Crypto Mining Hackers vs. Cloud Computing—Google States the Obvious

Google’s new Cybersecurity Action Team (CAT) would like you to know that insecure cloud instances can be hijacked by hackers. And the #1 workload they use to steal your CPU time is cryptocurrency mining.

Stop the press. Did we really need to be told that? Seems pretty obvious. It’s hardly the first time we’ve heard about thieves creating imaginary money with stolen IaaS compute resources.

But let’s look closer. In today’s SB Blogwatch, we see if there’s a “there” there.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Seltsame Fakten zu Deutschland (Strange facts about Germany).

GCP CAT Fluff

What’s the craic? Simon Sharwood says—“Google advises passwords are good, spear phishing is bad, and free clouds get attacked”:

Authentication and security are good ideas
The report advises that analysis of 50 recently hijacked Google Cloud instances revealed 86 percent were put to work mining cryptocurrency. Crims got in because, in 48 percent of cases, operators didn’t have a password, had a weak password, or didn’t bother authenticating APIs.

Thanks, Google! We’re not sure [we] could have figured out that authentication and security are good ideas. … Perhaps future reports, which are promised to offer “Early Warning announcements about emerging threats requiring immediate action” will prove a little more exciting.

Is that snark entirely fair? Scott Chipolina clears away the turkey—“Hackers Are Breaking into Cloud Accounts to Mine Crypto”:

Obtaining profit
A Google Threat Horizon Report … published by the Google Cybersecurity Action Team … has raised concerns over hacked cloud accounts being used to mine cryptocurrency. … According to the report, the two common goals behind this activity involve “obtaining profit” and “traffic pumping.”

O RLY? Dan Milmo adds leftover cranberries—“Cryptocurrency miners using hacked cloud accounts, Google warns”:

Poor customer security
“Mining” is the name for the process by which blockchains such as those that underpin cryptocurrencies are regulated and verified, and requires a significant amount of computing power. … In the majority of cases the cryptocurrency mining software was downloaded within 22 seconds of the account being compromised.

Google said that in three-quarters of the cloud hacks the attackers had taken advantage of poor customer security or vulnerable third-party software. Google’s recommendations to its cloud customers to improve their security include two-factor authentication – an extra layer of security on top of a generic user name and password – and signing up to the company’s work safer security programme.

What can be done? Google’s CAT suggests these “Countermeasures”:

    • Follow password best practices and best practices for configuring Cloud environments.
    • Update third-party software prior to a Cloud instance being exposed to the web.
    • Avoid publishing credentials in GitHub projects. …
    • Use service accounts … to authenticate apps instead of using user credentials. …
    • Use predefined configurations … to reduce misconfigurations.
    • Set up conditional alerts … to send alerts upon high resource consumption.
    • Enforce and monitor password requirements for users.
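The last-but-one bullet, "conditional alerts upon high resource consumption", is the one that catches a miner after every other control has failed, because a hijacked instance tends to sit at full CPU for hours. The following is an added example, not Google's code or anything from the report: a minimal alert rule over a few constructed CPU-utilisation samples that fires only when an instance stays above a threshold for a sustained window, so a short build job is ignored while a pinned CPU is not. The instance names, timestamps and utilisation values are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample metrics: (instance name, ISO timestamp, CPU utilisation as a fraction 0..1).
# 'build-01' shows a short CI spike, 'web-02' is pinned at full CPU for 20 minutes (miner-like),
# 'db-03' is idle. Samples are five minutes apart.
SAMPLES = [
    ("build-01", "2021-11-25T10:00:00", 0.12),
    ("build-01", "2021-11-25T10:05:00", 0.97),
    ("build-01", "2021-11-25T10:10:00", 0.95),
    ("build-01", "2021-11-25T10:15:00", 0.08),
    ("web-02",   "2021-11-25T10:00:00", 0.99),
    ("web-02",   "2021-11-25T10:05:00", 0.98),
    ("web-02",   "2021-11-25T10:10:00", 1.00),
    ("web-02",   "2021-11-25T10:15:00", 0.99),
    ("web-02",   "2021-11-25T10:20:00", 0.99),
    ("db-03",    "2021-11-25T10:00:00", 0.31),
    ("db-03",    "2021-11-25T10:10:00", 0.28),
]


def sustained_high_cpu(samples, threshold=0.9, window_minutes=15):
    """Return one alert per instance whose CPU stayed >= threshold for at least window_minutes.

    A 'run' is a sequence of consecutive samples at or above the threshold; the run length is
    measured from its first to its last sample, so a single spike never reaches the window.
    """
    by_instance = defaultdict(list)
    for name, ts, util in samples:
        by_instance[name].append((datetime.fromisoformat(ts), util))

    alerts = []
    for name, points in by_instance.items():
        points.sort()
        run_start = run_end = None
        run_peak = 0.0
        # A sentinel sample below the threshold closes any run still open at the end.
        for ts, util in points + [(None, 0.0)]:
            if util >= threshold:
                if run_start is None:
                    run_start, run_peak = ts, util
                run_end = ts
                run_peak = max(run_peak, util)
            else:
                if run_start is not None:
                    minutes = (run_end - run_start).total_seconds() / 60
                    if minutes >= window_minutes:
                        alerts.append({"instance": name, "start": run_start.isoformat(),
                                       "end": run_end.isoformat(), "peak": run_peak,
                                       "minutes": minutes})
                run_start = run_end = None
                run_peak = 0.0
    return alerts


if __name__ == "__main__":
    for alert in sustained_high_cpu(SAMPLES):
        print(f"ALERT {alert['instance']}: CPU >= 90% for {alert['minutes']:.0f} min "
              f"({alert['start']} .. {alert['end']}), peak {alert['peak']:.2f}")
```

With the defaults only `web-02` fires; lowering `window_minutes` to 5 also catches the build spike, which is the trade-off a real alert policy has to make between catching a miner early and paging on every legitimate burst. In production the same rule would be expressed as a monitoring alert policy over the provider's CPU metric with a duration condition rather than evaluated in a script.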

That second bullet reminds u/thecoller of some former cow-orkers:

Total idiots
Had a team in my previous job list a repo as public by mistake and leave some AWS credentials in a file. Not even an hour later massive EC2 instances had been launched triggering billing alarms. If the miners hadn’t been total idiots they would have gone with many smaller ones and not raised suspicion for weeks.
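Both the "Avoid publishing credentials in GitHub projects" countermeasure above and u/thecoller's story describe the same failure: a file with live cloud credentials reaches a repository that later turns out to be public. The cheapest control is a scanner that runs before the commit is made. What follows is an added example, not code from Google, from the commenter or from any real scanner: a small checker over a constructed in-memory "repository" that flags AWS access key IDs, AWS secret keys, private-key blocks and Google service-account key files. The AWS key values are the public placeholders from AWS's own documentation, the service-account JSON is a made-up dummy, and the file paths are invented for the illustration.

```python
import json
import re
import sys

# Credential shapes that should never land in source control. The AWS access key ID format
# (AKIA/ASIA plus 16 upper-case alphanumerics) and the PEM private-key header are public
# formats; the secret-key pattern looks for a 40-character value assigned to the usual name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed repository contents (path -> file text). Values are documentation placeholders.
FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "keys/sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123abcd",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvDUMMYKEYMATERIAL\n-----END PRIVATE KEY-----\n",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
    }, indent=2),
    # Benign: references the environment instead of embedding a value.
    "docker-compose.yml": "environment:\n  AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}\n",
    "README.md": "Set your password in the environment, never in this repo.\n",
}


def scan_file(path, text):
    """Return (path, line_number, kind) findings for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, kind))
    # A Google service-account key is a JSON document with type "service_account"
    # and an embedded private key; report the whole file (line 0) as one finding.
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        findings.append((path, 0, "gcp_service_account_key"))
    return findings


def scan_repo(files):
    """Scan every file; returns a flat list of findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


if __name__ == "__main__":
    # Usable as a pre-commit gate: a non-zero exit blocks the commit.
    hits = scan_repo(FILES)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if hits else 0)
```

The point of the exit code is that the check runs where the mistake is made, on the developer's machine, rather than after the repository is already public. Patterns like these produce false positives (any 40-character base64 string next to the right variable name), which is acceptable for a gate that a human reviews, but a real deployment would pair it with rotating any key that does get committed, since a leaked key should be treated as compromised regardless of how quickly it is removed.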

But it’s all a bit heavy on the victim blaming, don’cha’fink? Kevin McMurtrie does:

Google says everyone else needs to do better
Is this a joke? Does Google even have a working means of reporting Gmail phishing, GCP hosted hacking and fake stores, Trojan horse Play Store apps, Google Calendar hacks, Google Photos hacks, Google Groups scammers, [etc.]?

No. If it hurts competitors more than Google, Google says everyone else needs to do better.

Is this news? u/blooping_blooper thinks not:

This is hardly new – people have been hacking AWS and Azure accounts for years to run miners, usually through leaked credentials.

Going further, here’s bradley13:

The first measures
Not news. This has been going on for years. Have an AWS or Azure account with lousy security? It won’t be long before someone has hacked it, either to run mining or to add it to a botnet.

If you put up a cloud server on any of these services, and don’t restrict the IP ranges for things like SSH access, you will be absolutely bombarded with hacking attempts. One of the first measures you must take, preferably in advance of booting the server, is to restrict SSH and RDP to only the addresses that you actually use.
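bradley13's "first measure", restricting SSH and RDP to the addresses you actually use, is something you can check mechanically across every firewall rule in a project. The following is an added example, not the commenter's code or any cloud provider's tooling: an audit over a constructed list of ingress rules, shaped like the cloud firewall rule records you would export from a project (name, direction, source ranges, allowed protocol and ports), that flags any rule exposing port 22 or 3389 to a source range outside an allow-list of trusted admin networks. The rule names and the trusted ranges (drawn from the documentation-only TEST-NET blocks) are invented for the illustration.

```python
import ipaddress

# Hypothetical trusted admin networks (TEST-NET documentation ranges, constructed for the example).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.7/32")]
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed firewall rules, modelled on the fields a cloud firewall export carries.
RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    # A port range that happens to include 22, from a /8 that is far wider than the office.
    {"name": "allow-ssh-wide", "direction": "INGRESS", "sourceRanges": ["203.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    # 'all' protocols with no port list means every port, including SSH.
    {"name": "allow-all-from-bastion", "direction": "INGRESS", "sourceRanges": ["198.51.100.7/32"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-everything", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]


def ports_overlap(ports, watch):
    """True if a port list (entries like '22' or '20-25', or absent meaning all) covers any watched port."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in watch):
            return True
    return False


def is_trusted(cidr):
    """True if the source range lies entirely inside one of the trusted admin networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == trusted.version and net.subnet_of(trusted)
               for trusted in TRUSTED_RANGES)


def audit_admin_exposure(rules):
    """Return (rule name, offending source ranges) for ingress rules that open SSH/RDP too widely."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue  # egress rules do not expose a listener
        exposes_admin_port = any(
            entry["IPProtocol"] in ("tcp", "all") and ports_overlap(entry.get("ports"), ADMIN_PORTS)
            for entry in rule.get("allowed", []))
        if not exposes_admin_port:
            continue
        untrusted = [src for src in rule.get("sourceRanges", []) if not is_trusted(src)]
        if untrusted:
            findings.append((rule["name"], untrusted))
    return findings


if __name__ == "__main__":
    for name, sources in audit_admin_exposure(RULES):
        print(f"{name}: SSH/RDP reachable from {', '.join(sources)}")
```

Two details matter in practice and are handled above: a port *range* that merely contains 22 is as exposed as a rule that names it, and a rule with no port list allows every port. The check is deliberately strict (a source range is trusted only if it is a subnet of an allow-listed network), which is the right default for administrative ports; it says nothing about whether the instance also has a public IP at all, which is the other half of the same question.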

Wait. Pause. fredblogggs sees both sides:

The supply side of crime
Of course all this is dreadfully obvious. And equally obvious is that fact that despite having been able to read exactly the same advice from every imaginable source for the past decade or more, people still don’t bother to take even the simplest … precautions.

For the rest of us who might have welcomed a serious threat intelligence report, Google are more likely to be included in the threat model than the solution space. As the saying goes, they’re more on the supply side of crime.

Meanwhile, a slightly sarcastic u/panda4sleep has had enough of imaginary money:

bUt iT’s a LeGit CurRenCy.

And Finally:

Actually not clickbait

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Dominik Vanyi (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
