Cryptocurrency miners are being deployed by online criminals within just 22 seconds of compromising misconfigured cloud instances running on the Google Cloud Platform (GCP).
Cryptocurrency mining is the main malicious activity attackers conduct after taking advantage of misconfigured instances hosted on GCP.
In many cases, the attackers move quickly after compromising an instance, installing crypto-mining malware to free-ride on others’ CPU and GPU resources and turn a profit for themselves. In its first Cloud Threat Intelligence report, Google commented:
“Analysis of the systems used to perform unauthorized cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.”
Another shocking trend was how quickly attackers can find and compromise unsecured, internet-facing instances. Palo Alto Networks, a security firm, found that 80% of 320 internet-facing ‘honeypot’ instances hosted in the cloud — and designed to attract attackers — were compromised within 24 hours.
Google’s report says that crypto-mining malware is a problem for GCP users who do not take steps to protect their cloud instances. Google notes:
“While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse. The public Internet-facing Cloud instances were open to scanning and brute force attacks.”
Internet-facing GCP instances were a significant target for attackers. Just under half of the compromises were carried out by attackers who gained access to instances that had either no password or a weak password on user accounts or API connections. Google also added:
“This suggests that the public IP address space is routinely scanned for vulnerable cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when.”
Furthermore, 26% of compromised instances were due to vulnerabilities in third-party software installed by the instance owner. Bob Mechler, a director at Google Cloud’s Office of the CISO, commented:
“Many successful attacks are due to poor hygiene and a lack of basic control implementation.”
The report summarises observations over the last year by Google’s Threat Analysis Group (TAG), the Google Cloud Security and Trust Center, Google Cloud Threat Intelligence for Chronicle, and Trust and Safety.