Google Alerts Users About Malicious Actors Using Cloud for Cryptocurrency Mining


Google has warned users that malicious actors are using its Google Cloud platform to mine cryptocurrencies. In its latest Cloud Threat Intelligence report, titled “Threat Horizons,” which provides users with security insights, the company reported that 86% of the compromised instances on Google Cloud were being used to mine cryptocurrencies. Most of the compromised accounts were secured with weak passwords or with no password at all.

Google Cloud used to mine cryptocurrencies

Software giant Google is alerting users to malicious actors using compromised Google Cloud accounts to mine cryptocurrency. Google Cloud accounts have access to processing power that can be easily redirected to perform malicious tasks. According to the first “Threat Horizons” report, published by Google to raise awareness of security vulnerabilities in its platform, 86% of compromised accounts are used for this purpose.

The report states that cryptocurrency mining in the cloud causes high usage of CPU and/or GPU power. It also mentions the mining of alternative cryptocurrencies such as Chia, which uses storage space as a mining resource.

Causes and mitigation

The number one cause of the compromised Google Cloud instances we examined was poor security due to various issues. One of these issues was a weak or no password to access the platform, or a lack of API validation in the instance. Without basic security measures in place, a malicious actor can easily take hold of these platforms. Other cloud platforms are also facing similar issues.

Most of the studied instances downloaded the cryptocurrency mining software less than 22 seconds after being compromised. This shows that these unsecured instances are attacked systematically, with the sole intention of using them for this purpose. The malicious actors also seem to be actively tracking unsecured Google Cloud instances, given that 40% of the unsecured instances were compromised within eight hours of being deployed. Google stated:

“This suggests that the public IP address space is systematically scanned for vulnerable cloud instances. It won’t be a question of whether a vulnerable cloud instance is detected, but rather when.”

To mitigate these risks, the report recommends that users follow basic security best practices and implement container analysis and web scanning, tools that probe the system for security weaknesses using techniques such as crawling.
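
An added example, not taken from the Threat Horizons report or from Google: one way to turn the high-CPU signal and the eight-hour window described above into a triage check over per-instance utilization readings. The thresholds, sampling interval, instance names and readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Assumed values, not from the report; tune them per workload.
SAMPLE_MINUTES = 5        # interval between CPU readings
SATURATED_PCT = 90.0      # reading treated as "CPU pegged"
MIN_RUN = 6               # consecutive pegged readings (30 minutes)
EARLY_WINDOW_MIN = 8 * 60 # the eight-hour window cited in the article

@dataclass
class Finding:
    instance: str
    onset_minutes: int    # minutes after deployment when the run began
    baseline_pct: float   # median utilization before the run
    early: bool           # run began inside the eight-hour window

def find_sustained_load(instance, samples):
    """Return a Finding for the first sustained pegged run, else None.

    samples: CPU % readings taken every SAMPLE_MINUTES since deployment.
    """
    run_start = None
    for i, pct in enumerate(samples):
        if pct < SATURATED_PCT:
            run_start = None          # a short spike resets the run
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 >= MIN_RUN:
            before = samples[:run_start]
            baseline = float(median(before)) if before else 0.0
            onset = run_start * SAMPLE_MINUTES
            return Finding(instance, onset, baseline, onset <= EARLY_WINDOW_MIN)
    return None

def scan(fleet):
    """Check every instance and keep only those with a finding."""
    return [f for name, s in fleet.items() if (f := find_sustained_load(name, s))]

# Constructed readings for hypothetical instances.
FLEET = {
    "web-1": [12, 15, 11, 14, 95, 13, 12, 16, 14, 13, 12, 15],  # one spike
    "dev-7": [5, 6, 4, 97, 98, 99, 98, 97, 99, 98, 97, 98],     # pegged at 15 min
    "db-2": [20] * 100 + [95] * 6,                              # pegged at 500 min
}

if __name__ == "__main__":
    for finding in scan(FLEET):
        print(finding)
```

A finding is a lead for triage rather than proof of mining, since legitimate batch workloads can also keep the CPU pegged.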
