Google's cybersecurity team has released a report claiming that cryptocurrency mining abuse is making Google Cloud accounts vulnerable to hacking.
The report has made startling observations. It alleges that a Russia-based group — APT28/Fancy Bear — launched a Gmail phishing campaign. Google was able to block the attack, said the company.
“Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances,” said the Google report “Threat Horizons”.
Threat Horizons also said North Korean actors impersonated employment recruiters from Samsung to steal credentials. As part of the breach, malicious attachments were sent to employees at several South Korean anti-malware cybersecurity companies.
Google's cybersecurity team found that 86 percent of the 50 compromised Google Cloud accounts were used for cryptocurrency mining. The researchers also revealed that, in a majority of these breaches, the cryptocurrency mining software was downloaded within 22 seconds of the account being compromised. This suggests that the initial attacks and subsequent downloads were “scripted events” not requiring human intervention.
An analysis of the breach attempts revealed that about 10 percent of the compromised Google Cloud accounts were used to conduct scans of other publicly available resources on the internet. The Google team also tracked some fraudsters seeking to abuse Cloud resources to generate traffic to YouTube.
“While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation,” said the report.
The Google team also listed security measures to avoid such breaches. These include using multiple layers of defense to combat theft of credentials and authentication cookies, and “hashing authentication” of the code downloaded by clients.