According to a report released by Mountain View, hackers exploit badly configured accounts for the "production" of bitcoin: out of 50 compromise incidents, 86% were related to this activity. At the root lie poor user security practices.
29 Nov 2021
Out of 50 recently compromised Google Cloud accounts, 86% were used to mine cryptocurrency. This is one of the figures released by the Mountain View giant in "Threat Horizons", a report that aims to provide information to help organizations protect their cloud environments. According to Google, cryptocurrency miners use compromised Google Cloud accounts precisely for mining purposes, an activity that often requires large amounts of computing power, which Google Cloud customers can buy at a price. Bitcoin, the most popular cryptocurrency in the world, has not surprisingly been criticized for being too energy-intensive: bitcoin mining uses more energy than some entire countries.
In most cases, according to the data released by Google, the cryptocurrency mining software was downloaded within 22 seconds of the account breach. About 10% of the compromised accounts were also used to scan other publicly reachable resources on the Internet in order to identify vulnerable systems, while 8% of the instances were used to attack other targets.
Access without password or with weak password
Google said the malicious actors were able to log into Google Cloud accounts by exploiting poor customer security practices. Almost half of the compromised accounts were attributed to actors who accessed an Internet-facing cloud account that had no password or a weak one. As a result, these Google Cloud accounts could be easily scanned for and brute-forced. About a quarter of the compromised accounts were due to vulnerabilities in third-party software installed by the owner.
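The two patterns described above, a brute-forced login on an exposed account followed by a miner download within seconds, can be turned into a simple detection. The following is an added example, not code from Google or from the Threat Horizons report: it runs over a handful of constructed audit-log lines (the log format, account names, source addresses and the miner indicator strings are all assumptions made for the example) and flags an account where a burst of failed logins is followed by a success and, within a short window, the start of a miner-like process.

```python
"""Added example: detect brute-forced logins followed by a cryptominer launch.

Not from the Google report. The log format below is constructed for the
example: "<ISO timestamp> <account> <event> <detail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). "svc-build" shows the pattern
# from the report; "alice" is ordinary activity that must not be flagged.
SAMPLE_LOG = """\
2021-11-01T10:00:00Z svc-build auth_fail src=203.0.113.7
2021-11-01T10:00:01Z svc-build auth_fail src=203.0.113.7
2021-11-01T10:00:02Z svc-build auth_fail src=203.0.113.7
2021-11-01T10:00:03Z svc-build auth_fail src=203.0.113.7
2021-11-01T10:00:04Z svc-build auth_fail src=203.0.113.7
2021-11-01T10:00:05Z svc-build auth_ok src=203.0.113.7
2021-11-01T10:00:20Z svc-build process_start cmd=/tmp/xmrig --donate-level=0
2021-11-01T11:00:00Z alice auth_ok src=198.51.100.4
2021-11-01T11:05:00Z alice process_start cmd=/usr/bin/python3 app.py
"""

# Assumed indicator substrings for miner binaries / pool protocols.
MINER_MARKERS = ("xmrig", "minerd", "stratum+tcp")
FAIL_THRESHOLD = 5                     # failed logins from one source before a success
MINER_WINDOW = timedelta(seconds=60)   # report: miner fetched within 22 s of the breach


def parse_line(line):
    """Split one log line into (timestamp, account, event, detail)."""
    ts, account, event, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, detail


def detect(log_text, fail_threshold=FAIL_THRESHOLD, window=MINER_WINDOW):
    """Return findings (dicts) in log order.

    A "brute_force_success" finding is raised when a login succeeds after at
    least `fail_threshold` failures from the same source; a
    "miner_after_breach" finding when that account then starts a process
    matching MINER_MARKERS within `window`.
    """
    fails = defaultdict(int)   # (account, src) -> failures since last success
    breach_at = {}             # account -> time of the suspicious successful login
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, event, detail = parse_line(raw)
        if event == "auth_fail":
            fails[(account, detail)] += 1
        elif event == "auth_ok":
            key = (account, detail)
            if fails[key] >= fail_threshold:
                findings.append({
                    "kind": "brute_force_success",
                    "account": account,
                    "src": detail.split("=", 1)[1],
                    "failures": fails[key],
                    "at": ts,
                })
                breach_at[account] = ts
            fails[key] = 0
        elif event == "process_start":
            cmd = detail.split("=", 1)[1]
            started = breach_at.get(account)
            if (started is not None and ts - started <= window
                    and any(m in cmd.lower() for m in MINER_MARKERS)):
                findings.append({
                    "kind": "miner_after_breach",
                    "account": account,
                    "delay_s": int((ts - started).total_seconds()),
                    "cmd": cmd,
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The two-stage rule matters: a successful login after a burst of failures is noisy on its own, and a process named like a miner is noisy on its own, but the combination within a minute is the sequence the report describes and is worth an alert. The threshold and window are tunable; the default window is deliberately wider than the 22 seconds cited so a slower download still lands inside it.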
Threats of various kinds, from phishing to sending malicious attachments
But the "threats" to cloud accounts don't stop there: "The cloud threat landscape in 2021 extends far beyond mere cryptocurrency miners," wrote Bob Mechler, director of the information security office at Google Cloud, and Seth Rosenblatt, Google Cloud Security Editor. Google also reportedly blocked a phishing attack by the Russian group APT28 / Fancy Bear in late September. In addition, Google researchers identified a North Korean government-backed group posing as Samsung recruiters in order to send malicious attachments to employees of several South Korean anti-malware cybersecurity companies.