Google’s November 2021 Threat Horizons report has revealed that a large number of hacked Google Cloud instances are used to mine cryptocurrency. According to the report, as many as 86% of 50 recently compromised Google Cloud instances were being used to perform cryptocurrency mining. While the hacker gets to walk away with any crypto they mine, the victim of the attack is left footing the bill for the usage.
Listing the most common ways the instances were breached, Google said 48% of instances had weak or no passwords for user accounts or no authentication for APIs, 26% of incidents were due to a vulnerability in third-party software in the Cloud instance, 12% were attributed to ‘other issues’, another 12% were due to the misconfiguration of Cloud instances or of third-party software, and just 4% of hacks were the result of leaked credentials such as keys posted to GitHub.
Google believes that many of the attacks were scripted and didn’t require human intervention because, in 58% of situations, it noticed that mining software had been downloaded to the instances within 22 seconds of their being compromised. It said that responding manually to scripted attacks is next to impossible, so users should ensure their systems are not vulnerable or have automated systems in place to stop the attack.
In most cases, victims are not specifically chosen by hackers. Instead, the hackers scan Google Cloud IPs and look for any vulnerable systems. Google said that insecure instances can be targeted in as little as 30 minutes, so it’s very important that you follow the best practices.
Aside from following Google’s best practices, you should ensure your accounts always have strong passwords, make sure third-party software is up to date before allowing the instance to be exposed to the web, and be careful not to expose credentials on GitHub.