Identity failings and legacy vulnerabilities are driving a surge in cloud attacks, a new report from ReliaQuest has warned.
The threat intelligence specialist claimed that 44% of true-positive alerts it recorded in the third quarter of 2025 were traced back to “identity-related weakness.” These included excessive permissions, misconfigured roles and credential abuse.
The reason threat actors are targeting the identity layer is simple: cloud keys and credentials often make their way onto cybercrime markets because they’re stored insecurely, putting them at risk of phishing or infostealer malware. Attackers can buy legitimate credentials on the dark web for as little as $2, according to the report.
Cloud credentials also usually have excessive permissions assigned to them, enabling attackers to escalate access. ReliaQuest claimed that 99% of cloud identities are over-privileged.
This means that threat actors can simply log in as legitimate users and achieve their goals, without setting off any internal alarms. Given that the average organization manages thousands of identities across AWS, Azure, Google Cloud and SaaS applications, the attack surface is potentially huge.
Read more on identity threats: New ‘LLMjacking’ Attack Exploits Stolen Cloud Credentials
ReliaQuest also highlighted the security risks created by poor DevOps practices, which in some cases can lead to the “systematic redeployment” of legacy vulnerabilities in new software.
“The cloud’s greatest strength – on-demand infrastructure deployments – is also a source of systemic risk. In the race for speed, along with unclear ownership of risk remediation, organizations often unknowingly perpetuate vulnerabilities,” the report explained.
“Every automated deployment of a new server, container, or serverless function can replicate a single flaw from an old template across the environment in minutes. As this cycle repeats daily, new assets are created faster than security teams can manually scan and address them.”
ReliaQuest claimed that 71% of critical vulnerability alerts it managed during the quarter stemmed from just four CVEs, dating back to 2021.
“The result is an ever-expanding attack surface and an unmanageable vulnerability backlog,” it warned.
What Must Happen Next
The report urged organizations to improve their posture in order to mitigate these risks, by:
- Eliminating static AWS keys for humans, and instead using short-term credentials generated via the AWS Security Token Service (STS)
- Enforcing least privilege policies to reduce the risk of privilege escalation. This can be done via cloud infrastructure entitlement management (CIEM) tools like AWS IAM Access Analyzer, GCP IAM Recommender and Microsoft Entra Permissions Management
- Automating security checks in CI/CD pipelines, such as via static analysis tools, to prevent vulnerabilities and misconfigurations reaching production
