Cyberattacks: AI Targets the Cloud Through Third-Party Software
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
AI: An Asset for Cybercriminals in the Cloud
A recent report from Google highlights a concerning trend: cybercriminals are now leveraging artificial intelligence to accelerate their attacks on cloud infrastructures. Third-party tools, often less secure, are becoming prime targets. Companies are thus warned that they have very little time to react and secure their systems.
Key Takeaways According to ZDNET
Artificial intelligence enables attackers to identify vulnerabilities faster than ever. Cloud attacks primarily focus on vulnerable third-party software, and companies must adopt automated defenses, also powered by AI, to avoid falling behind.
The Fearsome Efficiency of AI for Cybercriminals
While the debate over the integration of AI in businesses continues, one sector is already benefiting significantly: cybercrime. Criminals have become more effective at exploiting vulnerabilities in cloud systems, which are often the most vulnerable points for companies.
Google's report, based on observations from the second half of 2025, reveals that the time between the discovery of a vulnerability and its widespread exploitation has drastically decreased, from several weeks to just a few days. To counter these attacks, Google recommends the use of AI-enhanced defenses, emphasizing the importance of increased automation in data protection.
Third-Party Software: A Preferred Gateway
According to the report, current threats do not target the core infrastructures of cloud giants like Google Cloud, Amazon Web Services, or Microsoft Azure, which are well protected. Cybercriminals, whether organized crime groups or state-sponsored agents like North Korea, prefer to exploit unpatched vulnerabilities in third-party software.
The report cites several examples of attacks without naming the victims. One of these exploited a critical remote code execution (RCE) vulnerability in React Server Components, a widely used JavaScript library. Attacks began just 48 hours after the public disclosure of the flaw. Another attack targeted XWiki Platform, allowing attackers to execute arbitrary code on remote servers. Although patched in June 2024, this vulnerability was heavily exploited in November 2025 by cryptocurrency mining groups.
Exploitation by State-Sponsored Groups
A notable case involves the group UNC4899, likely linked to North Korea, which took control of Kubernetes workloads to steal millions of dollars in cryptocurrencies. The group tricked a developer into downloading an archive file under the pretense of open-source collaboration. This file, transferred onto the company's network, contained malicious code that enabled the attackers to access the internal network.
Another incident involved a compromised Node Package Manager package that stole a GitHub token from a developer. This token was used to access Amazon Web Services, steal files from an S3 bucket, and then destroy the originals, all within 72 hours.
Identity Compromise: An Evolving Strategy
Google's report also highlights a shift in strategy among cybercriminals, moving from brute force attacks to exploiting identity vulnerabilities. The methods include:
- 17% of cases use voice social engineering (vishing).
- 12% rely on email phishing.
- 21% involve compromised trust relationships with third parties.
- 21% concern the exploitation of stolen identities, human or otherwise.
- 7% result from access obtained through improper methods.
These developments underscore the need for companies to strengthen their security systems, particularly those related to identity and access management.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.