Hackers Mine Cryptocurrencies Using Compromised Google Cloud Accounts - Report
Multiple reports published in the last three years have drawn a direct correlation between rising cryptocurrency prices and cyberattacks. This has been confirmed by the recent Google Threat Horizon report published earlier this week. According to the report, the demand for these valuable coins has led malicious actors to break into Google Cloud accounts to mine them.
The report revealed that around 86 percent of the 50 recent cases involved hackers mining cryptocurrencies with compromised accounts.
Malicious actors were observed mining cryptocurrencies within compromised Cloud instances.
According to Google’s Cybersecurity Action Team, two common goals behind these operations were found to be ‘traffic pumping’ and ‘profit making’.
The research was intended to “provide actionable intelligence that enables organizations to ensure that their cloud environments are better protected.”
The malicious actors were found to be Russian-speaking. In addition to secretly mining cryptocurrencies, they actively broadcast live videos urging viewers to contribute funds in order to become eligible for a giveaway.
The actors behind this campaign, which we attribute to a group of hackers recruited from a Russian-speaking forum, lure their target with false opportunities for collaboration.
The Google report also points out that hackers replace the account name, profile photo and content with the branding of a cryptocurrency exchange or a reputable company to deceive users. Other threats identified in the report included malware, spam, launching DDoS attacks, and hosting unauthorized content.
How hackers access these Google Cloud accounts
The report found that hackers primarily took advantage of poor customer security practices to access cloud accounts.
Malicious actors gained access to Google Cloud instances by taking advantage of poor customer security practices or vulnerable third-party software in nearly 75% of cases.
Interestingly, 48 percent of the compromised instances were linked to hackers who gained control of an internet-facing cloud instance. The compromised user accounts or API connections are said to have had either no password or a weak one, which exposed the Google Cloud accounts to brute-force attacks. The public IP address space was also found to be frequently scanned for vulnerable cloud instances; this was inferred from the finding that in 40% of cases the system was compromised less than eight hours after it was brought online.
Google Cloud customers launching insecure cloud instances are likely to be detected and attacked in a relatively short period of time. Since most of the instances were used for cryptocurrency mining rather than data exfiltration, Google analysts concluded that the Google Cloud IP address range was being scanned indiscriminately rather than specific Google Cloud customers being targeted.
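The pattern described above (an internet-facing instance with a weak or missing password, hit by automated scanning and brute-force attempts within hours of launch) leaves a recognisable trace in the instance's own authentication log. The following is an added example, not code from the Google report or the article, showing how a defender can detect it: it parses sshd log lines, flags any source IP that produces a burst of failed logins inside a short window, checks whether a password login from that IP succeeded after the burst (the signature of a guessed credential), and measures how long after boot the first attempt arrived. The log lines, instance name, boot time and IP addresses are constructed sample data; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd lines in syslog format from a hypothetical instance "vm-1".
# The addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
INSTANCE_BOOT = "Nov 24 08:00:00"
SAMPLE_AUTH_LOG = """\
Nov 24 08:00:05 vm-1 sshd[900]: Server listening on 0.0.0.0 port 22.
Nov 24 11:12:01 vm-1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Nov 24 11:12:03 vm-1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Nov 24 11:12:04 vm-1 sshd[1003]: Failed password for root from 203.0.113.5 port 41024 ssh2
Nov 24 11:12:06 vm-1 sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 41025 ssh2
Nov 24 11:12:08 vm-1 sshd[1005]: Failed password for invalid user oracle from 203.0.113.5 port 41026 ssh2
Nov 24 11:12:09 vm-1 sshd[1006]: Accepted password for root from 203.0.113.5 port 41027 ssh2
Nov 24 11:30:00 vm-1 sshd[1010]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Nov 24 11:31:30 vm-1 sshd[1011]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
"""

ASSUMED_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts):
    """Turn a syslog timestamp into a datetime, supplying the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(log_text):
    """Extract sshd authentication outcomes; non-auth lines (e.g. 'Server listening') are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m.group("msg"))
        if not a:
            continue
        events.append({"ts": parse_ts(m.group("ts")), **a.groupdict()})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    For each flagged IP also record whether a password login later succeeded,
    which is the strongest indicator that a weak credential was guessed.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])

    findings = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success = any(
                e["ip"] == ip and e["result"] == "Accepted"
                and e["method"] == "password" and e["ts"] >= times[0]
                for e in events
            )
            findings[ip] = {"peak_failures": peak, "password_login_after_failures": success}
    return findings


def hours_to_first_attack(boot_ts, events):
    """Hours between instance boot and the first failed login, or None if there were none."""
    failed = [e["ts"] for e in events if e["result"] == "Failed"]
    if not failed:
        return None
    return (min(failed) - parse_ts(boot_ts)).total_seconds() / 3600


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    for ip, info in detect_bruteforce(evs).items():
        print(f"{ip}: {info}")
    print(f"first attempt {hours_to_first_attack(INSTANCE_BOOT, evs):.1f} h after boot")
```

On the sample, 203.0.113.5 is flagged (five failures in seven seconds followed by a successful root password login, about 3.2 hours after boot), while the single typo by alice from 198.51.100.7 is not. The time-to-first-attempt figure is what lets an operator compare their own exposure against the report's observation that 40% of compromises happened within eight hours.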
The report suggests that Google Cloud users should use container scanning, which provides vulnerability scanning and metadata storage for containers. Users are also encouraged to make use of the web security scanner, in addition to using stronger passwords and routinely updating third-party software.
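Since nearly half of the compromises in the report began with an internet-facing instance, the hardening advice above is most effective when paired with a check that no instance is needlessly reachable from the whole internet. The following is an added example, not code from the report or from Google, that audits VPC firewall rules for ingress rules open to 0.0.0.0/0 on remote-access ports. The input is a constructed sample shaped like the JSON that `gcloud compute firewall-rules list --format=json` emits (field names follow the Compute Engine firewall resource); the rule names and address ranges are made up, and the set of ports treated as risky is a choice of this example.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_FIREWALL_JSON = """
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-rdp-office", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["198.51.100.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-all-old", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-high-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["1024-65535"]}]},
  {"name": "egress-all", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""

# Ports this example treats as remote-access ports that should never face 0.0.0.0/0.
RISKY_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}


def port_bounds(spec):
    """Expand a port spec such as "22" or "1024-65535" into an inclusive (lo, hi) pair."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def rule_exposes(rule, port):
    """True if an enabled INGRESS rule lets any internet source reach the given TCP port."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = allowed.get("ports")
        if not ports:  # tcp with no port list means every tcp port
            return True
        if any(lo <= port <= hi for lo, hi in map(port_bounds, ports)):
            return True
    return False


def find_exposed(rules_json, risky_ports=RISKY_PORTS):
    """Return (rule name, port, label) for every risky port a rule opens to the internet."""
    findings = []
    for rule in json.loads(rules_json):
        for port, label in sorted(risky_ports.items()):
            if rule_exposes(rule, port):
                findings.append((rule["name"], port, label))
    return findings


if __name__ == "__main__":
    for name, port, label in find_exposed(SAMPLE_FIREWALL_JSON):
        print(f"rule {name} exposes {label} (tcp/{port}) to 0.0.0.0/0")
```

The audit ignores the disabled rule, the egress rule and the rule restricted to an office range, and reports the explicit SSH rule together with the broad high-port range, which quietly covers RDP and VNC. Restricting such rules to known source ranges, or removing external IPs altogether in favour of IAP or a bastion, removes the instance from the address space the report describes as being scanned continuously.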