL Injection on BigQuery and Spanner Through...

The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency. The activity has been attributed with moderate confidence to the state-sponsored adversary, which is also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.  "This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer data (P2P) transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques," the tech giant noted in its H1 2026 Cloud Threat Horizons Report shared with The Hacker News. Upon gaining access to the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest credentials, break out of the confines of containers, and tamper with Cloud SQL databases to facilitate the cryptocu...

New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys (identified by the prefix "AIza") embedded in client-side code to provide Google-related services like embedded maps on websites. "With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account," security researcher Joe Leon said , adding the keys "now also authenticate to Gemini even though they were never intended for it." The problem occurs when users enable the Gemini API on a Google Cloud project (i.e., Generative Language API), causing the existing API keys in that project, including those accessible via the website JavaScript code, to gain surreptitious access to Gemini endpoints without any warning or notice. Th...

Google on Wednesday disclosed that it worked with industry partners to disrupt the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 that breached at least 53 organizations across 42 countries. "This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas," Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today. UNC2814 is also suspected to be linked to additional infections in more than 20 other nations. The tech giant, which has been tracking the threat actor since 2017, has been observed using API calls to communicate with software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure. The idea, it added, is to disguise their malicious traffic as benign. Central to the hacking group's operations is a novel backdoor dubbed GRIDTIDE that abuses Google Sheets API as a communication ...

Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud's Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address ("noreply-application-integration@google[.]com") so that they can bypass traditional email security filters and have a better chance of landing in users' inboxes. "The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients," the cybersecurity company said . Attackers have been observed sending 9,394 phishing emails targeting approximately 3,200 customers over a 14-day period observed in December 2025, with the affected organizations located in the U.S., Asia-Pac...

As machine identities explode across cloud environments, enterprises report dramatic productivity gains from eliminating static credentials. And only legacy systems remain the weak link. For decades, organizations have relied on static secrets, such as API keys, passwords, and tokens, as unique identifiers for workloads. While this approach provides clear traceability, it creates what security researchers describe as an "operational nightmare" of manual lifecycle management, rotation schedules, and constant credential leakage risks. This challenge has traditionally driven organizations toward centralized secret management solutions like HashiCorp Vault or CyberArk, which provide universal brokers for secrets across platforms. However, these approaches perpetuate the fundamental problem: the proliferation of static secrets requiring careful management and rotation. "Having a workload in Azure that needs to read data from AWS S3 is not ideal from a security perspective...

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud." The entire attack lasted only about 35 seconds, with the company stating its "defenses have been working overtime." Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions. Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected t...

The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. "Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations," Google's cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025. UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries. Notably, the hacking group has been implicated in significant cryptocurrency heists , including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion). ...

Google Cloud's Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses. "Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor," Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a statement. "This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly." Carmakal also warned businesses not to "let their guard down entirely," as other threat actors like UNC6040 are employing similar social engineering tactics as Scattered Spider to breach target netwo...

Detecting leaked credentials is only half the battle. The real challenge—and often the neglected half of the equation—is what happens after detection. New research from GitGuardian's State of Secrets Sprawl 2025 report reveals a disturbing trend: the vast majority of exposed company secrets discovered in public repositories remain valid for years after detection, creating an expanding attack surface that many organizations are failing to address. According to GitGuardian's analysis of exposed secrets across public GitHub repositories, an alarming percentage of credentials detected as far back as 2022 remain valid today: "Detecting a leaked secret is just the first step," says GitGuardian's research team. "The true challenge lies in swift remediation." Why Exposed Secrets Remain Valid This persistent validity suggests two troubling possibilities: either organizations are unaware their credentials have been exposed (a security visibility problem),...

Google is making the biggest ever acquisition in its history by purchasing cloud security company Wiz in an all-cash deal worth $32 billion. "This acquisition represents an investment by Google Cloud to accelerate two large and growing trends in the AI era: improved cloud security and the ability to use multiple clouds (multicloud)," the tech giant said today. It added the acquisition, which is subject to regulatory approvals, is meant to provide customers with a "comprehensive security platform" that secures modern IT environments.  Google Cloud CEO Thomas Kurian said by bringing its cloud offerings and Wiz together, the move will "spur the adoption of multicloud cybersecurity, the use of multicloud, and competition and growth in cloud computing." Wiz CEO Assaf Rappaport said it will remain an independent multicloud platform even after the deal is closed, and that it will work with other cloud companies like Amazon Web Services (AWS), Microsoft A...

Google Cloud has announced quantum-safe digital signatures in Google Cloud Key Management Service ( Cloud KMS ) for software-based keys as a way to bulletproof encryption systems against the threat posed by cryptographically-relevant quantum computers. The feature, currently in preview, coexists with the National Institute of Standards and Technology's (NIST) post-quantum cryptography (PQC) standards, the final versions of which were formalized in August 2024. "Our Cloud KMS PQC roadmap includes support for the NIST post-quantum cryptography standards (FIPS 203, FIPS 204, FIPS 205, and future standards), in both software (Cloud KMS) and hardware (Cloud HSM)," the company's cloud division noted . "This can help customers perform quantum-safe key import and key exchange, encryption and decryption operations, and digital signature creation." The tech giant said its underlying software implementations of these standards – FIPS 203 (aka ML-KEM), FIPS 204 ...

Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report . TRIPLESTRENGTH engages in a trifecta of malicious attacks, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, to other threat actors. Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryp...

As many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client. "Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt." The shortcomings, which comprise heap-buffer overflow, information disclosure, file leak, external directory file-write, and symbolic-link race condition, are listed below - CVE-2024-12084 (CVSS score: 9.8) - Heap-buffer overflow in Rsync due to improper checksum length handling CVE-2024-12085 (CVSS score: 7.5) - Information leak via uninitialized stack contents CVE-2024-12086 (CVSS score: 6.1) - Rsync server leaks arbitrary client files CVE-2024-12087 (CVSS ...

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security. "We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025," Mayank Upadhyay, vice president of engineering and distinguished engineer at Google Cloud, said in a statement. "To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments." The rollout process is scheduled to take place over three stages, starting from this month and until the end of 2025 - Phase 1 (Starting November 2024), when administrators will be provided information to prepare for the security upgrade  Phase 2 (Early 2025), when Google will begin requiring MFA for all new and existing Google Cloud users who sign in with a password Phase 3 (En...

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry," the exposure management company said in a statement. "This access allows for lateral movement and privilege escalation in a victim's project, to access unauthorized data and even update or delete it." Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that are triggered in response to specific Cloud events without the need to manage a server or update frame...

A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News. "These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment." The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an onli...

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed  LeakyCLI  by cloud security firm Orca. "Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions," security researcher Roi Nisimi  said  in a report shared with The Hacker News. Microsoft has since  addressed  the issue as part of security updates released in November 2023, assigned it the CVE identifier CVE-2023-36052 (CVSS score: 8.6). The idea, in a nutshell, has to do with how the CLI commands such as could be used to show (pre-)defined environment variables and output to Continuous Integration and Continuous Deployment (CI/CD) logs. A list of ...