The surge of crypto prices has had a direct correlation with cyberattacks in multiple reports published over the last three years. This has been confirmed by the recent Google Threat Horizon Report released earlier this week. According to the report, the demand for these valuable coins has influenced malicious actors to break into Google Cloud accounts to mine them.
The report disclosed that about 86 percent of the 50 recent cases had to do with hackers mining crypto with compromised accounts.
Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances.
According to the Google Cybersecurity Action Team, two common objectives behind these operations were found to be “traffic pumping” and “obtaining profit.”
The research was meant to “provide actionable intelligence that enables organizations to ensure their cloud environments are best protected.”
The malicious actors were found to be Russian speakers. In addition to secretly mining cryptos, they actively stream live videos promising people to contribute funds to qualify for a giveaway.
The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities.
The Google report also noted that hackers replace the account name, profile picture, and content with the brand of a renowned crypto exchange or firm to deceive users. Some of the other cyber-threats discovered were malware, spam, launching DDoS, and hosting unauthorized content.
How hackers access these Google Cloud accounts
The report discovered that hackers primarily took advantage of poor customer security practices to get access to the cloud accounts.
Malicious actors gained access to the Google Cloud instances by taking advantage of poor customer security practices or vulnerable third-party software in nearly 75% of all cases.
Interestingly, 48 percent of compromised instances were linked to hackers gaining control over the Internet-facing Cloud instance. Compromised user accounts or API connections were said to either have no passwords or weaker passwords. This subjected the Google Cloud accounts to brute force. It was also realized that the public IP address space was frequently scanned for vulnerable clouds. This was discovered after realizing that in 40 percent of the instances, the time taken to compromise was under eight hours.
Google Cloud customers who stand up non-secure Cloud instances will likely be detected and attacked in a relatively period of time. Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted.
The report suggests that Google Cloud users must use Container Analysis for Vulnerability Scanning and metadata storage for containers. Users are also urged to make use of the Web Security Scanner in addition to using a stronger password and routinely updating third-party software.