The first edition of a bulletin called Cloud Threat Intelligence was just released by the Google Cybersecurity Action Team.
The main warnings aren’t surprising (regular Naked Security visitors have read about them for years), and they boil down to two main facts.
To begin with, crooks are quick: finding a newly launched, insecure cloud instance and breaking in can take them days, but Google claims that discovery-break-and-enter times can be “as little as 30 minutes.”
Imagine if the first crooks came sneaking up your driveway one minute after you signed the contract on your new home to test all of your doors and windows!
The cryptomining attacks are detailed in a report by Google’s cybersecurity action team, which identifies hacking threats to its cloud service – a collection of remote computing services that can include off-site storage of customers’ data and files – and offers guidance on how to deal with them.
Other threats identified by the team in its first “threat horizon” report include Russian state hackers attempting to steal users’ passwords by warning them that they have been targeted by government-backed attackers; North Korean hackers posing as Samsung job recruiters; and ransomware attacks using heavy encryption.
The process of verifying and adding blocks to blockchains, such as those that underpin cryptocurrencies, is known as “mining,” and it requires a significant amount of computing power. More than 80% of 50 recent hacks of Google’s cloud computing service were used to mine cryptocurrency, according to the company.
According to the report, “86 percent of the compromised Google Cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity,” with the cryptocurrency mining software being downloaded in the majority of cases within 22 seconds of the account being compromised.
Per Google, attackers took advantage of weak customer security or vulnerable third-party software in three-quarters of cloud hacks.
Two-factor authentication – an extra layer of security on top of a generic user name and password – and signing up for Google’s Work Safer security program are two of Google’s recommendations to its cloud customers to improve their security.
In another section of the report, Google claims that the Russian government-backed hacking group APT28, also known as Fancy Bear, targeted 12,000 Gmail accounts in a mass phishing attempt, a ruse in which users are duped into handing over their login credentials.
“We believe that government-backed attackers may be trying to trick you to get your account password,” the attackers said in an email. Google said it had blocked all phishing emails in the attack, which targeted the UK, the US, and India, and that no users’ information had been compromised.
Another hacking ruse mentioned by Google in the report involved a North Korean-backed hacker group posing as Samsung recruiters and sending fake job offers to employees of South Korean information security firms.
After that, victims were directed to a malicious link to malware stored in Google Drive, which has since been blocked.
Dealing with ransomware attacks, in which an attacker encrypts files and data on a user’s computer until a payment is made for their release, is difficult, according to Google, because heavy encryption “makes file recovery nearly impossible without paying for the decryption tool.” The report also notes the emergence of Black Matter, which it describes as a “formidable ransomware family.”
The Google report noted: “Google has received reports that the Black Matter ransomware group has announced it will shut down operations given outside pressure. Until this is confirmed, Black Matter still poses a risk.”