86% of compromised Google Cloud instances were used for illegal crypto mining
Many successful attacks on cloud infrastructure come down to poor security hygiene and missing controls. Without robust protection, cloud services become easy targets for attackers looking to launch a variety of cyberattacks.
According to data presented by the Atlas VPN team, 86% of compromised Google Cloud instances were used for illegal cryptocurrency mining. Most of the compromises were due to weak or no passwords on user accounts, or to APIs exposed without any authentication.
The data comes from the first issue of Threat Horizons, the cloud threat intelligence report published by Google's Cybersecurity Action Team, which draws on findings from the Threat Analysis Group (TAG), Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other Google teams.
Attackers used compromised Google Cloud instances for cryptocurrency mining 86% of the time. Mining is a for-profit activity that consumes large amounts of CPU and GPU time; by running miners on victims' instances, criminals keep the profit while the victim pays the compute bill.
Port scanning of other targets on the internet followed 10% of compromises. Port scanning reveals which ports on a host are open and accepting connections, which lets attackers identify exposed services and look for vulnerabilities to exploit.
Attacks against other targets on the internet followed 8% of compromises, hosting malware on the instance 6%, and hosting other unauthorized content 4%.
Running DDoS bots and sending spam were the least common uses, at 2% each. The categories overlap, since a single compromised instance can be put to several uses, which is why the figures sum to more than 100%.
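Two of the post-compromise behaviours above, mining and port scanning, leave recognisable traces in host and flow telemetry. The following is an added example, not code from the report or from Atlas VPN: it runs two simple rules over constructed log lines. The log formats, the indicator strings (stratum is the protocol most mining pools speak) and the 20-port threshold are assumptions chosen for illustration, not figures from the report.

```python
"""Added example: flag mining and port scanning in constructed host and flow logs."""
import re
from collections import defaultdict

# Assumed indicator strings. Most mining pools speak the stratum protocol,
# so a miner's command line usually names a stratum+tcp:// or stratum+ssl:// pool.
MINING_MARKERS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "--donate-level")

# Assumed threshold: one source touching this many distinct ports on a
# single host inside the log window is treated as a port scan.
SCAN_PORT_THRESHOLD = 20

PROCESS_RE = re.compile(r"^\S+ pid=(\d+) exe=(\S+) cmd=(.*)$")
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed process-audit lines: "<timestamp> pid=<n> exe=<path> cmd=<argv>".
PROCESS_LOG = """\
2021-11-20T10:00:01Z pid=1342 exe=/usr/sbin/sshd cmd=/usr/sbin/sshd -D
2021-11-20T10:02:17Z pid=1911 exe=/tmp/.x/kswapd0 cmd=/tmp/.x/kswapd0 -o stratum+tcp://pool.example.invalid:3333 -u 4AbCwallet... --donate-level 1
2021-11-20T10:03:00Z pid=1920 exe=/usr/bin/python3 cmd=/usr/bin/python3 /srv/app/worker.py
"""

# Constructed VPC-flow-style records: one compromised instance (10.128.0.5)
# probes 25 consecutive ports on 203.0.113.9, plus two benign connections.
FLOW_LOG = "\n".join(
    [f"2021-11-20T10:05:{i:02d}Z src=10.128.0.5 dst=203.0.113.9 dport={port} proto=6"
     for i, port in enumerate(range(20, 45))]
    + [
        "2021-11-20T10:06:00Z src=10.128.0.5 dst=203.0.113.10 dport=443 proto=6",
        "2021-11-20T10:06:01Z src=10.128.0.7 dst=203.0.113.9 dport=443 proto=6",
    ]
)


def find_mining_processes(log):
    """Return {pid, exe, marker} for each process whose argv contains a mining marker."""
    hits = []
    for line in log.splitlines():
        m = PROCESS_RE.match(line)
        if not m:
            continue
        pid, exe, cmd = m.groups()
        lowered = cmd.lower()
        for marker in MINING_MARKERS:
            if marker in lowered:
                hits.append({"pid": pid, "exe": exe, "marker": marker})
                break
    return hits


def find_port_scans(log, threshold=SCAN_PORT_THRESHOLD):
    """Return (src, dst, distinct_ports) for every src/dst pair at or above the threshold."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, dst, dport = m.groups()
            ports[(src, dst)].add(int(dport))
    return sorted(
        (src, dst, len(seen)) for (src, dst), seen in ports.items() if len(seen) >= threshold
    )


if __name__ == "__main__":
    for hit in find_mining_processes(PROCESS_LOG):
        print(f"possible miner: pid={hit['pid']} exe={hit['exe']} matched {hit['marker']!r}")
    for src, dst, count in find_port_scans(FLOW_LOG):
        print(f"possible port scan: {src} -> {dst} touched {count} distinct ports")
```

In production the same rules would run over process-creation events from the guest and over VPC flow logs rather than over strings; the miner rule is deliberately crude (a renamed binary defeats an executable-name check, which is why the pool URL and donate flag are matched on the command line, not the path), and the scan rule should be windowed in time so that a long-running legitimate client does not accumulate ports across a day.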
Most exploited vulnerabilities
Attackers look for the simplest way into a target. Some exploits demand real skill; others amount to no more than guessing a weak password.
Weak or no passwords on user accounts, or APIs exposed with no authentication, accounted for 48% of Google Cloud compromises. Most of these would have been avoided by setting strong passwords and requiring authentication on every exposed API; leaving a service reachable with no authentication at all makes the attacker's job trivial.
A vulnerability in third-party software running on the instance was exploited in 26% of cases. Where the vulnerability was a zero-day, no patch existed to apply; where a patch had already been released, the compromise comes down to the instance owner not applying it in time.
Misconfiguration of the instance or of third-party software enabled 12% of compromises. A misconfiguration is any setting that leaves the infrastructure exposed, such as an overly permissive firewall rule, a storage bucket or admin dashboard reachable from the internet, or default credentials left in place. Gaps of this kind are what external attackers and malicious insiders use to get a foothold, and they are a common root cause of cloud data breaches.
Other issues accounted for 12% of compromises, and leaked credentials, such as keys published in GitHub projects, for 4%.
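Leaked keys in repositories (the 4% category above) are the easiest of these root causes to catch before an attacker does. As an added example that is not from the report, the following Python scans file contents for two common Google credential shapes: a service-account JSON key (type "service_account" with a private_key field, which grants whatever IAM roles the account holds) and a Google API key (a string beginning AIza followed by 35 URL-safe characters). Any other PEM private key is also reported. The repository contents are constructed for the example and the key material is fake.

```python
"""Added example: scan file contents for leaked Google Cloud credentials."""
import json
import re

# Google API keys have a fixed shape: "AIza" followed by 35 URL-safe characters.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Any PEM private key is worth a look even if it is not a service-account key.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def redact(secret, keep=8):
    """Keep only a prefix so findings can be reported without re-leaking the secret."""
    return secret[:keep] + "..."


def scan_text(path, text):
    """Return (path, kind, hint) tuples for each credential found in one file's contents."""
    findings = []
    # A service-account key file is JSON with type "service_account" and a private_key field.
    if path.endswith(".json"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
            findings.append((path, "gcp_service_account_key", obj.get("client_email", "unknown")))
            return findings  # already classified; no need to report the PEM header again
    for m in API_KEY_RE.finditer(text):
        findings.append((path, "google_api_key", redact(m.group(0))))
    if PRIVATE_KEY_RE.search(text):
        findings.append((path, "private_key", "PEM private key present"))
    return findings


def scan_files(files):
    """files maps path -> contents (e.g. from a git tree); returns all findings in path order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository contents. The key material is fake.
SAMPLE_FILES = {
    "config/sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvFAKEFAKEFAKE\n-----END PRIVATE KEY-----\n",
        "client_email": "build-bot@example-project.iam.gserviceaccount.com",
    }, indent=2),
    "src/settings.py": 'GOOGLE_MAPS_KEY = "AIzaSyExampleExampleExampleExample12345"\nDEBUG = False\n',
    "README.md": "# demo service\nRun `make deploy` to push to Cloud Run.\n",
}


if __name__ == "__main__":
    for path, kind, hint in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} ({hint})")
```

Wired into a pre-commit hook or a CI step, a scanner like this blocks the commit before the key reaches a public remote. A hit on a service-account key should be treated as a compromise, not a lint warning: rotate or delete the key in IAM first, then remove it from the repository history, because attackers watch public commits far faster than any cleanup.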
The advantages of cloud-hosted resources are high availability and access from anywhere at any time. That convenience simplifies operations, but it also means an exposed instance is reachable by every attacker on the internet. And despite growing attention to cybersecurity, spear-phishing and social engineering remain very effective ways of obtaining the credentials that open the door.