Hackers Are Using Google Cloud for Cryptocurrency Mining
By Nick Anderson
Cryptocurrency continues to soar in popularity and value, and that is inviting malicious actors to steal computing resources for mining. It is exactly what Google has warned its customers about in a new report. Threat Horizons, published by Google's Cybersecurity Action Team, describes several threats its researchers have identified, including hackers using compromised Google Cloud instances for crypto mining.
Google has also outlined security measures to customers to prevent this from happening.
How Hackers Are Using Google Cloud for Crypto Mining
Google Cloud is a service that lets developers rent computing resources. Just as web hosting lets customers rent space to serve a website, Google Cloud lets developers rent compute, storage and networking in Google's data centers. It allows anyone, especially small businesses, to use serious computing power without building such infrastructure themselves.
Each virtual machine a developer provisions is called an instance. Developers connect to their instances (typically over SSH or RDP) to run their workloads.
Google reports that malicious actors gained access to 50 recently compromised Google Cloud instances. Of those, 86% were used for cryptocurrency mining, 10% were used to scan the internet for other vulnerable systems, and 8% were used as a launch point to attack other targets. The percentages add up to more than 100% because some instances were put to more than one use. It might sound like something out of a hacker movie, but it is real.
In nearly 75% of the cases, hackers got in by exploiting poor security practices or vulnerabilities in third-party software. The most common problem was that the user account or API access on the instance had no password or a weak one, so attackers who were scanning the internet could simply brute force their way in. We have always stressed the importance of a strong password and of additional controls such as two-factor authentication (2FA), which stops a guessed or stolen password from being enough on its own.
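The weak-password compromises described above leave two kinds of evidence a practitioner can check for: a burst of failed password logins followed by a success in the instance's SSH log, and an sshd configuration that still permits password logins at all. The following Python is an added example written for this article, not code from Google or from the report; the log lines and the sshd_config excerpt are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (addresses are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Nov 21 02:14:01 gcp-vm sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Nov 21 02:14:02 gcp-vm sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Nov 21 02:14:02 gcp-vm sshd[1205]: Failed password for root from 203.0.113.7 port 51544 ssh2
Nov 21 02:14:03 gcp-vm sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.7 port 51551 ssh2
Nov 21 02:14:04 gcp-vm sshd[1209]: Failed password for root from 203.0.113.7 port 51560 ssh2
Nov 21 02:14:05 gcp-vm sshd[1211]: Accepted password for root from 203.0.113.7 port 51572 ssh2
Nov 21 02:20:11 gcp-vm sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 40112 ssh2
Nov 21 02:21:00 gcp-vm sshd[1302]: Failed password for deploy from 198.51.100.9 port 40120 ssh2
"""

# Constructed sshd_config excerpt. Note the duplicate PasswordAuthentication line:
# sshd keeps the FIRST value it reads for a keyword, so the later "no" is ignored.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # someone "hardened" this, but it never took effect
ChallengeResponseAuthentication no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield (timestamp, result, method, user, source_ip) for each login event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_brute_force(text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed password logins inside `window`,
    and list any accounts that IP later logged into with a password."""
    fails, accepted = defaultdict(list), defaultdict(list)
    for ts, result, method, user, ip in parse_auth_log(text):
        if method != "password":          # key-based logins are not guessable
            continue
        (fails if result == "Failed" else accepted)[ip].append((ts, user))
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i in range(len(attempts) - threshold + 1):
            first_ts, last_ts = attempts[i][0], attempts[i + threshold - 1][0]
            if last_ts - first_ts <= window:
                later = {u for t, u in accepted[ip] if t >= last_ts}
                findings[ip] = {
                    "failed": len(attempts),
                    "users_tried": sorted({u for _, u in attempts}),
                    "compromised_accounts": sorted(later),
                }
                break
    return findings


# keyword -> (OpenSSH default if absent, values we treat as weak, recommended value)
WEAK_SETTINGS = {
    "passwordauthentication": ("yes", {"yes"}, "no"),
    "permitrootlogin": ("prohibit-password", {"yes"}, "prohibit-password"),
    "permitemptypasswords": ("no", {"yes"}, "no"),
}


def effective_sshd_settings(text):
    """Return {keyword: value} the way sshd resolves it: first occurrence wins.
    Match blocks are ignored here; handle them separately on real configs."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen


def check_sshd_config(text):
    """Return [(keyword, effective_value, recommended_value)] for weak settings."""
    settings = effective_sshd_settings(text)
    problems = []
    for key, (default, weak, want) in WEAK_SETTINGS.items():
        value = settings.get(key, default)
        if value in weak:
            problems.append((key, value, want))
    return problems


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"brute force from {ip}: {info}")
    for key, value, want in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"weak setting {key}={value}; set it to {want}")
```

On the constructed log the scanner at 203.0.113.7 is flagged with five failures in three seconds and a subsequent successful password login as root, which is the pattern the report describes; the single failed login from 198.51.100.9 is not. The config check reports both PermitRootLogin yes and PasswordAuthentication yes, the latter because sshd honors the first directive it sees, a trap worth knowing when you audit a host that was "already hardened".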
Cryptomining is a Serious Threat
Cryptocurrencies are capturing people's interest. Bitcoin and Ethereum have grown significantly in value over the past couple of years, and that has attracted malicious actors who want to exploit other people's computing resources for cryptocurrency mining.
Mining is the process by which new coins are created. Cryptocurrencies like Bitcoin and Ethereum can be bought or acquired through mining. Mining involves repeatedly computing a hash function until a solution meeting the network's difficulty target is found, which validates a new block of transactions on the blockchain ledger. In return, the miner who finds the solution is rewarded with coins. As more mining power joins the network, the difficulty target is raised, so each new coin costs more computation than the last.
It is a computationally intensive task that requires suitable hardware, like graphics cards and ASICs. Many people have invested in cryptocurrency mining by buying expensive hardware that runs 24/7. Malicious actors have found a way around paying for equipment and electricity: they break into computers worldwide and mine silently on someone else's hardware and power bill.
Hackers typically install cryptomining software through malware, such as trojans. A user whose machine is infected with a cryptominer will notice degraded performance; the device feels sluggish even during small tasks like opening a web browser. Cryptojacking is the term for hijacking a device's resources for cryptocurrency mining. Cryptojacking malware often enrolls infected machines in a botnet: each bot connects to a command-and-control (C&C) server to receive instructions and to a mining pool to submit its work. All of the stolen computing power goes toward making the attacker rich in cryptocurrency.
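The symptoms just described translate into host-level indicators a responder can look for on a suspect instance: a process burning nearly all of the CPU, a mining-pool or "stratum" URL in its command line, an executable running out of a scratch directory, a name chosen to look like a system process, and a long-lived outbound connection to a port commonly used by mining pools. The Python below is an added example written for this article, not code from the report or from any detection product; it scores a constructed process and connection snapshot (the kind you would assemble from ps and ss output), and the port list and name list are heuristics, not an authoritative indicator set.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float   # sustained CPU use, as reported by ps
    exe_path: str    # resolved path of the running executable


# Constructed snapshot for illustration. The "kworkerds" name imitates the
# kernel's real kworker threads; the wallet argument is a placeholder.
SAMPLE_PROCS = [
    Proc(412, "nginx", "nginx: worker process", 3.2, "/usr/sbin/nginx"),
    Proc(9031, "kworkerds",
         "./kworkerds -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER",
         97.5, "/tmp/.X11-unix/kworkerds"),
    Proc(2200, "python3", "python3 app.py", 12.0, "/usr/bin/python3"),
    Proc(9044, "xmrig", "xmrig --config=/dev/shm/config.json", 88.0, "/dev/shm/xmrig"),
]
# (pid, local address, remote address), as ss -tnp would show established TCP.
SAMPLE_CONNS = [
    (412, "10.128.0.5:80", "203.0.113.44:51200"),
    (9031, "10.128.0.5:44120", "198.51.100.23:3333"),
    (2200, "10.128.0.5:37000", "10.128.0.9:5432"),
    (9044, "10.128.0.5:44888", "192.0.2.77:14444"),
]

MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "ethminer"}
POOL_PORTS = {3333, 4444, 5555, 7777, 8080, 14444, 14433}   # heuristic, not exhaustive
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def score_process(proc, conns):
    """Return (score, reasons) for one process; higher means more miner-like."""
    score, reasons = 0, []
    if proc.name.lower() in MINER_NAMES:
        score += 3; reasons.append("known miner binary name")
    if STRATUM_RE.search(proc.cmdline):
        score += 3; reasons.append("stratum pool URL in command line")
    if proc.exe_path.startswith(SCRATCH_DIRS):
        score += 2; reasons.append(f"executable in scratch dir {proc.exe_path}")
    if proc.cpu_pct >= 80:
        score += 2; reasons.append(f"sustained CPU {proc.cpu_pct}%")
    for pid, _local, remote in conns:
        port = int(remote.rsplit(":", 1)[1])
        if pid == proc.pid and port in POOL_PORTS:
            score += 2; reasons.append(f"outbound connection to pool-like port {port}")
            break
    return score, reasons


def find_cryptominers(procs, conns, threshold=4):
    """Return {pid: (score, reasons)} for processes scoring at or above threshold.
    A single weak signal (high CPU alone, one odd port alone) is not enough."""
    flagged = {}
    for proc in procs:
        score, reasons = score_process(proc, conns)
        if score >= threshold:
            flagged[proc.pid] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for pid, (score, reasons) in find_cryptominers(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

The threshold is deliberately higher than any single indicator, so a busy but legitimate build job or a database on an unusual port is not flagged on its own; the two constructed miners trip four indicators each. In a real investigation, pair this with the cloud provider's own signals (the report notes that miners are typically dropped within seconds of the initial login, so the first place to look is the authentication log around the time CPU usage jumped).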
Google Warns About Phishing and Ransomware Attacks
In addition to cryptojacking, Google's report warns about state-sponsored phishing. The hacker group known as Fancy Bear (APT28), which is backed by the Russian government, targeted more than 12,000 Gmail users in a single phishing campaign.
While the subject line varied, the body of the email warned recipients that government-backed attackers might be trying to steal their password by tricking them. The email urged them to change their password and sent them to a phishing page made to look like Google's. The attackers captured the password the moment the victim typed it into the "current password" field.
Google's Threat Analysis Group also found that hackers backed by the North Korean government were sending fake job offers while impersonating recruiters at Samsung. The email carried a PDF job description that was deliberately malformed. When the target replied that the file would not open, the attackers sent a Google Drive link to a "Secure PDF Reader", which was in fact a trojanized PDF viewer. Google has since removed the malware.
Google's researchers also identified the BlackMatter ransomware, which is now in the wild. Ransomware is malware that encrypts the data on a victim's device and then demands a ransom for the key. It is highly effective because, without that decryption key, the encrypted data cannot practically be recovered. BlackMatter is faster than most because it spreads the encryption work across all available CPU threads on the victim's machine. The report notes that BlackMatter is highly configurable: attackers can embed stolen credentials in the malware's configuration so that it runs with higher privileges on the device.
Ransomware is among the most destructive malware on the planet. This year it disrupted fuel supply on the U.S. East Coast when the Colonial Pipeline was forced to shut down. Malware is often delivered through phishing, so learning to recognize phishing attempts is an important defense. Two of the best habits are using a strong, unique password and enabling two-factor authentication on every account.