Compromised Cloud Accounts Lead to Cryptomining

As computing shifts to cloud environments, the threat of cyber-attacks against those environments grows. Google has found recent incidents of cryptocurrency mining, ransomware, and phishing campaigns as cloud customers continue to deal with a variety of threats.

Malicious actors exploit poorly-secured instances of Google Cloud Platform (GCP) to download cryptocurrency mining software to compromised systems, stage phishing campaigns, or even manipulate the views of YouTube videos.

In its recent Threat Horizons report, Google’s Cybersecurity Action Team (CAT) noted that even though cloud customers have been exposed to a variety of threats, many of the successful attacks have been due to poor hygiene and insufficient basic security controls.

What’s up with this?

According to Google’s Threat Horizons report, attackers were taking advantage of cloud storage accounts to compromise files and data, using both the storage space and the compute resources of the hijacked accounts to conduct malicious activities such as mining.

  • Of the Google Cloud Platform (GCP) instances compromised in the recent incidents, 86% were used to conduct cryptomining.
  • In 10% of the instances, the compromised system was used to scan other publicly available resources for vulnerabilities.
  • Approximately eight percent of the compromised instances were used to attack additional targets.
  • It is clear that data theft was not the attackers’ aim, but cloud asset compromises still pose many risks.

Unauthorized access was typically caused by weak or no passwords for user accounts or API connections (48%), vulnerabilities in third-party software installed on cloud instances (26%), and credentials being compromised in GitHub projects (4%).

At the end of September 2021, APT28 (aka Fancy Bear) launched a phishing campaign that sent email blasts to over 12,000 accounts, primarily in the U.S., U.K., India, Canada, Russia, Brazil, and Europe, with the aim of stealing the recipients’ credentials.

Furthermore, Google CAT stated that it has detected adversaries exploiting free Cloud credits by posing as bogus firms and using trial projects to pump traffic to YouTube. In a separate incident, a North Korean government-backed attacker group pretended to be Samsung recruiters and sent fraudulent job offers to employees of several South Korean information security firms that market anti-malware software.

The emails contained a PDF that purported to be a job description for a position at Samsung, but the PDFs were “malformed and did not open in a typical PDF reader,” according to the researchers. “When targets said they couldn’t open the job description, attackers sent them a malicious link to malware posing as a ‘Secure PDF Reader’ in Google Drive, which has now been disabled.”

The assaults were linked to the same threat actor who targeted security researchers and developers earlier this year to gain exploits and stage attacks on weak targets of their choosing. “High availability and ‘anywhere, anytime’ access are advantages of cloud-hosted resources,” according to Google CAT. “While cloud-hosted resources simplify workforce operations, malicious actors can attempt to attack cloud resources by exploiting the cloud’s pervasive nature. Despite the public’s increased interest in cybersecurity, spear-phishing and social engineering approaches are still very effective.”

What about cloud computing?

Researchers from TAG discovered a group of attackers who used cloud resources to drive traffic to YouTube in order to manipulate view counts. They adopted new TTPs such as using free trial projects, joining the Google Developer Community to obtain free projects, and claiming starting credits under fictitious businesses. By making small credit card payments and then disputing them, the criminals were able to obtain free credit.

What’s the point?

According to Google, threat actors who gain access to legitimate cloud instances will use them to make money, and in doing so they are able to take advantage of unwitting users.

Conclusion

Attackers will take advantage of any circumstance to obtain financial or political advantage. Cryptomining has become a lucrative business for hackers, and the threat is particularly severe for badly configured cloud instances. Threat intelligence should be operationalized to drive sound cloud configuration and proactive defense against emerging risks, allowing organizations to safeguard their cloud platforms.