Cloud breaches driven by identity failures & process flaws
A new report from ReliaQuest has highlighted that the primary drivers of impactful cloud attacks are identity compromises and process breakdowns, rather than sophisticated zero-day exploits.
The company's analysis of customer data from the third quarter of 2025 shows a significant portion of cloud security incidents stem from attackers abusing valid credentials and from legacy vulnerabilities being redeployed at scale.
Over-privileged identities
ReliaQuest's findings reveal that 44% of true-positive alerts from cloud security tools during the period could be traced back to identity issues, with researchers noting that 99% of cloud identities remain over-privileged. That excess of standing privilege lets an attacker escalate after an initial compromise, turning a simple credential theft into a far more serious breach.
"Our analysis of the Q3 2025 threat landscape suggests that the most impactful cloud attacks didn't come from sophisticated zero-day exploits. Instead, they stemmed from two foreseeable failures: identity compromises and process breakdowns."
According to the report, identity compromises occur when attackers obtain valid credentials (often through phishing, malware, or leaked data) and then exploit over-privileged identities to carry out their objectives within a cloud environment. This path is usually easier than exploiting a technical vulnerability, and it is proving highly effective for threat actors.
The report notes, "Identity failure occurs when attackers simply log in with stolen credentials and exploit over-privileged roles to achieve their objectives. Meanwhile, process failure involves the systemic redeployment of legacy vulnerabilities at cloud scale, creating widespread and uniform weaknesses."
Alert fatigue for security teams
Another finding from the report is that identity-related incidents create substantial operational challenges for enterprise security teams. The data shows that 33% of raw alerts (those not yet confirmed as malicious) are identity-related, adding to the burden on security professionals. This overlap, where identity is both the leading cause of confirmed breaches and the noisiest source of alerts, raises operational costs and increases the risk of alert fatigue among defenders.
The report describes the situation: "This dual burden, where identity is both the top cause of confirmed breaches and the noisiest source of alerts, overwhelms security teams and drives up operational costs. These alerts are particularly costly to triage because, while automated systems can message users for verification, security teams still need to manually assess whether the activity is benign or malicious, often relying on specific organizational risk policies."
Privilege escalation and excessive permissions
The ease with which attackers can escalate privileges is also a recurring theme. Among ReliaQuest's customers, identity-related privilege escalation accounted for 52% of all confirmed identity-based alerts in the studied period, with the principal enabler being over-privileged accounts.
The report finds, "Once inside your cloud environment, an attacker's primary objective is often to exploit a seemingly minor misconfiguration: an identity with excessive permissions. By doing so, they can escalate privileges and move laterally through your environment, turning a low-level user compromise into a significant breach."
The report highlights that platforms such as AWS, Azure, and Google Cloud ship pre-packaged administrative roles with broad permissions (AWS's AdministratorAccess managed policy, Azure's Owner and Contributor built-in roles, and Google Cloud's basic Owner and Editor roles are the familiar examples). Because attaching one of these is easier than writing a scoped policy, many organisations bypass the recommended practice of granting only the minimum necessary access, which increases the impact when credentials leak.
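The over-privilege the report describes is visible in the policy document itself. The following is an added example, not code from ReliaQuest or from any cloud provider: it walks IAM policy statements and flags the patterns that turn a leaked credential into a privilege-escalation path. The three sample policies are constructed for the example, and the list of escalation-capable actions is a deliberately short, assumed subset; a real run would feed it the JSON returned by `aws iam get-policy-version`.

```python
"""Flag over-privileged IAM policy statements (added example, not from the report)."""
import fnmatch

# Actions that let a principal hand itself (or something it controls) more
# access. Assumed, non-exhaustive subset for this example.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole",
}

# Constructed sample policies: an admin-style policy, a typical "deploy" role,
# and a scoped least-privilege policy.
SAMPLE_POLICIES = {
    "admin-like": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}]},
    "least-privilege": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"}]},
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def analyze_policy(policy):
    """Return findings as dicts: {"statement": idx, "issue": str, "actions": [...]}"""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append({"statement": idx, "issue": "allow-with-NotAction",
                             "actions": _as_list(stmt["NotAction"])})
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        if "*" in actions and "*" in resources:
            findings.append({"statement": idx, "issue": "admin-equivalent",
                             "actions": ["*"]})
        else:
            service_wild = [a for a in actions if a.endswith(":*")]
            if service_wild:
                findings.append({"statement": idx, "issue": "service-wildcard",
                                 "actions": service_wild})

        # Expand globs such as "iam:*" against the escalation list. IAM action
        # names are case-insensitive, so compare lower-cased.
        escalating = sorted(
            target for target in ESCALATION_ACTIONS
            if any(fnmatch.fnmatchcase(target.lower(), pattern.lower())
                   for pattern in actions)
        )
        if escalating:
            findings.append({"statement": idx, "issue": "privilege-escalation",
                             "actions": escalating})
    return findings


def report(policies):
    """Map policy name -> findings, for every policy handed in."""
    return {name: analyze_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_POLICIES).items():
        print(name, "->", findings or "no findings")
```

Note that a bare `"Resource": "*"` on its own is not flagged: many read-only actions have no resource-level permissions and legitimately require it. What the script reacts to is the combination of broad actions with the ability to change who can do what, which is exactly the "seemingly minor misconfiguration" the report describes.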
Legacy vulnerabilities at scale
Process breakdowns, particularly the propagation of legacy vulnerabilities via automated cloud deployments, pose another persistent challenge. ReliaQuest's analysis shows 71% of all critical vulnerability alerts resulted from just four well-known Common Vulnerabilities and Exposures (CVEs):
- CVE-2021-44228 (Log4Shell, Apache Log4j remote code execution)
- CVE-2024-6387 (regreSSHion, OpenSSH server signal-handler race)
- CVE-2023-36884 (Microsoft Windows/Office HTML remote code execution)
- CVE-2024-23897 (Jenkins CLI arbitrary file read)
These vulnerabilities, some persisting for years, continue to reappear as organisations quickly deploy new assets using automated tools without proper security validation in their DevOps pipelines. The report suggests this "creates an ever-expanding attack surface and an unmanageable vulnerability backlog."
"The cloud's greatest strength, on-demand infrastructure deployments, is also a source of systemic risk. In the race for speed, along with unclear ownership of risk remediation, organizations often unknowingly perpetuate vulnerabilities. This push for rapid deployment can lead to the systematic redeployment of years-old flaws."
Practical recommendations
To counter these identity and process risks, the report recommends a series of defensive actions, including eliminating static AWS access keys for human users, enforcing least-privilege access using cloud-native tools, and integrating automated security validation into development pipelines. By shifting to short-term credentials (such as STS session credentials obtained through single sign-on or an assumed role) and regularly reviewing and trimming access privileges, organisations can limit the blast radius of a credential leak or of privilege misuse.
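The first recommendation, removing long-lived keys from human users, is easy to audit because AWS will hand you the data: `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns a base64-encoded CSV with one row per principal. The following is an added example, not code from ReliaQuest or from AWS, that reads that CSV and flags active access keys older than a rotation threshold or never used at all, plus console users without MFA. The report below is a constructed sample with only the columns the script reads, and the reference time is fixed so the output is reproducible; a real run would decode the live report and use the current time.

```python
"""Audit an AWS IAM credential report for stale static keys and missing MFA.

Added example, not from the report. SAMPLE_REPORT is constructed and only
carries the columns this script reads; the real report has more.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-05-02T09:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-02-10T08:30:00+00:00,true,true,true,2024-03-01T12:00:00+00:00,2025-09-28T14:05:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-06-15T16:45:00+00:00,true,false,true,2025-09-01T09:00:00+00:00,2025-09-30T07:10:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2025-08-15T11:00:00+00:00,false,false,true,2025-08-15T11:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed reference time so the sample is reproducible; use
# datetime.now(timezone.utc) against a live report.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """AWS writes N/A, no_information or not_supported where no date applies."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now=NOW, max_age_days=90):
    """Active keys that are older than max_age_days or have never been used."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days if rotated else None
            reasons = []
            if age is None:
                reasons.append("rotation date unknown")
            elif age > max_age_days:
                reasons.append(f"key age {age} days exceeds {max_age_days}")
            if last_used is None:
                reasons.append("never used")
            if reasons:
                findings.append({"user": row["user"], "key": slot,
                                 "age_days": age, "reasons": reasons})
    return findings


def console_users_without_mfa(report_csv):
    """Users who can log in with a password but have no MFA device."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    for f in stale_access_keys(SAMPLE_REPORT):
        print(f"{f['user']} key {f['key']}: {', '.join(f['reasons'])}")
    print("console users without MFA:", console_users_without_mfa(SAMPLE_REPORT))
```

The never-used check matters as much as the age check: a key that was created and never called is pure exposure, and is often a leftover from a human who has since moved to SSO. Service accounts such as `deploy-bot` show up here too; the report's recommendation is to move them to role-based, short-lived credentials rather than merely rotating the key.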
The analysis cautions that security teams should not treat security as a final checkpoint. Instead, practices such as continuous monitoring, real-time response playbooks, and security scans embedded early in the development cycle are needed to reduce both operational overhead and business risk.
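The pipeline gate that the report's "process failure" section and this recommendation both point at is a small piece of code: scan the image or template, then refuse to deploy when a known flaw is present. The following is an added example, not code from ReliaQuest or from any scanner vendor. It evaluates a scanner result against two rules: any CVE on a hard blocklist (seeded here with the four CVEs the report names) fails the build regardless of severity, and any other CRITICAL or HIGH finding fails it only when a fixed version exists. The input is a constructed sample in the shape that Trivy's JSON output uses (assumed here; only the `Results`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion` and `FixedVersion` keys are read), and the `CVE-EXAMPLE-*` identifiers are placeholders, not real CVEs.

```python
"""Fail a deploy when a scan reports a blocklisted or fixable critical CVE.

Added example, not from the report. SAMPLE_SCAN is constructed in the
(assumed) shape of Trivy's JSON output; CVE-EXAMPLE-* ids are placeholders.
"""
import json
import sys

# The four CVEs the report says keep being redeployed; any hit blocks.
BLOCKLIST = {"CVE-2021-44228", "CVE-2024-6387", "CVE-2023-36884", "CVE-2024-23897"}

SAMPLE_SCAN = json.dumps({
    "ArtifactName": "registry.example.internal/app:2025.10.01",
    "Results": [
        {"Target": "app (java)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "PkgName": "log4j-core",
             "InstalledVersion": "2.14.1", "FixedVersion": "2.17.1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "libfoo",
             "InstalledVersion": "1.0.0", "FixedVersion": "",
             "Severity": "HIGH"},          # no fix yet: reported, not blocking
            {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "libbar",
             "InstalledVersion": "3.2.0", "FixedVersion": "3.2.1",
             "Severity": "MEDIUM"},        # below the threshold
            {"VulnerabilityID": "CVE-EXAMPLE-3", "PkgName": "libbaz",
             "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2",
             "Severity": "CRITICAL"},      # fixable critical: blocking
        ]},
        {"Target": "app (os packages)", "Vulnerabilities": None},
    ],
})


def evaluate_scan(scan_json, blocklist=BLOCKLIST, fail_on=("CRITICAL", "HIGH")):
    """Return (passed, blocking_findings) for one scan document."""
    data = json.loads(scan_json)
    blocking = []
    for result in data.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # Trivy emits null when clean
            vid = vuln.get("VulnerabilityID", "")
            severity = vuln.get("Severity", "UNKNOWN").upper()
            fixed = vuln.get("FixedVersion") or ""
            if vid in blocklist:
                reason = "blocklisted"
            elif severity in fail_on and fixed:
                reason = f"{severity} with fix available"
            else:
                continue
            blocking.append({"id": vid, "target": result.get("Target", ""),
                             "package": vuln.get("PkgName", ""),
                             "installed": vuln.get("InstalledVersion", ""),
                             "fixed": fixed, "reason": reason})
    return (not blocking), blocking


def main(argv):
    """CLI: `gate.py scan.json` exits 1 when the build must not deploy."""
    scan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SCAN
    passed, blocking = evaluate_scan(scan_json)
    for b in blocking:
        print(f"BLOCK {b['id']} {b['package']} {b['installed']} -> "
              f"{b['fixed'] or 'n/a'} in {b['target']}: {b['reason']}")
    print("PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring this in as a required pipeline step is what turns the report's "security validation" from a dashboard metric into a control: the same base image that re-introduced Log4Shell last quarter cannot reach production again, because the build that carries it does not complete.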
Looking ahead
The report anticipates that attackers will continue to leverage automation, potentially compressing the time from credential leak to intrusion from days or hours down to minutes. ReliaQuest advises organisations to upgrade their security postures to include proactive threat detection and automated response as a baseline.
"The prediction of a fully automated credential-to-intrusion pipeline isn't just based on the trajectory of tools; it's driven by clear economic and operational incentives driving the cybercrime ecosystem. In 2025, attackers already manually chain steps together: purchasing access from initial access brokers (IABs), using infostealer logs to find valid credentials, and using the credentials to gain footholds. The next logical and imminent progression is connecting these proven steps into a single, automated service."
The company concludes that the fundamental issue remains preventable: misconfigurations and over-privileged cloud identities, compounded by process inefficiencies, all of which can be addressed by integrating security more tightly into both identity management and software development workflows.