Illicit Coin Mining, Ransomware, APTs Target Cloud Users In First Google Cybersecurity Action Team Threat Horizons Report

A big part of this is to bridge our collective threat intelligence to yield specific insights, such as when malicious hackers exploit improperly-secured cloud instances to download cryptocurrency mining software to the system—sometimes within 22 seconds of being compromised. This is one of several observations that we have published in the first issue of the Threat Horizons report (read the executive summary or the full report.) The report highlights recent observations from the Google Threat Analysis Group (TAG), Google Cloud Security and Trust Center, Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams who collectively work to protect our customers and users.

The report’s goal is to provide actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats. In this and future threat intelligence reports, the Google Cybersecurity Action Team will provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.

While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Most recently, our internal security teams have responded to cryptocurrency mining abuse, phishing campaigns, and ransomware. Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact.

The cloud threat landscape in 2021 was more complex than just rogue cryptocurrency miners, of course. Google researchers from TAG exposed a credential phishing attack by Russian government-supported APT28/Fancy Bear at the end of September that Google successfully blocked; a North Korean government-backed threat group which posed as Samsung recruiters to send malicious attachments to employees at several South Korean anti-malware cybersecurity companies; and detected customer installations infected with Black Matter ransomware (the successor to the DarkSide ransomware family.)

Across these four instances of malicious activity, we see the impact of poorly-secured customer installations. To stop them, we embrace a shared fate model with our customers, and provide trends and lessons learned from recent cybersecurity incidents and close calls. We suggest several concrete actions for customers that will help them manage the risks they face. Vulnerable GCP instances, spear-phishing attacks, patching software, and using public code repositories all come with risks. Following these recommendations can reduce the chance of unexpected financial losses and outcomes that may harm your business:

• Audit published projects to ensure certs and credentials are not accidentally exposed. Certs and credentials are mistakenly included in projects published on GitHub and other repositories on a regular basis. Audits help avoid this mistake.
• Authenticate downloaded code with hashing. The common practice for clients to download updates and code from cloud resources raises the concern that unauthorized code may be downloaded in the process. Meddler in the Middle (MITM) attacks may cause unauthorized source code to be pulled into production. Hashing and verifying all downloads preserves the integrity of the software supply chain and establishes an effective chain of custody.
• Use multiple layers of defense to combat theft of credentials and authentication cookies. Cloud-hosted resources have the benefit of high availability and “anywhere, anytime” access. While this streamlines workforce operations, malicious actors try to take advantage of the ubiquitous nature of the cloud to compromise cloud resources. Despite the growing public attention to cybersecurity, spear-phishing and social engineering tactics are frequently successful, so defensive measures need to be robust and layered to protect cloud resources due to ubiquitous access. In addition to two-factor authentication, Cloud administrators should strengthen their environment through Context-Aware Access and solutions such as BeyondCorp Enterprise and Work Safer.

The executive summary of the Threat Horizons report is available here, and the full report goes into greater detail of the current cloud threat landscape and the steps we recommend to reduce those risks, and can be downloaded here.