Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency
Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view count manipulation.
“While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation,” Google’s Cybersecurity Action Team (CAT) outlined as part of its recent Threat Horizons report published last week.
Of the 50 recently compromised GCP instances, 86% of them were used to conduct cryptocurrency mining, in some cases within 22 seconds of a successful breach, while 10% of the instances were exploited to perform scans of other publicly accessible hosts on the Internet to identify vulnerable systems, and 8% of the instances were used to strike other entities. About 6% of the GCP instances were used to host malware.
In most cases, the unauthorized access was attributed to the use of weak or no passwords for user accounts or API connections (48%), vulnerabilities in third-party software installed on the cloud instances (26%), and leakage of credentials in GitHub projects (4%).