Hackers Are Now Using Compromised Cloud Accounts To Mine Crypto

Attackers are exploiting poorly configured cloud accounts to mine crypto, Google warned users in a recent report.

Cryptocurrency mining is a computationally intensive activity. And Google Cloud customers can access it at a cost. However, miners are now hacking Google Cloud accounts for mining purposes. In the report titled “Threat Horizons,” Google’s cybersecurity team assessed various threats to Cloud users, providing details of the breaches.

Related Reading | Data Shows Crypto Hacks And Fraud In 2021 Are On Track For A New Record

The report also provided cybersecurity threat intelligence to cloud users. The aim is to enable them “better configure their environments and defenses in manners most specific to their needs.”

In the report, the cybersecurity team analyzed 50 recently compromised Google Cloud accounts. And out of those, 86% were related to crypto mining. “Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances,” Google wrote.

Related Reading | Ethereum Miner Revenue Outpaces Bitcoin In 2021

The report also stated that in the majority of these incidents, the hackers downloaded crypto mining software to the compromised accounts within 22 seconds. The attacks were scripted, and it would have been impossible to manually stop them. Additionally, in 10% of these incidents, the hackers scanned other publicly available resources on the Internet to identify vulnerable systems. While in 8% of the instances, they attacked other targets.

However, as reported by the cybersecurity team, the crypto mining hacks were not the only attacks.

“The cloud threat landscape in 2021 was more complex than just rogue cryptocurrency miners, of course,” wrote Bob Mechler, Google Cloud Director of the office of the Chief Information Security Officer, and Seth Rosenblatt, Google Cloud Security Editor, in a blog post.

Another threat the team identified was a phishing attack by the Russian group called APT28, or Fancy Bear. The attackers targeted 12,000 Gmail accounts in a mass phishing attempt. They attempted to trick users into handing over their login details. Google, however, said it had blocked all the phishing emails, and no user was compromised.

The report also pointed out an attack by a North Korean government-backed group. This hacker group posed as Samsung recruiters, sending fake job opportunities to employees at South Korean information security companies. They attached a malicious link to malware stored in Google Drive. Google said it also blocked it.

Another threat to cloud users is ransomware attacks, whereby hackers encrypt users’ data until they pay. In the report, Google mentions the formidable Black Matter ransomware group. And although the group announced that it was shutting down earlier this month, Google is still cautious. “Google has received reports that the Black Matter ransomware group has announced it will shut down operations given outside pressure. Until this is confirmed, Black Matter still poses a risk.”

Google attributes some of these attacks to users’ poor security practices. And also vulnerabilities in third-party software that the users install.

The report also recommends a few ways to prevent these attacks. One of which is enabling two-factor authentication.