Compromised Google Cloud Platform instances are riddled with cryptominers
Google Cloud's Threat Intelligence report revealed some alarming findings about the security of businesses' cloud environments
Google Cloud has revealed that 86% of compromised Google Cloud Platform (GCP) instances in 2021 led to cryptocurrency miners being dropped into customers' environments.
Cryptocurrency miners being installed in cloud instances was the leading issue facing GCP customers this year with 58% of compromised instances having cryptominers installed within just 22 seconds of attackers gaining access.
Google Cloud's Cybersecurity Action Team (CAT) said this led it to believe the process was script-driven and required no human intervention.
GCP customers were targeted heavily with attackers attempting to leverage the high levels of compute available to them, without having to foot the bill.
Google Cloud also revealed cloud instances have been compromised in as little as 30 minutes, with the majority taking just eight hours.
The CAT at Google's cloud arm noticed that attackers are monitoring the public IP address space for signs of unsecured GCP instances, knowing how quickly they can compromise each one.
"Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted," the report read.
"The amount of time from the launch of a vulnerable Google Cloud instance until compromise varied with the shortest amount of time being under 30 minutes."
CAT researchers also noted that threat actors gained access to GCP instances by exploiting poor customer security practices or vulnerable third-party software in almost 75% of all cases.
This meant attackers could easily scan for unsecured GCP instances and brute-force them with minimal difficulty.
Google Cloud customers were also at fault in 26% of cases for installing third-party software in their instances that was then exploited to gain access.
Google Cloud's basic recommended mitigations to the flaws allowing attackers into GCP instances include ensuring accounts always have strong passwords, updating third-party software before exposing a cloud instance to the internet, and not publishing credentials in GitHub projects.
Container Analysis is also available to GCP customers to perform vulnerability scanning and metadata storage for containers, while the Web Security Scanner in the Security Command Center can identify security vulnerabilities in App Engine, Google Kubernetes Engine, and Compute Engine web applications.
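Since the report says attackers simply scan Google Cloud's public IP range for exposed instances, a defender's first step is an inventory of which running instances actually hold a public IP and for how long they have been up. The script below is an added example, not code from the article or from Google Cloud; it parses the JSON that `gcloud compute instances list --format=json` emits (the sample input is constructed) and lists running instances with an external NAT IP.

```python
"""Inventory Compute Engine instances reachable from the public internet.
Added example (not the article's or Google Cloud's code); input is the JSON
from `gcloud compute instances list --format=json`."""
import json
from datetime import datetime, timezone

# Constructed sample standing in for real gcloud output.
SAMPLE = json.dumps([
    {"name": "web-1", "status": "RUNNING", "zone": "projects/demo/zones/us-central1-a",
     "creationTimestamp": "2021-11-24T10:00:00.000-08:00",
     "networkInterfaces": [{"networkIP": "10.128.0.2", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "status": "RUNNING", "zone": "projects/demo/zones/us-central1-a",
     "creationTimestamp": "2021-11-20T10:00:00.000-08:00",
     "networkInterfaces": [{"networkIP": "10.128.0.3"}]},   # internal only
    {"name": "old-1", "status": "TERMINATED", "zone": "projects/demo/zones/us-east1-b",
     "creationTimestamp": "2021-10-01T09:00:00.000-07:00",
     "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.11"}]}]},
])

def external_ips(instance):
    """Every external NAT IP on the instance's interfaces (empty if none)."""
    return [cfg["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for cfg in nic.get("accessConfigs", [])
            if cfg.get("natIP")]

def exposed_instances(instances, now):
    """Running instances with a public IP and hours since creation.
    `now` is a timezone-aware datetime passed in so results are reproducible."""
    findings = []
    for inst in instances:
        if inst.get("status") != "RUNNING":
            continue          # stopped instances are not reachable
        ips = external_ips(inst)
        if not ips:
            continue          # private IP only
        created = datetime.fromisoformat(inst["creationTimestamp"])
        hours = (now - created).total_seconds() / 3600
        findings.append({"name": inst["name"],
                         "zone": inst["zone"].rsplit("/", 1)[-1],
                         "ips": ips, "hours_exposed": round(hours, 1)})
    return findings

def report(raw_json, now=None):
    """Parse gcloud output and return one summary line per exposed instance."""
    now = now or datetime.now(timezone.utc)
    return [f"{f['name']} ({f['zone']}) {', '.join(f['ips'])} up {f['hours_exposed']}h"
            for f in exposed_instances(json.loads(raw_json), now)]
```

Run it against real output with `gcloud compute instances list --format=json | python3 -c 'import sys; from inventory import report; print(*report(sys.stdin.read()), sep="\n")'` (assuming the file is saved as inventory.py); any instance on the list that does not need to be public is a candidate for removing its external IP or fronting it with a load balancer.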