Google Warns of Compromise of Google Cloud Instances for Cryptocurrency Mining
December 1, 2021 - Following the trend set by other cloud service providers, Google has released the first issue of its Threat Horizons Report. The report's stated goal is to provide actionable intelligence that helps organizations protect their cloud environments against ever-evolving threats.
While the report discusses five major observations, only the observation specific to cryptocurrency mining is summarized below.
86% of the compromised Google Cloud instances were used to mine cryptocurrency, consuming CPU/GPU and storage resources.
The compromise of Google Cloud instances is due to poor cyber hygiene and a lack of basic controls.
10% of compromised Cloud instances were used to scan for additional vulnerable targets, and another 8% were used to launch attacks.
In 46% of compromised Cloud instances, threat actors gained access by brute-forcing user accounts with weak or no passwords, or through APIs with no authentication. Exploiting a vulnerability in third-party software installed by end users accounted for another 26%.
Time to compromise a vulnerable instance can be as little as under 30 minutes, with 40% of the instances compromised in under eight hours. This observation seems consistent with an earlier post.
Google also outlines specific recommendations for Google Cloud instances to mitigate these threats:
Follow best practices for strong passwords.
Protect administrator and GitHub credentials.
Enforce and monitor password requirements for users.
Use access control options such as service accounts to authenticate applications rather than user credentials.
Use predefined configurations through Assured Workloads to reduce misconfigurations.
Patch third-party software prior to a cloud instance being exposed to the Internet.
Scan and patch instances for known vulnerabilities.
Monitor instance resource consumption and alert on high or unusual thresholds.
Follow other best practices for configuring Cloud environments.
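The resource-consumption recommendation is the one most directly tied to the mining observation: a miner pins CPU for as long as it is left running, so a sustained-utilization check paired with a deviation-from-baseline check gives a defender an early triage signal. The following is an added example of such a detector, not code from Google or from the report. It assumes the monitoring system has already exported one CPU-utilization reading (fraction 0..1) per instance every five minutes; the metric series below are constructed to illustrate a normal instance, a miner-like instance, and a spike that is not yet sustained.

```python
"""Flag cloud instances whose CPU utilization looks like sustained cryptomining.

Added example (not from the Threat Horizons Report). Input is assumed to be a
per-instance list of CPU-utilization readings, oldest first, one every 5 minutes.
"""
from statistics import mean, pstdev
from typing import Dict, List

SAMPLE_INTERVAL_S = 300  # assumed metric resolution: one reading per 5 minutes


def sustained_high_cpu(readings: List[float], threshold: float, min_duration_s: int) -> bool:
    """True if the most recent readings all sit at or above `threshold`
    for at least `min_duration_s` seconds (the miner-like signature)."""
    needed = -(-min_duration_s // SAMPLE_INTERVAL_S)  # ceiling division
    if len(readings) < needed:
        return False
    return all(r >= threshold for r in readings[-needed:])


def anomalous_vs_baseline(readings: List[float], baseline_n: int = 48, z: float = 3.0) -> bool:
    """True if the latest reading is `z` standard deviations above the mean of the
    preceding `baseline_n` readings (4 h at 5-minute resolution). Catches a jump
    before it has lasted long enough to trip the sustained check."""
    if len(readings) <= baseline_n:
        return False
    base = readings[-baseline_n - 1:-1]
    mu, sd = mean(base), pstdev(base)
    # Floor the deviation so a perfectly flat idle baseline does not turn a
    # harmless one-point wobble into a huge z-score.
    sd = max(sd, 0.02)
    return (readings[-1] - mu) / sd >= z


def flag_instances(metrics: Dict[str, List[float]],
                   high: float = 0.90,
                   min_duration_s: int = 1800) -> Dict[str, List[str]]:
    """Return {instance_name: [reasons]} for every instance worth a look.
    Defaults: CPU at or above 90% for at least 30 minutes, or a >3-sigma jump."""
    flagged: Dict[str, List[str]] = {}
    for name, readings in metrics.items():
        reasons = []
        if sustained_high_cpu(readings, high, min_duration_s):
            reasons.append(f"cpu >= {high:.0%} for >= {min_duration_s // 60} min")
        if anomalous_vs_baseline(readings):
            reasons.append("latest reading > 3 sigma above 4 h baseline")
        if reasons:
            flagged[name] = reasons
    return flagged


def _series(baseline: float, tail: List[float]) -> List[float]:
    """Constructed series: 48 flat baseline samples (4 h) followed by the last hour."""
    return [baseline] * 48 + tail


# Constructed metrics for three hypothetical instances (names are made up).
CONSTRUCTED_METRICS: Dict[str, List[float]] = {
    # ordinary web tier: low, slightly noisy utilization
    "web-01": _series(0.15, [0.18, 0.12, 0.20, 0.16, 0.14, 0.17,
                             0.15, 0.19, 0.13, 0.16, 0.14, 0.18]),
    # idle for hours, then pegged at ~97% for the last 35 minutes: miner-like
    "batch-07": _series(0.10, [0.10] * 5 + [0.97] * 7),
    # single fresh spike: not yet sustained, but far outside its baseline
    "api-03": _series(0.20, [0.20] * 11 + [0.95]),
}

if __name__ == "__main__":
    for inst, why in flag_instances(CONSTRUCTED_METRICS).items():
        print(f"{inst}: {'; '.join(why)}")
```

The sustained check is the primary signal because it is hard for a miner to avoid: the whole point of the compromise is to burn CPU. The baseline check exists so that an instance that has just jumped from idle to saturated shows up in triage before the 30-minute window has elapsed; in production the window length and threshold would be tuned per workload, and a batch tier that legitimately pegs CPU on a schedule would need an allow-list or time-of-day baseline.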
Refer to the report for discussion of the remaining observations, including a credential phishing attack by the Russian government-supported APT28/Fancy Bear at the end of September; a North Korean government-backed threat group that posed as Samsung recruiters to send malicious attachments to employees at several South Korean anti-malware cybersecurity companies; and detected customer installations infected with BlackMatter ransomware (the successor to the DarkSide ransomware family).