Bitcoin mining is the process of adding more bitcoins to the digital currency ecosystem. (Credit: REX)
Google published its first Threat Horizons report this month detailing hacking threats to its cloud service.
The Google cloud service is a collection of remote computing services which can include storage of customers’ data and files off-site.
The report from Google’s Cybersecurity Action Team found that hackers were performing cryptocurrency mining, a Cloud resource-intensive, for-profit activity, within hacked Google Cloud accounts.
Bitcoin mining is the process of adding more bitcoins to the digital currency ecosystem. Additional bitcoins are added through a computational process called mining. This is done by letting computer hardware calculate complex mathematical equations.
To ensure that no more coins are generated every day than originally intended, the mining process is linked to a difficulty rating which goes up and down depending on the number of miners competing for network blocks.
Out of 50 recently compromised Google Cloud Platform (GCP) instances, 86% were used to perform cryptocurrency mining, according to the report.
The hacked Google Cloud accounts were used for their computing power to mine crypto (Getty)
Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to attack other targets.
Google recently launched its Cybersecurity Action Team, to use more of their security abilities and advisory services to increase customers’ defenses.
‘Malicious hackers exploit improperly-secured cloud instances to download cryptocurrency mining software to the system—sometimes within 22 seconds of being compromised,’ said the report.
In three-quarters of the cloud hacks, hackers had taken advantage of poor customer security or vulnerable third-party software according to Google.
Other threats identified by the team include Russian hackers attempting to gain users’ passwords using a Gmail phishing campaign, North Korean hackers posing as Samsung job recruiters and a new ransomeware called Black Matter used to extort money from victims.
In the majority of cases the cryptocurrency mining software was downloaded within 22 seconds of the account being compromised.
Citing these cyber threats, Google recommended its cloud customers to improve their security by including two-factor authentication — an extra layer of security on top of a generic user name and password — and signing up to the company’s work safer security programme.
The report detailed Russian government-backed hacking group APT28, also known as Fancy Bear, that targeted 12,000 Gmail accounts in a phishing attempt.
The attackers used patterns similar to government-backed attack alerts to lure users to change their credentials on the attacker’s phishing page. However, Google blocked these messages—primarily aimed at UK, the US and India—and no users’ details were compromised.
Google recommends adding two-factor authenticiation to accounts for an extra level of protection (Getty)
The report also highlighted a scam involving a North Korea-backed hacker group posing as recruiters at Samsung, sending fake job opportunities to employees at South Korean information security companies. Victims were directed towards a link to malware stored in a Google Drive, which has since been blocked.
Ransomware was also another significant threat detected by Google where the the attacker hold the victim’s files and data hostage using encryption until a payment is made.
Google warned users of a relatively new ransomware called Black Matter, which could be an immediate offspring of DarkSide, which has been used to target multiple large, high-revenue organizations by holding their sensitive data hostage.
Black Matter is capable of encrypting files on a victim’s hard drive and network in a short period and its victims include the Japanese technology group Olympus.
Google said dealing with ransomware attacks was difficult because the heavy encryption ‘makes recovery of files nearly impossible without paying for the decryption tool’.
Hackers would also use compromised accounts to spread ransomware (Getty Images)
The report said that it had received reports that the Black Matter ransomware group would be shutting down operations due to outside pressure but this is yet to be confirmed.
‘Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact,’ said Google.
While data theft did not occur in these instances the tech giant still deemed it a risk for cloud hacking ‘as bad actors start performing multiple forms of abuse’.
Google aims to publish threat intelligence reports like this in the future that provides threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.