Google warns that cybercriminals were compromising Google Cloud Platform (GCP) accounts to perform cryptocurrency mining.
The internet giant says threat actors sometimes downloaded cryptocurrency mining software within just 22 seconds after compromising the cloud accounts.
Cryptocurrency mining is a resource-intensive activity, and mining rewards continue to decline while computational costs rise. However, Google Cloud customers have access to upgradable computing power at a cost, making their unsecured cloud resources a target for cybercriminals.
Google published the findings in its first Threat Horizons Report, produced by the newly constituted Cybersecurity Action Team, which aims to turn the company’s collective threat intelligence into more actionable insights.
Hackers exploit most compromised Google Cloud accounts for cryptocurrency mining
Google found that out of the 50 recently compromised Google Cloud instances, 86% were used for cryptocurrency mining purposes.
Hackers exploited another 10% of the compromised Google Cloud instances to scan the internet for vulnerable systems and 8% to attack other targets. The attackers exploited 6% of the accounts for hosting malware, 4% for hosting illegal content, 2% for launching DDoS bots, and 2% for sending spam.
The attackers utilized CPU/GPU resources on compromised Google Cloud instances for cryptocurrency mining or storage space for Chia mining.
Google attributed the hacking of Google Cloud accounts to poor security hygiene, including weak or no passwords and misconfigurations. According to the report, the attackers exploited poor security practices or vulnerable third-party software in 75% of the incidents. In nearly half (48%) of the cases, the compromised Google Cloud instances had no password for the accounts or API connections. In more than a quarter (26%) of the instances, the attackers leveraged vulnerable third-party software installed by the owner. Similarly, 12% of the attacks exploited misconfigurations in cloud instances or third-party software, while 4% originated from leaked credentials.
The minimum time between deploying a vulnerable cloud instance and compromise was less than 30 minutes. In 40% of the cases, hackers compromised the instances in less than 8 hours after deployment.
Google suggested that the attackers routinely scanned IP addresses for vulnerable cloud instances. According to the researchers, the attackers scanned the Google Cloud IP address range rather than targeting specific user instances.
In 58% of the incidents, the hackers downloaded cryptocurrency mining software on the compromised instances within 22 seconds. Google posited that attackers automated the deployment of cryptocurrency mining software to proceed without human interaction.
Google noted that human response in such incidents was impossible and recommended implementing an automated response mechanism. Similarly, cloud customers should avoid deploying vulnerable instances as the first line of defense.
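The report’s point that mining software was often fetched within seconds of compromise argues for automated detection rather than manual triage. The following is an added example, not code from Google or the report: it reads constructed instance-creation and download/process events (the log schema and field names are assumptions) and flags instances whose first miner-like activity appears within a short window of creation, so they can be handed to an automated quarantine step.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (assumed schema, not a real GCP log format).
# vm-a pulls a mining binary 19 seconds after creation; vm-b downloads a
# benign archive two days later.
SAMPLE_EVENTS = [
    '{"ts": "2021-11-01T10:00:00Z", "instance": "vm-a", "event": "instance_create"}',
    '{"ts": "2021-11-01T10:00:19Z", "instance": "vm-a", "event": "download", "url": "http://198.51.100.7/xmrig.tar.gz"}',
    '{"ts": "2021-11-01T10:00:21Z", "instance": "vm-a", "event": "process_start", "cmd": "./xmrig -o stratum+tcp://pool.example:3333"}',
    '{"ts": "2021-11-01T11:00:00Z", "instance": "vm-b", "event": "instance_create"}',
    '{"ts": "2021-11-03T09:30:00Z", "instance": "vm-b", "event": "download", "url": "https://dl.example.org/app-1.2.tgz"}',
]

# Substrings commonly seen in miner binaries and pool URLs (illustrative list).
MINER_MARKERS = ("xmrig", "minerd", "cpuminer", "stratum+tcp", "stratum+ssl")


def parse_events(lines):
    """Parse JSON log lines and return them sorted by timestamp (UTC)."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def looks_like_miner(event):
    """True if the download URL or command line carries a known miner marker."""
    text = (event.get("url", "") + " " + event.get("cmd", "")).lower()
    return any(marker in text for marker in MINER_MARKERS)


def time_to_first_suspicious(events):
    """Map instance -> seconds between its creation and its first miner-like event."""
    created, result = {}, {}
    for e in events:
        inst = e["instance"]
        if e["event"] == "instance_create":
            created[inst] = e["ts"]
        elif inst in created and inst not in result and looks_like_miner(e):
            result[inst] = (e["ts"] - created[inst]).total_seconds()
    return result


def instances_to_quarantine(events, max_seconds=30 * 60):
    """Instances whose first miner-like activity falls within max_seconds of creation."""
    return sorted(i for i, secs in time_to_first_suspicious(events).items() if secs <= max_seconds)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(time_to_first_suspicious(evs))  # {'vm-a': 19.0}
    print(instances_to_quarantine(evs))   # ['vm-a']
```

The 30-minute default mirrors the shortest deployment-to-compromise interval the report cites; in practice the output list would feed an automated action such as isolating the instance and revoking its service account credentials.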
Google’s threat intelligence team also discovered cybercriminals using new tactics to abuse Google Cloud services for nefarious purposes. For example, they signed up for free trial projects by registering fake companies to gain startup credits and access Google’s Cloud computing resources.
Meanwhile, the Russian nation-state threat actor APT28, also known as Fancy Bear, leveraged Google’s Gmail accounts to execute a large-scale phishing campaign of over 12,000 phishing messages. Similarly, North Korean hackers posed as Samsung employees to target South Korean tech workers with fake job opportunities.
How to protect Google Cloud accounts
The researchers advised Google Cloud customers to enable various security mitigations to protect their instances from cryptocurrency mining and other cloud threats.
The team advised customers to audit their published projects to ensure that they do not expose security credentials. Additionally, they should validate downloaded code to avoid installing updates poisoned through man-in-the-middle (MITM) attacks.
Similarly, they should add a layer of security to make compromised credentials unusable by requiring multi-factor authentication.