In cybersecurity, threats are like mosquitoes on a humid August evening: as soon as you knock one out, another one is already biting at your neck.
For end-users, threat intelligence is key to improving the configuration of environments and defenses, which is something Google is hoping to make easier with its new Threat Horizons report.
The report was published by Google's Cybersecurity Action Team and is based on observations from its Threat Analysis Group (TAG) and other internal teams.
Google's stated goal is to provide "actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever evolving threats."
This leads us to the first section of the report, which is dedicated to looking at how malicious actors use compromised Google Cloud instances for cryptocurrency mining.
Compromised Google Cloud used for cryptomining
Cryptocurrency mining has taken off in popularity in the last few years, for end-users and threat actors alike. And Google says you may be paying for cryptominers to use your cloud.
Of 50 recently compromised Google Cloud instances, 86% were used to perform cryptomining, according to the report. Additionally, 10% of the compromised instances were used to conduct scans of other publicly available resources to identify vulnerable systems, and 8% were used to attack other targets (the categories overlap, since one instance can be put to more than one use).
So how are malicious threat actors gaining access? Google breaks down the causes of compromise it observed and how frequently each occurred:
- Weak or no password for user account or no authentication for APIs; 48%
- Vulnerability in third-party software in the Cloud instance was exploited; 26%
- Other issues; 12%
- Misconfiguration of Cloud instance or in third-party software; 12%
- Leaked credentials, e.g., keys published in GitHub projects; 4%
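Leaked keys in source repositories are the last item on that list, and they are the easiest to catch before they ever reach GitHub. The following is an added example written for this article, not code from Google or from the report: a small pre-commit-style scanner that walks a checkout and flags Google Cloud service account key files (JSON with `"type": "service_account"` and a `private_key` field), bare PEM private keys, and strings matching the common `AIza…` API key pattern. The sample repository contents are constructed, the key material is fake, and the file paths are hypothetical.

```python
import json
import os
import re

# Constructed sample repository contents for this example (fake key material,
# hypothetical paths): one committed service account key file, one hard-coded
# API key, one clean file.
SAMPLE_REPO = {
    "infra/deploy-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef0123456789abcdef01234567",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvFAKEFAKEFAKE\n-----END PRIVATE KEY-----\n",
        "client_email": "deployer@example-project.iam.gserviceaccount.com",
    }),
    "app/settings.py": 'GOOGLE_API_KEY = "AIzaSyDFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE"\n',
    "README.md": "Build with `make`. Credentials come from the metadata server, not from files.\n",
}

# PEM block marker as written by RSA, EC and PKCS#8 private keys.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# Google API keys are 39 characters starting with "AIza"; this is the pattern
# most secret scanners use for them.
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        # A downloaded service account key: a long-lived, non-expiring credential.
        findings.append({"path": path, "kind": "gcp_service_account_key",
                         "detail": doc.get("client_email", "unknown")})
    elif PEM_PRIVATE_KEY.search(text):
        findings.append({"path": path, "kind": "pem_private_key", "detail": "PEM block"})
    for match in GOOGLE_API_KEY.finditer(text):
        # Report only a prefix so the scanner's own output does not leak the key.
        findings.append({"path": path, "kind": "google_api_key",
                         "detail": match.group(0)[:8] + "..."})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping (used for the constructed sample above)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_directory(root):
    """Walk a real checkout, skipping .git, and scan every file as text."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_REPO):
        print(f"{finding['path']}: {finding['kind']} ({finding['detail']})")
```

Run `scan_directory(".")` from a pre-commit hook or CI job and fail the build on any finding; the JSON check matters more than the regexes, because a service account key that reaches a public repository is valid until someone deletes it in IAM, not until it expires.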
Cryptominer timeline: compromise to exploitation
If attackers are attempting to use your compromised cloud instances for cryptomining, they can do so before you finish reading this story.
Google found that in 58% of these cases, the cryptomining software was downloaded within 22 seconds of the instance being compromised. Google shares what this means:
"This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention. The ability to manually intervene in these situations to prevent exploitation is nearly impossible. The best defense would be to not deploy a vulnerable system or have automated response mechanisms."
The report also says this:
"The shortest amount of time between deploying a vulnerable Cloud instance exposed to the Internet and its compromise was determined to be as little as 30 minutes. In 40% of instances the time to compromise was under eight hours. This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when."
Mitigating cloud cryptomining risk
Beyond reminding end-users of basics like strong passwords, Google provides a list of recommendations and resources to help keep cloud environments from being used for cryptomining.
These resources are:
- "A variety of access control options within Compute Engine including using service accounts to authenticate apps instead of using user credentials."
- "Policy Intelligence tools to help understand and manage policies to proactively improve security configurations."
- "Pre-defined configurations through Assured Workloads to reduce the risk of accidental misconfigurations by choosing from available platform security configurations, controls can be put in place."
- "Conditional alerts in the Cloud Console to determine when resource consumption exceeds certain thresholds."
- "Enforcing and monitoring password requirements for their users through the Google Admin console."
- "Recommendations for designing online applications with a password-based authentication system."
- "Best practices for configuring Cloud environments."
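Taken together, the timeline section and this list make one operational point: compromise and miner deployment are scripted and fast, so the response has to be scripted too, and Google's own list names conditional alerts on resource consumption as the trigger. The following is an added example written for this article, not Google's code and not taken from the report. It holds an alert definition in the shape of a Cloud Monitoring alert policy condition (a `conditionThreshold` on `compute.googleapis.com/instance/cpu/utilization`), evaluates it locally with a simplified threshold-for-duration rule over constructed CPU readings for three hypothetical instances, and turns any alert into the `gcloud` command an automation job would run. The local evaluator approximates the service's semantics rather than reproducing them, the instance names, zone and readings are constructed, and stopping the instance outright is a deliberate simplification (a real runbook would snapshot the disk for forensics first).

```python
import re
from collections import defaultdict

# Alert definition in the shape of a Cloud Monitoring alert policy condition.
# Thresholds and duration are assumptions chosen for this example.
CPU_ALERT_POLICY = {
    "displayName": "Sustained CPU above 90% (possible cryptominer)",
    "conditions": [{
        "displayName": "gce_instance CPU utilization",
        "conditionThreshold": {
            "filter": 'metric.type="compute.googleapis.com/instance/cpu/utilization" resource.type="gce_instance"',
            "comparison": "COMPARISON_GT",
            "thresholdValue": 0.9,
            "duration": "300s",
            "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_MEAN"}],
        },
    }],
}


def _seconds(value):
    """Parse the "300s" style duration strings used in alert policies."""
    match = re.fullmatch(r"(\d+)s", value)
    if not match:
        raise ValueError(f"unsupported duration: {value}")
    return int(match.group(1))


def align_mean(samples, period):
    """Average raw (t_seconds, value) samples into period-wide buckets
    (a local stand-in for ALIGN_MEAN)."""
    buckets = defaultdict(list)
    for t, v in samples:
        buckets[(t // period) * period].append(v)
    return [(t, sum(vs) / len(vs)) for t, vs in sorted(buckets.items())]


def evaluate_condition(cond, series_by_instance):
    """Fire once per instance whose aligned CPU stays above the threshold for
    at least the configured duration. Brief spikes reset and do not fire."""
    if cond["comparison"] != "COMPARISON_GT":
        raise ValueError("this local evaluator only implements COMPARISON_GT")
    threshold = cond["thresholdValue"]
    duration = _seconds(cond["duration"])
    period = _seconds(cond["aggregations"][0]["alignmentPeriod"])
    alerts = []
    for instance, samples in series_by_instance.items():
        violation_start = None
        for t, v in align_mean(samples, period):
            if v > threshold:
                if violation_start is None:
                    violation_start = t
                if t - violation_start >= duration:
                    alerts.append({"instance": instance, "fired_at": t, "value": round(v, 2)})
                    break
            else:
                violation_start = None
    return alerts


def plan_response(alerts, zone="us-central1-a"):
    """Automated response: a human cannot react within the seconds the report
    describes, so each alert maps to a scripted action. The zone is an assumption;
    a production runbook would snapshot the boot disk before stopping."""
    return [f"gcloud compute instances stop {a['instance']} --zone {zone}" for a in alerts]


def constructed_series():
    """Constructed CPU utilization readings (fraction 0..1) every 30 s for 15 minutes
    for three hypothetical instances."""
    series = {}
    # Idle web server: never alerts.
    series["web-1"] = [(t, 0.2) for t in range(0, 900, 30)]
    # Two-minute build job: above threshold briefly, then idle; must not alert.
    series["build-3"] = [(t, 0.98 if 120 <= t < 240 else 0.1) for t in range(0, 900, 30)]
    # Saturated from t=180 s onward, the miner pattern; must alert.
    series["vm-7"] = [(t, 0.96 if t >= 180 else 0.3) for t in range(0, 900, 30)]
    return series


if __name__ == "__main__":
    cond = CPU_ALERT_POLICY["conditions"][0]["conditionThreshold"]
    fired = evaluate_condition(cond, constructed_series())
    for alert in fired:
        print(alert)
    for cmd in plan_response(fired):
        print(cmd)
```

Run as-is, only `vm-7` fires, 300 seconds after its first aligned reading above 0.9, and `build-3` does not, which is the point of the duration clause: a threshold alone would page on every compile. The same policy dictionary, serialized to JSON or YAML, is what you would hand to the Cloud Monitoring API or `gcloud` to create the real alert, with a notification channel that triggers the automation instead of a person.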