Cloud supply‑chain risk rising
Security teams are flagging vendor and cloud supply-chain threats as a core risk: Wiz’s 2025 retrospective highlights systemic dependencies, Google warned of a new extortion group targeting BPOs and helpdesks, and active phishing campaigns are abusing Google Cloud Storage to deliver the Remcos RAT. Separately, 77% of enterprises report breaches tied to disconnected apps. Together, these reports show that trusted infrastructure and vendor support channels are now prime attack vectors. (wiz.io/blog/cloud-threat-retrospective-2026, infosecurity-magazine.com, cybersecuritynews.com, globenewswire.com)
A cloud attack used to mean someone breaking into your servers. In 2026, it often means someone riding in through a company you already trust, a storage link you already allow, or a help desk you already answer. (wiz.io)
That shift showed up in Wiz’s new retrospective on 2025 cloud incidents. Wiz says the biggest cloud attacks still started with old problems like exposed secrets, misconfigurations, and unpatched flaws, but the blast radius grew when those weaknesses sat inside shared infrastructure and trusted integrations. (wiz.io)
Wiz points to “systemic dependencies,” which is the security version of one bad part shutting down an entire assembly line. In cloud systems, one vulnerable package, identity connection, or service dependency can spread risk across many customers at once. (wiz.io)
Google’s threat intelligence team put a very current example on that map on April 9, 2026. It warned that a financially motivated group called UNC6783 has targeted several dozen high-value companies across multiple sectors by going after business process outsourcers and help desks instead of attacking the final victim head-on. (infosecurity-magazine.com)
A business process outsourcer is the outside firm that runs payroll, customer service, claims handling, or support for another company. If attackers can trick or pressure that vendor’s staff, they can reach the bigger company through a support channel that already has permission to touch sensitive systems. (infosecurity-magazine.com)
Google says UNC6783’s goal is data theft for extortion, and the group has sometimes targeted in-house support teams directly when a vendor was not the easiest route. That makes the help desk itself part of the attack surface, because password resets and account recovery are effectively master keys when handled without strong checks. (infosecurity-magazine.com)
The same pattern is showing up in phishing. Cyber Security News reported on April 9, 2026 that attackers are abusing Google Cloud Storage, which is Google’s file-hosting service, to place malicious redirects on a Google-owned domain that email filters and users are more likely to trust. (cybersecuritynews.com)
That campaign ends with Remcos, short for Remote Control and Surveillance, a remote access trojan that gives criminals hands-on control of an infected computer. The trick is not a brand-new virus but the use of a familiar delivery truck: a legitimate cloud domain that looks normal in an inbox. (cybersecuritynews.com)
The vendor problem is bigger than a few headline incidents. A Cerby and Ponemon Institute study released on April 8, 2026 said 77% of enterprises reported cyberattacks linked to disconnected apps, which are tools that sit outside central identity and security controls even though employees still use them for work. (globenewswire.com)
Put those pieces together and the weak point is no longer just the company’s own network. It is the web of storage buckets, support vendors, outsourced operators, identity links, and side-door apps that all carry some level of inherited trust. (wiz.io, infosecurity-magazine.com, cybersecuritynews.com, globenewswire.com)
That is why cloud security teams are spending less time asking only “Is this server patched?” and more time asking “Who can reset accounts, who can upload files, and which outside service can act in our name?” The attackers in these April 2026 reports are not breaking trust from the outside; they are borrowing it from the inside. (wiz.io, infosecurity-magazine.com)