Hackers Use Compromised Google Cloud Accounts for Cryptocurrency Mining - CPO Magazine

Google warns that cybercriminals were compromising Google Cloud Platform (GCP) accounts to perform cryptocurrency mining.

The internet giant says that threat actors sometimes downloaded cryptocurrency mining software in just 22 seconds after compromising cloud accounts.

Cryptocurrency mining is resource intensive, and mining rewards keep falling while the computation required keeps rising. Google Cloud customers, however, can buy as much computing power as they need, which makes their poorly secured cloud resources an attractive target for cybercriminals.

Google published the findings in the first Threat Horizons Report from its newly formed Cybersecurity Action Team, which pools the company's threat intelligence into more actionable guidance.

Most compromised Google Cloud accounts are exploited for cryptocurrency mining

Google found that of 50 recently compromised Google Cloud instances, 86% were used for cryptocurrency mining.

Attackers used another 10% of the compromised instances to scan the internet for vulnerable systems and 8% to attack other targets. A further 6% were used to host malware, 4% to host illegal content, 2% to run DDoS bots, and 2% to send spam. The categories overlap, since a single instance was often abused for more than one purpose, so the figures add up to more than 100%.

The attackers used CPU / GPU resources on compromised Google Cloud instances for cryptocurrency mining or storage space for Chia mining.

Google attributed the compromises to poor security hygiene, chiefly weak or missing passwords and misconfiguration. According to the report, 75% of the incidents stemmed from poor security practices or vulnerable third-party software. In almost half (48%) of the cases, the compromised instance had a weak or no password on a user account, or no authentication on an exposed API. In more than a quarter (26%), attackers exploited vulnerable third-party software installed by the owner. A further 12% involved other misconfigurations of the cloud instance or of third-party software, and 4% originated from leaked credentials, such as keys committed to public source repositories.

The shortest interval between deploying a vulnerable cloud instance and its compromise was under 30 minutes. In 40% of cases, the instance was compromised within 8 hours of deployment.

Google suggested that attackers routinely scan IP addresses for vulnerable cloud instances. According to the researchers, the attackers scanned the Google Cloud IP address range rather than specific user instances.

In 58% of the incidents, mining software was downloaded to the compromised instance within 22 seconds of the compromise. Google took this as evidence that the attackers had scripted the deployment of the mining software so that it ran without any human interaction.

Google noted that no human response can act on that timescale and recommended automated response mechanisms. It also stressed that the first line of defense is not to deploy vulnerable instances in the first place.
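Since the report says attackers sweep the whole Google Cloud IP range and nearly half of the compromised instances had an unauthenticated service listening, the cheapest control is to find internet-facing listeners before deployment. The following is an added example, not code from the article or from Google's report: it audits firewall rules for sensitive ports opened to 0.0.0.0/0. It assumes the input is shaped like the JSON export of `gcloud compute firewall-rules list --format=json` (field names are an assumption about that tool's output), and the rules and the list of "sensitive" ports below are constructed for the example.

```python
"""Added example: flag GCP firewall rules that expose sensitive ports to the
whole internet. Input format mirrors `gcloud compute firewall-rules list
--format=json` (assumed); the sample rules are constructed, not real data."""
import ipaddress
import json

# Ports where an unauthenticated listener is a common foothold (assumed list).
SENSITIVE_PORTS = {22, 3389, 5432, 3306, 6379, 27017, 9200, 2375, 8080}

# Constructed sample, shaped like the gcloud JSON export.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-redis-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["6379"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-docker-api", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["2375-2376"]}]},
    {"name": "egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
])


def is_internet_wide(cidr):
    """True for ranges that admit any source address, e.g. 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def expanded_ports(port_specs):
    """Expand gcloud port strings ("22", "2375-2376") into a set of ints.
    Returns None when 'ports' is absent, which gcloud uses to mean all ports."""
    if port_specs is None:
        return None
    ports = set()
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_sensitive_ports(rule):
    """Return the sensitive ports this rule opens to the whole internet.
    Disabled rules and egress rules never count."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return set()
    if not any(is_internet_wide(r) for r in rule.get("sourceRanges", [])):
        return set()
    exposed = set()
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "udp", "all"):
            continue
        ports = expanded_ports(entry.get("ports"))
        exposed |= SENSITIVE_PORTS if ports is None else ports & SENSITIVE_PORTS
    return exposed


def audit_firewall_rules(rules_json):
    """Map rule name -> sorted internet-exposed sensitive ports, for every
    enabled ingress rule that exposes at least one."""
    findings = {}
    for rule in json.loads(rules_json):
        ports = exposed_sensitive_ports(rule)
        if ports:
            findings[rule["name"]] = sorted(ports)
    return findings


if __name__ == "__main__":
    for name, ports in audit_firewall_rules(SAMPLE_RULES_JSON).items():
        print(f"{name}: sensitive ports open to 0.0.0.0/0 -> {ports}")
```

Run as-is it reports `default-allow-ssh` (port 22) and `allow-everything` (every sensitive port), while the internal-only Redis rule, the disabled Docker rule and the egress rule are ignored. Piping real `gcloud` output into `audit_firewall_rules` is the intended use; treat an open port 22 or 2375 here as a finding regardless of whether the instance currently runs a listener, because the report's point is that the scan and the exploit arrive faster than anyone can review the instance afterwards.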

Google's threat intelligence team also discovered that cybercriminals were using new tactics to abuse Google Cloud services for nefarious purposes. For example, they signed up for free trial projects by registering bogus companies for startup credits and accessing Google's cloud computing resources.

Meanwhile, the Russian state-backed group APT28, also known as Fancy Bear, abused Gmail accounts to run a large-scale phishing campaign of more than 12,000 messages. Similarly, North Korean hackers posed as Samsung recruiters and targeted South Korean tech workers with bogus job offers.

How to protect Google Cloud accounts

The researchers advised Google Cloud customers to enable various security mitigations to protect their instances from cryptocurrency mining and other cloud threats.

The team recommended that customers audit their published projects to make sure they do not expose credentials. They should also validate downloaded code, for example by checking its hash against a published digest, so that an update poisoned in a man-in-the-middle (MITM) attack is never installed.
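Both recommendations in the paragraph above are straightforward to automate. The block below is an added example, not code from the article or from Google's report: a pre-publish scan that looks for exposed Google credentials in a project tree, and a pre-install check that refuses an update whose SHA-256 does not match a pinned digest. The credential formats (API keys beginning `AIza`, service-account JSON key files) and every sample file are assumptions constructed for this example.

```python
"""Added example (not from the article or Google's report): scan a project
for exposed Google credentials before publishing it, and verify a downloaded
update against a pinned SHA-256 before installing it. Credential formats and
all sample files are assumptions constructed for this example."""
import hashlib
import hmac
import json
import re

# Assumed formats: Google API keys start with "AIza" plus 35 URL-safe chars;
# service-account key files are JSON with "type": "service_account" and a PEM key.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

# Constructed sample "repository": path -> file content. The key below is a
# placeholder of the right shape, not a real credential.
SAMPLE_FILES = {
    "README.md": "# demo\nNothing secret here.\n",
    "src/config.js": 'const key = "AIzaSy0123456789abcdefghijklmnopqrstuvw";\n',
    "sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n",
        "client_email": "deploy@example-project.iam.gserviceaccount.com",
    }),
    ".env.example": "GOOGLE_API_KEY=<put your key here>\n",
}


def classify_credentials(text):
    """Return the set of credential types found in one file's content."""
    kinds = set()
    if API_KEY_RE.search(text):
        kinds.add("google_api_key")
    if PRIVATE_KEY_RE.search(text):
        kinds.add("private_key")
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account":
        kinds.add("service_account_key")
    return kinds


def scan_files(files):
    """Map each path that leaks something to its sorted credential types."""
    findings = {}
    for path, content in files.items():
        kinds = classify_credentials(content)
        if kinds:
            findings[path] = sorted(kinds)
    return findings


# Stand-in for a downloaded update and the digest a vendor would publish out
# of band. Constructed: the artifact is the bytes b"abc" and this is their
# well-known SHA-256.
SAMPLE_ARTIFACT = b"abc"
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def verify_download(data, expected_sha256):
    """True only if the artifact's SHA-256 equals the pinned digest.
    A tampered download fails closed; the constant-time compare avoids
    leaking how many leading hex digits matched."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


if __name__ == "__main__":
    for path, kinds in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(kinds)}")
    print("genuine update accepted:", verify_download(SAMPLE_ARTIFACT, PINNED_SHA256))
    print("tampered update accepted:", verify_download(b"abd", PINNED_SHA256))
```

The scan flags `src/config.js` for the API key and `sa-key.json` for both the PEM block and the service-account envelope, and leaves the README and the placeholder `.env.example` alone. The pinned digest must come from a channel the download itself cannot tamper with (a signed release page, a checksum file fetched over a separate TLS connection, or a value committed to your own repository); a digest served next to the artifact by the same compromised mirror gives no protection.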

Similarly, they should add a layer of security that renders stolen credentials unusable by requiring multi-factor authentication.
