Hackers exploit poorly secured Google Cloud platform to mine crypto

Compromised Google Cloud accounts used to mine cryptocurrency and abuse the system

Google CAT found security issues via GCP.
Cryptocurrency miners used hacked Google Cloud Platform accounts.

Ransomware can be installed and phishing campaigns launched from compromised machines because Google Cloud Platform instances are often improperly secured. The Google Cloud Threat Intelligence team reports that these security issues led to cryptocurrency miners being dropped and customers' environments being compromised.[1] Around 86% of the hacked Google Cloud Platform cases in the past year ended with cryptocurrency miners running on the customer's device.[2] In at least half of those cases, the malware was installed within the first 30 seconds after access to the machine was gained.

According to the Google Cybersecurity Action Team report, these issues come down to basic security holes:

While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation.

The process is believed to have been entirely script-driven, so no user action was needed to drop the malicious apps or launch other processes. These attacks targeted GCP customers in bulk, leveraging the number of exposed assets without much effort.[3] Compromise of a targeted machine could succeed within hours, taking 8 hours at most.

Attackers looked for unsecured Google Cloud Platform instances

The analysis revealed that these cloud instances were compromised very quickly, and targets were found by scanning for unprotected machines. Attackers monitored public IP address ranges for signs of such poorly protected instances. It was a quick sweep across address space, not a targeted attack; the research team confirms this with the detail about how quickly compromise occurred. Also, hackers were focused on cryptocurrency mining,[4] not the exfiltration of data or a major malware deployment.

The time from the launch of a vulnerable Google Cloud instance until its compromise varied, with the shortest being under 30 minutes.

Poor customer security practices were also a great advantage for hackers, since in 75% of all cases such security holes were exploited. Weak passwords, no passwords, or insecure API connections were used in these hacks. Hackers managed to brute-force credentials with minimal effort.
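The pattern described above, a burst of password guesses from one address followed by a successful login and a miner dropped seconds later, leaves a recognisable trace in a VM's SSH auth log. The following is an added example, not code from Google's report or from this article, that flags that sequence; the log lines, thresholds and field names are constructed for illustration.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample sshd auth-log lines (not taken from the report): a short
# password-guessing burst from one address that ends in an accepted login.
SAMPLE_AUTH_LOG = """\
Nov 22 10:01:03 gcp-vm-1 sshd[2201]: Failed password for root from 203.0.113.5 port 40110 ssh2
Nov 22 10:01:05 gcp-vm-1 sshd[2203]: Failed password for root from 203.0.113.5 port 40112 ssh2
Nov 22 10:01:08 gcp-vm-1 sshd[2205]: Failed password for admin from 203.0.113.5 port 40114 ssh2
Nov 22 10:01:10 gcp-vm-1 sshd[2207]: Failed password for root from 203.0.113.5 port 40116 ssh2
Nov 22 10:01:12 gcp-vm-1 sshd[2209]: Failed password for root from 203.0.113.5 port 40118 ssh2
Nov 22 10:01:15 gcp-vm-1 sshd[2211]: Accepted password for root from 203.0.113.5 port 40120 ssh2
Nov 22 10:02:40 gcp-vm-1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Nov 22 10:03:01 gcp-vm-1 sshd[2310]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_ts(ts):
    # syslog timestamps carry no year; differences within a day are still correct
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def find_password_sprays(log_text, min_failures=3, window_seconds=300):
    """Return one finding per source IP whose failed password guesses ended in an
    accepted password login within window_seconds of the first failure."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
        elif m["method"] == "password" and len(failures[ip]) >= min_failures:
            elapsed = (ts - failures[ip][0]).total_seconds()
            if elapsed <= window_seconds:   # guesses and success inside one window
                findings.append({"ip": ip, "user": m["user"], "failures": len(failures[ip]),
                                 "seconds_to_success": elapsed})
    return findings

if __name__ == "__main__":
    for f in find_password_sprays(SAMPLE_AUTH_LOG):
        print(f"ALERT {f['ip']}: {f['failures']} failed guesses, then password login as {f['user']} after {f['seconds_to_success']:.0f}s")
```

Key-based logins are ignored on purpose, so a hit means password authentication is both enabled and being guessed, which is the configuration the report blames.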

Phishing campaigns and traffic pumping discovered

The report from Google also noted particular malicious campaigns and security issues. One of them was a Gmail phishing email campaign launched back in September by APT28 hackers.[5] This group, also known as Fancy Bear, focused on sending emails to at least 12,000 accounts in the US, UK, India, Canada, Russia, and EU countries.

The main goal was to steal account credentials so that further attacks could be launched. The emails warned recipients about security risks: the threat actors claimed that government-backed hackers were trying to obtain users' credentials, and then the real attackers tricked people into revealing their actual login credentials.

The research team also observed activity focused on abusing free cloud credits. This campaign used trial projects, with hackers posing as fake startups to generate particular traffic on YouTube. Google said that ransomware attacks, in which files and data got encrypted, took place too. The report states that these might be the work of the Black Matter ransomware actors, although the criminals behind that malware announced their shutdown last month.

Google lists the main tips for customers and enterprises, including strong authentication and multiple layers of defense. Strong passwords and similar security measures can help mitigate the accidental exposure of credentials and serious hacker attacks.

About the author: Jake Doevan, computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
