Tech giant Google has published a new cybersecurity report warning that compromised Google Cloud instances are being used for cryptocurrency mining.
The report titled “Threat Horizons” is based on threat intelligence observations from the Threat Analysis Group (TAG), Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams.
According to the report, of the 50 compromised Google Cloud Platform (GCP) instances examined, 86% were used to perform cryptocurrency mining, a resource-intensive for-profit activity, while the remaining compromises were used for activities including phishing scams and ransomware.
Many successful attacks on GCP instances are due to poor hygiene and a lack of basic controls. Google added that nearly 10% of compromised Cloud instances were used to scan other publicly available resources on the Internet for vulnerable systems, while 8% were used to attack other targets.
“While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse,” the report said.
“Malicious actors gained access to the Google Cloud instances by taking advantage of poor customer security practices or vulnerable third-party software in nearly 75% of all cases.”
The search giant said 48% of instances had a weak password or no password on a user account, or no authentication for APIs, while in 26% of instances a vulnerability in third-party software on the Cloud instance was exploited.
A further 12% were attributed to ‘other issues’, another 12% to misconfiguration of the Cloud instance or of third-party software, while just 4% of compromises were due to leaked credentials, such as keys published in GitHub projects.
Time was of the essence in the compromise of the Google Cloud instances. The shortest amount of time between deploying a vulnerable Cloud instance exposed to the Internet and its compromise was determined to be as little as 30 minutes.
In 40% of instances, the time to compromise was under eight hours. In 58% of situations, the cryptocurrency mining software was downloaded to the system within 22 seconds of the account being compromised.
“The best defense would be to not deploy a vulnerable system or have automated response mechanisms,” the report recommended.
The tech giant has advised its cloud customers to improve their security through measures such as enabling two-factor authentication, scanning for vulnerabilities, updating third-party software before a Cloud instance is exposed to the web, avoiding publishing credentials in GitHub projects, implementing Google’s “Work Safer” product, and more.
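One of those recommendations, keeping credentials out of GitHub projects, is straightforward to automate as a check that runs before a push. The script below is an added example and is not code from Google or from the report: it scans a set of files for the credential types most relevant here (a GCP service-account key file, a PEM private key, a Google API key, which has the real-world form of 39 characters beginning with "AIza", and a secret-looking assignment whose value has high character entropy). The sample files are constructed, the names are hypothetical, and the entropy cut-off of 3.5 bits per character is an assumed threshold to be tuned for a real code base.

```python
"""Pre-publication secret scan: flag files that look like they carry credentials
before a repository is pushed to a public host such as GitHub (added example)."""
import json
import math
import re

# Constructed sample files standing in for a repository working tree (not real keys).
SAMPLE_FILES = {
    "config/settings.py": (
        'DATABASE_HOST = "db.internal"\n'
        'SESSION_SECRET = "c7f3a9e1b2d4f6a8c0e2b4d6f8a0c2e4"\n'  # constructed value
    ),
    "deploy/sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv(constructed)\n-----END PRIVATE KEY-----\n",
        "client_email": "deployer@example-project.iam.gserviceaccount.com",
    }),
    "scripts/run.sh": 'export API_KEY="AIzaSyD-ExampleConstructedKeyValue12345"\n',
}

# Google API keys are 39 characters beginning with "AIza".
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Assignments such as SESSION_SECRET = "..." or password: '...' with a value of 16+ chars.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)(?:secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune for your code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_service_account_key(text: str) -> bool:
    """True if text parses as a GCP service-account key file (JSON with a private key)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (
        isinstance(doc, dict)
        and doc.get("type") == "service_account"
        and "private_key" in doc
    )


def scan_text(path: str, text: str) -> list:
    """Return findings for one file as dicts with path, kind and line number."""
    findings = []
    if is_service_account_key(text):
        findings.append({"path": path, "kind": "gcp_service_account_key", "line": 1})
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY_RE.search(line):
            findings.append({"path": path, "kind": "pem_private_key", "line": lineno})
        if GOOGLE_API_KEY_RE.search(line):
            findings.append({"path": path, "kind": "google_api_key", "line": lineno})
        for m in SECRET_ASSIGN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "kind": "high_entropy_secret", "line": lineno})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> content; returns all findings across files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def main() -> int:
    """Print findings and exit non-zero so a CI job or pre-push hook blocks the push."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a pre-push hook or a CI job, a non-zero exit stops the push until the flagged file is removed from the commit and the exposed key is rotated; the regexes cover only the credential shapes named above, so the entropy check is what catches secrets that have no recognisable prefix.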
“Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact,” the report concluded.