Google warns hackers using Cloud platform for crypto mining
Malicious actors are taking advantage of poor customer security to hack Cloud accounts
More than three quarters (86%) of 50 recently compromised Google Cloud Platform instances were used by cyberhackers to perform cryptocurrency mining, a resource-intensive for-profit activity, Google has warned. The cyberhacks typically consumed CPU/GPU resources or, in the case of Chia mining, storage space.
According to Google, malicious actors gained access to the Google Cloud instances by taking advantage of poor customer security practices or vulnerable third-party software in nearly 75% of all cases.
According to the Google team, the attacks were mostly not personal or directed at specific users. Instead, cyberhackers targeted any vulnerable user to satisfy their need for memory and computing resources to mine cryptocurrency.
“Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded that the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” said Google in the report.
According to the Google team, time was of the essence in the compromise of the Google Cloud instances. The shortest amount of time between deploying a vulnerable Cloud instance, which had been exposed to the internet, and its compromise was found to be as little as 30 minutes.
“In 40% of instances, the time to compromise was under eight hours. This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when,” said Google.
According to the tech company, analysis of the systems used to perform unauthorised cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.
“This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention. The ability to manually intervene in these situations to prevent exploitation is nearly impossible. The best defence would be to not deploy a vulnerable system or have automated response mechanisms,” the Google team explained.
Google’s advice to its cloud customers is to improve their security cover by using two-factor authentication and signing up for its advanced security programme.
Elsewhere in the report, the Google team underlined that 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the internet to identify vulnerable systems, and 8% of instances were used to attack other targets.
“Based on research from the Threat Analysis Group (TAG), the Russian government-backed attackers APT28 (also known as Fancy Bear), which more recently has typically targeted Yahoo! and Microsoft users, was observed at the end of September sending a large-scale attack to approximately over 12,000 Gmail accounts in a credential phishing campaign,” said the team.
“Google blocked these messages and no users were compromised. The attackers were using patterns similar to TAG’s government-backed attack alerts to lure users to change their credentials on the attacker’s controlled phishing page. The attackers kept changing the emails’ subject line but attackers used a variation of Critical Security Alert,” said Google.