Cloud Threat Horizons Report H1 2026

Contents

Mission Statement
Executive Summary
Threat Actors Increasingly Targeting Software Vulnerabilities
Compromised Identities and Data Theft Dominate Industry Cloud Intrusion Trends
Malicious Insiders Increasingly Using Platform-Agnostic Environments to Exfiltrate Data
North Korean Actors Weaponize Kubernetes Workloads for Multimillion-Dollar Cryptocurrency Theft
From CI/CD to Cloud Compromise: Real-World Breach via OpenID Connect Abuse
Protecting the Cloud Forensic Timeline from Sophisticated Threat Actors
Accelerating Cloud Incident Response Through Automated Pipeline Orchestration
Contributors
Executive Resource Addendum

Mission Statement

The Google Cloud Threat Horizons Report provides decision-makers with strategic intelligence on threats to not just Google Cloud, but all cloud service providers. The report focuses on recommendations for mitigating risks and improving cloud security for leaders and practitioners. It is informed by Google Cloud's Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and various Google Cloud intelligence, security, and product teams.

Executive Summary

From Rapid Exploitation to Forensic Readiness

The cloud threat landscape is rapidly shifting. In the second half of 2025, Google Cloud Security observed the window between vulnerability disclosure and active exploitation collapse from weeks to days. This activity, along with AI-assisted attempts to probe targets for information and a continued threat-actor emphasis on data theft, indicates that organizations should be turning to more automated defenses. In keeping with our commitment to shared fate in cloud security, this edition of the Cloud Threat Horizons report highlights current threat trends and provides actionable recommendations specific to Google Cloud and applicable to all platforms. A more concise companion report providing tailored recommendations for directors will be available on the Board of Directors Insights Hub.

Key Findings for H2 2025

• Increasing exploitation of third-party, user-managed software as a primary initial access vector: While Google Cloud's underlying infrastructure remains secure, threat actors are successfully targeting unpatched applications and permissive user-defined firewall rules. In the React2Shell incident, for example, Google Threat Intelligence Group (GTIG) saw threat actors exploit vulnerabilities in a popular third-party framework just days after disclosure.

• Identity perimeters spanning multiple cloud environments and software-as-a-service (SaaS) platforms targeted with vishing and token theft: Identity compromise underpinned 83% of intrusions. Threat actors continued to shift from traditional phishing to voice-based social engineering (vishing), and to harvest credentials from third-party SaaS tokens to facilitate large-scale, silent data exfiltration.

• Malicious insiders increasingly relying on cloud storage for data theft: Malicious insiders used both cloud environments controlled by their organizations and personally controlled cloud storage to exfiltrate sensitive data.

• Living-off-the-cloud (LOTC) techniques used to compromise cloud infrastructure from a compromised endpoint: North Korean actors bypassed traditional network perimeters by using social engineering to exploit a personal-to-corporate connection, allowing them to pivot to the cloud and compromise Kubernetes to steal millions in cryptocurrency.

• Supply chain attack combined with attempted AI-assisted living-off-the-land (LOTL) techniques: Threat actors used large language models (LLMs) to automate credential harvesting and to move from a developer's local environment to full cloud administration access. In less than 72 hours, they abused OpenID Connect protocol trust between a CI/CD provider and a cloud platform.

Strategic Drivers Shaping the 2026 Cloud Landscape

Upcoming events in 2026, including intensifying geopolitical conflicts, the FIFA World Cup, and the U.S. midterm elections, may provide a backdrop for high-volume social engineering and distributed denial of service (DDoS) attacks targeting cloud-hosted media. Simultaneously, the European Union's Artificial Intelligence Act and updated U.S. Securities and Exchange Commission reporting mandates may increase pressure on organizations to ensure cloud-centered forensic readiness.

More than just a snapshot of the cloud threat landscape, this report equips decision-makers to move beyond reactive security by adopting automated identity-based controls and the forensic readiness essential for maintaining operational continuity and compliance in a rapidly collapsing threat window.

Threat Actors Increasingly Targeting Software Vulnerabilities

As 2025 unfolded, our Google Cloud security experts noted an important pivot in threat-actor behavior. In the first half of 2025, threat actors continued to rely heavily on weak or missing credentials and misconfigurations to gain access to Google Cloud environments.
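The Key Findings bullet above describes the abuse of OpenID Connect trust between a CI/CD provider and a cloud platform. The Python below is an added illustration and is not code from the report or from Google Cloud: it mints a CI/CD-style OIDC token, verifies it, and evaluates it against two federation trust policies, a loose one that binds only issuer and audience, and a strict one that also binds repository, branch and the subject claim. With the loose policy, any pipeline the provider will sign for, including one in a repository the attacker controls, can assume the cloud role; the strict policy rejects it. The issuer, audience, repository names, the HS256 signing key and the GitHub Actions-style claim names are all assumptions made for the example; the report names neither the provider nor the configuration involved in the incident.

```python
"""Evaluate CI/CD OIDC tokens against a cloud-side federation trust policy.

Constructed demonstration, not code from the Threat Horizons report. Every
identifier below (issuer, audience, repository names, key) is made up.
"""
import base64
import hashlib
import hmac
import json

# Assumed values standing in for a real CI/CD issuer and workload identity pool.
ISSUER = "https://ci.example.com"
AUDIENCE = "//iam.example.cloud/pools/prod"
# HS256 shared key so the example runs offline; real providers sign with
# RS256/ES256 and publish the public keys at a JWKS endpoint.
SIGNING_KEY = b"demo-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact JWT the way a CI/CD provider would for a pipeline job."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check the signature and return the claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload))


def evaluate(claims: dict, policy: dict, now: int) -> tuple[bool, list[str]]:
    """Apply a trust policy: the token must be unexpired and every claim named
    in `policy` must match exactly. Returns (accepted, reasons_for_rejection)."""
    reasons = []
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    for claim, wanted in policy.items():
        if claims.get(claim) != wanted:
            reasons.append(f"{claim}={claims.get(claim)!r} != {wanted!r}")
    return (not reasons, reasons)


# Weak trust: any token this issuer signs for this audience is accepted, so
# every repository, branch and contributor under the provider can assume the role.
LOOSE_POLICY = {"iss": ISSUER, "aud": AUDIENCE}

# Hardened trust: additionally bind one repository, one protected branch and the
# `sub` claim that encodes both (GitHub Actions-style claim names, assumed here).
STRICT_POLICY = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "repository": "example-org/infra-deploy",
    "ref": "refs/heads/main",
    "sub": "repo:example-org/infra-deploy:ref:refs/heads/main",
}


def demo(now: int = 1_700_000_000) -> dict:
    """Run a legitimate token and an attacker-controlled token through both policies."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 300}
    legit = {**base, "repository": "example-org/infra-deploy", "ref": "refs/heads/main",
             "sub": "repo:example-org/infra-deploy:ref:refs/heads/main"}
    # Attacker pipeline in a repository they control, signed by the same issuer.
    rogue = {**base, "repository": "attacker/fork", "ref": "refs/heads/main",
             "sub": "repo:attacker/fork:ref:refs/heads/main"}
    results = {}
    for name, claims in (("legit", legit), ("rogue", rogue)):
        verified = verify_token(mint_token(claims))
        results[name] = {
            "loose": evaluate(verified, LOOSE_POLICY, now)[0],
            "strict": evaluate(verified, STRICT_POLICY, now)[0],
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that signature verification alone only proves the token came from the CI/CD provider; the attribute conditions are what decide which of the provider's many tenants may federate into the cloud role, so they should pin the repository and protected branch rather than stop at issuer and audience.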