Google Warns of Compromise of Google Cloud Instances for Cryptocurrency Mining

December 1, 2021 - Following the lead of other cloud service providers, Google has released the first issue of its Threat Horizons Report. The report's stated goal is to provide actionable intelligence that enables organizations to keep their cloud environments protected against evolving threats.

While the report discusses five major observations, only the observation specific to cryptocurrency mining is summarized below.

  1. 86% of the compromised Google Cloud instances were used to mine cryptocurrency, consuming CPU/GPU and storage resources.

  2. The compromises were attributed to poor cyber hygiene and a lack of basic security controls.

  3. 10% of compromised Cloud instances were used to scan for additional vulnerable targets. Another 8% were used to launch attacks on other targets.

  4. In 46% of compromised Cloud instances, threat actors gained access by brute-forcing weak or absent passwords on user accounts, or by reaching APIs that required no authentication. Exploiting vulnerabilities in third-party software installed by end users accounted for another 26%.

  5. The time from exposing a vulnerable instance to its compromise can be as little as 30 minutes, and in 40% of cases it was under eight hours. This observation is consistent with an earlier post.
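The two most common entry points above, password guessing against user accounts and accounts with no password at all, leave traces that are easy to check for. The following is an added example (not code from Google or the report) that does two things a practitioner would want on an exposed instance: it summarizes sshd password-login events per source address and flags sources that kept failing and then succeeded, and it audits an sshd_config fragment for the settings that make such guessing possible. The log lines, the config fragments, the hostnames and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example; the brute-force threshold of five failures is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not taken from the report). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation-only address ranges.
SAMPLE_AUTH_LOG = """\
Dec  1 03:12:01 gce-vm sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  1 03:12:03 gce-vm sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec  1 03:12:05 gce-vm sshd[2233]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec  1 03:12:06 gce-vm sshd[2233]: Failed password for root from 203.0.113.5 port 51241 ssh2
Dec  1 03:12:08 gce-vm sshd[2235]: Failed password for root from 203.0.113.5 port 51244 ssh2
Dec  1 03:12:09 gce-vm sshd[2235]: Accepted password for root from 203.0.113.5 port 51245 ssh2
Dec  1 03:15:40 gce-vm sshd[2300]: Failed password for invalid user test from 203.0.113.77 port 40012 ssh2
Dec  1 03:20:00 gce-vm sshd[2310]: Accepted publickey for deploy from 198.51.100.9 port 55000 ssh2: ED25519 SHA256:abc
"""

# Matches only password-based outcomes; key-based logins are ignored on purpose.
LOGIN_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3})"
)


def summarize_password_logins(lines):
    """Return {ip: {"failed": n, "accepted": n, "users": {...}}} for password logins."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        entry["failed" if m["result"] == "Failed" else "accepted"] += 1
        entry["users"].add(m["user"])
    return dict(stats)


def find_brute_force(stats, threshold=5):
    """Return [(ip, verdict)] for sources with >= threshold failures.

    verdict is "succeeded" when the same source later got an Accepted line,
    i.e. the guessing worked, and "attempted" otherwise. The threshold is an
    assumption for this example, not a value from the report.
    """
    findings = []
    for ip, s in sorted(stats.items()):
        if s["failed"] >= threshold:
            findings.append((ip, "succeeded" if s["accepted"] else "attempted"))
    return findings


# Constructed sshd_config fragments: the weak one beside the hardened one.
WEAK_SSHD_CONFIG = """\
# constructed example, not a real host's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
"""

# OpenSSH defaults that apply when the keyword is absent (see sshd_config(5)).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}


def audit_sshd_config(text):
    """Return a list of weak-setting descriptions found in an sshd_config text.

    Keywords are case-insensitive, and an absent keyword means its default.
    Match blocks are not modelled: the last global value wins here.
    """
    settings = dict(SSHD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in settings:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible; use keys only")
    if settings["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with no password can log in")
    if settings["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is a direct brute-force target")
    return findings


if __name__ == "__main__":
    stats = summarize_password_logins(SAMPLE_AUTH_LOG.splitlines())
    for ip, verdict in find_brute_force(stats):
        print(f"{ip}: brute force {verdict} against {sorted(stats[ip]['users'])}")
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("weak sshd_config:", finding)
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On the constructed input, 203.0.113.5 is reported as a successful brute force (five failures followed by an accepted root password), the single failure from 203.0.113.77 stays below the threshold, and the weak config yields three findings while the hardened one yields none. Note that an empty config is still flagged, because OpenSSH enables password authentication by default; that default is exactly what an exposed instance relies on an image or bootstrap step to override.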

Google also outlines specific recommendations for Google Cloud instances to mitigate these threats:

Refer to the report for discussion of the remaining observations, including a credential phishing campaign by the Russian government-backed APT28/Fancy Bear at the end of September; a North Korean government-backed threat group that posed as Samsung recruiters to send malicious attachments to employees at several South Korean anti-malware companies; and customer installations found infected with Black Matter ransomware (the successor to the DarkSide ransomware family).