Cloud Security, Cloud Security, Threat Management, Zero trust

Vast majority of compromised Google Cloud Platform instances executed by cryptominers

The Google Cloud logo is seen on a notebook at the Google Germany offices on Aug. 31, 2021, in Berlin, Germany. (Photo by Sean Gallup/Getty Images)

Google Cloud on Wednesday reported that malicious actors had recently compromised 50 Google Cloud Platform instances, some 86% of which were used for cryptocurrency mining.   

According to an analysis by Google, in 58% of the situations, the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.

“This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention,” said Google Cloud. “The ability to manually intervene in these situations to prevent exploitation is nearly impossible. The best defense would be to not deploy a vulnerable system or have automated response mechanisms.” 

The details released by Google Cloud are part of the first issue of its Threat Horizons report produced after collating intel from the Google Threat Analysis Group, Google Cloud Security and Trust Center, and other internal teams at Google.

Whether they specifically target cryptocurrency mining or not, automated attacks where the majority of compromises are executed within seconds really drive home the importance of getting ahead of attackers, said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. Bar-Dayan said as Google Cloud points out, this is best accomplished either by making sure systems are either not vulnerable, or by deploying automated response mechanisms.

“Cyber risk management is a critical component of any effective security strategy and organizations need to find a way to extend their existing efforts to encompass all of their assets, including cloud infrastructure,” Bar-Dayan said. “Automation is a great tool for helping organizations identify and mitigate vulnerable systems before they can be compromised. Without it, knowing where to focus mitigation efforts is far too time-consuming, which is why so many vulnerable systems continue to be deployed. And until organizations start consistently deploying strategies for effectively prioritizing and mitigating risk before vulnerabilities can be exploited, these types of attacks will continue cause significant problems.”

Saryu Nayyar, CEO of Gurucul, said Google Cloud reports that the attacks on cloud instances are scripted, so the attackers are searching for specific security holes rather than targeting attacks, then using those holes to upload and execute cryptomining software.

“Cloud users in general should understand their security responsibilities and how to structure their software to meet those responsibilities,” Nayyar said. “And actively look for illicit activity; it should be easy enough to note that certain cloud instances are more active than they should be. Because attackers are using automated methods to find and exploit these instances, the users of those instances must also use automation to find them and remediate the attack. It cost the users to do someone else’s computing in the cloud, making this a potentially expensive hack.”

Garret Grajek, CEO of YouAttest, said the real key to securing our systems from any malicious or nefarious use — be it crypto-miners, ransomware or PII data exfiltration — is to ensure that our systems enforce both zero trust on the networks and identity governance on the users. 

“We have to keep a mindful eye on traffic and utilization of our resources,” Grajek said. “Communication to command and controls must be identified and stopped immediately — as must the changes threat actors make in our identities for privilege escalation.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.