Hackers Use Compromised Google Cloud Accounts for Cryptocurrency Mining

963

Google alerted its users that attackers were compromising Google Cloud Platform (GCP) accounts to perform cryptocurrency mining.

While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Google’s Cybersecurity Action Team has publish ‘Threat Horizons’ report, based on threat intelligence observations.

The team observed recent attacks that targeted Gmail accounts and impersonated employment recruiters with the goal of stealing user credentials. Attackers also continue to exploit poorly configured Cloud instances with the goal of obtaining profit through cryptocurrency mining and traffic pumping.

Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud
instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity, which typically consumed CPU/GPU resources, or in cases of Chia mining, storage space. Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to attack other targets.

The shortest amount of time between deploying a vulnerable Cloud instance exposed to the Internet and its compromise was determined to be as little as 30 minutes. In 40% of instances the time to compromise was under eight hours.

Analysis of the systems used to perform unauthorised cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.

Google’s threat intelligence team also discovered cybercriminals using new approaches. For example, attackers have been using various approaches to gain
free Cloud credits, including using free trial projects, abusing start up credits with fake companies, and joining Google Developer Community for free projects.

Russian nation-state threat actors APT28 or Fancy Bear also leveraged Google’s Gmail accounts to perform phishing campaign of over 12,000 phishing messages.

The researchers recommended customers to enable various security mitigations for protection. The team advises to audit published projects to ensure that they do not expose security credentials. Additionally, the code dowloaded should undergo hashing authentication.