
Crypto Mining Hackers vs. Cloud Computing—Google States the Obvious

  • Richi Jennings--securityboulevard.com
  • published date: 2021-11-29 00:00:00 UTC


<p><strong>Google’s new Cybersecurity Action Team</strong> (CAT) would like you to know that insecure cloud instances can be hijacked by hackers. And the #1 workload they use to steal your CPU time is cryptocurrency mining.</p><p><strong>Stop the press. Did we <i>really</i> need</strong> to be told that? Seems pretty obvious. It’s hardly the first time we’ve heard about thieves creating imaginary money with stolen IaaS compute resources.</p><p><strong>But let’s look closer.</strong> In today’s <a href="https://securityboulevard.com/tag/sb-blogwatch/" target="_blank" rel="noopener">SB Blogwatch</a>, we see if there’s a “there” there.<span id="more-1902320"></span></p><p><a title="Richi Jennings" href="https://www.richi.uk/" target="_blank" rel="noopener">Your humble blogwatcher</a> curated these bloggy bits for your entertainment. Not to mention: <i>Seltsame Fakten zu Deutschland</i>.</p><h2>GCP CAT Fluff</h2><p id="sbbw1"><strong>What’s the craic?</strong> Simon Sharwood says—“<a title="read the full text" href="https://www.theregister.com/2021/11/25/google_cybersecurity_action_team_threat_horizons/" target="_blank" rel="nofollow ugc noopener">Google advises passwords are good, spear phishing is bad, and free clouds get attacked</a>”:</p><p style="padding-left: 40px;"><strong>“<tt>Authentication and security are good ideas</tt>”</strong><br>The report advises that analysis of 50 recently hijacked Google Cloud instances revealed 86 percent were put to work mining cryptocurrency. Crims got in because, in 48 percent of cases, operators didn’t have a password, had a weak password, or didn’t bother authenticating APIs.<br>…<br>Thanks, Google! We’re not sure [we] could have figured out that authentication and security are good ideas. 
… Perhaps future reports, which are promised to offer “Early Warning announcements about emerging threats requiring immediate action” will prove a little more exciting.<br><br></p><p id="sbbw2"><strong>Is that snark entirely fair?</strong> Scott Chipolina clears away the turkey—“<a title="read the full text" href="https://decrypt.co/86980/hackers-are-breaking-cloud-accounts-mine-crypto-google" target="_blank" rel="nofollow ugc noopener">Hackers Are Breaking into Cloud Accounts to Mine Crypto</a>”:</p><p style="padding-left: 40px;"><strong>“<tt>Obtaining profit</tt>”</strong><br>A Google Threat Horizon Report … published by the Google Cybersecurity Action Team … has raised concerns over hacked cloud accounts being used to mine cryptocurrency. … According to the report, the two common goals behind this activity involve “obtaining profit” and “traffic pumping.”<br><br></p><p id="sbbw3"><strong>O RLY?</strong> Dan Milmo adds leftover cranberries—“<a title="read the full text" href="https://www.theguardian.com/technology/2021/nov/25/cryptocurrency-miner-hacked-google-cloud-account-cybersecurity-action-team-threat-horizon-report" target="_blank" rel="nofollow ugc noopener">Cryptocurrency miners using hacked cloud accounts, Google warns</a>”:</p><p style="padding-left: 40px;"><strong>“<tt>Poor customer security</tt>”</strong><br>“Mining” is the name for the process by which blockchains such as those that underpin cryptocurrencies are regulated and verified, and requires a significant amount of computing power. … In the majority of cases the cryptocurrency mining software was downloaded within 22 seconds of the account being compromised.<br><br>Google said that in three-quarters of the cloud hacks the attackers had taken advantage of poor customer security or vulnerable third-party software. 
Google’s recommendations to its cloud customers to improve their security include two-factor authentication – an extra layer of security on top of a generic user name and password – and signing up to the company’s work safer security programme.<br><br></p><p id="sbbw4"><strong>What can be done?</strong> Google’s CAT suggests these “<a title="read the full text" href="https://services.google.com/fh/files/misc/gcat_threathorizons_brief_nov2021.pdf" target="_blank" rel="nofollow ugc noopener">Countermeasures</a>”:</p><ul><li style="list-style-type: none;"><ul style="padding-left: 40px;"><li>Follow password best practices and best practices for configuring Cloud environments.</li><li>Update third-party software prior to a Cloud instance being exposed to the web.</li><li>Avoid publishing credentials in GitHub projects. …</li><li>Use service accounts … to authenticate apps instead of using user credentials. …</li><li>Use predefined configurations … to reduce misconfigurations.</li><li>Set up conditional alerts … to send alerts upon high resource consumption.</li><li>Enforce and monitor password requirements for users.</li></ul></li></ul><p></p><p id="sbbw5"><strong>That second bullet reminds</strong> <a title="read the full text" href="https://www.reddit.com/r/technology/comments/r3ew73/comment/hmdanbk/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3" target="_blank" rel="nofollow ugc noopener">u/thecoller</a> of some former cow-orkers:</p><p style="padding-left: 40px;"><strong>“<tt>Total idiots</tt>”</strong><br>Had a team in my previous job list a repo as public by mistake and leave some AWS credentials in a file. Not even an hour later massive EC2 instances had been launched triggering billing alarms. If the miners hadn’t been total idiots they would have gone with many smaller ones and not raised suspicion for weeks.<br><br></p><p id="sbbw7"><strong>But it’s all a bit heavy on the</strong> victim blaming, don’cha’fink? 
<a title="read the full text" href="https://forums.theregister.com/forum/all/2021/11/25/google_cybersecurity_action_team_threat_horizons/#c_4372772" target="_blank" rel="nofollow ugc noopener">Kevin McMurtrie</a> does:</p><p style="padding-left: 40px;"><strong>“<tt>Google says everyone else needs to do better</tt>”</strong><br>Is this a joke? Does Google even have a working means of reporting Gmail phishing, GCP hosted hacking and fake stores, Trojan horse Play Store apps, Google Calendar hacks, Google Photos hacks, Google Groups scammers, [etc.]?<br><br>No. If it hurts competitors more than Google, Google says everyone else needs to do better.<br><br></p><p id="sbbw6"><strong>Is this news?</strong> <a title="read the full text" href="https://www.reddit.com/r/technology/comments/r3ew73/comment/hmcsm70/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3" target="_blank" rel="nofollow ugc noopener">u/blooping_blooper</a> thinks not:</p><p style="padding-left: 40px;">This is hardly new – people have been hacking AWS and Azure accounts for years to run miners, usually through leaked credentials.<br><br></p><p id="sbbw10"><strong>Going further,</strong> here’s <a title="read the full text" href="https://news.slashdot.org/comments.pl?sid=20311277&amp;cid=62029211" target="_blank" rel="nofollow ugc noopener">bradley13</a>:</p><p style="padding-left: 40px;"><strong>“<tt>The first measures</tt>”</strong><br>Not news. This has been going on for years. Have an AWS or Azure account with lousy security? It won’t be long before someone has hacked it, either to run mining or to add it to a botnet.<br>…<br>If you put up a cloud server on any of these services, and don’t restrict the IP ranges for things like SSH access, you will be absolutely bombarded with hacking attempts. One of the first measures you <em>must</em> take, preferably in advance of booting the server, is to restrict SSH and RDP to only the addresses that you actually use.<br><br></p><p id="sbbw9"><strong>Wait. 
<em>Pause.</em></strong> <a title="read the full text" href="https://forums.theregister.com/forum/all/2021/11/25/google_cybersecurity_action_team_threat_horizons/#c_4373135" target="_blank" rel="nofollow ugc noopener">fredblogggs</a> sees both sides:</p><p style="padding-left: 40px;"><strong>“<tt>The supply side of crime</tt>”</strong><br>Of course all this is dreadfully obvious. And equally obvious is the fact that despite having been able to read exactly the same advice from every imaginable source for the past decade or more, people still don’t bother to take even the simplest … precautions.<br>…<br>For the rest of us who might have welcomed a serious threat intelligence report, Google are more likely to be included in the threat model than the solution space. As the saying goes, they’re more on the supply side of crime.<br><br></p><p id="sbbw12"><strong>Meanwhile,</strong> a slightly sarcastic <a title="read the full text" href="https://www.reddit.com/r/technology/comments/r3ew73/comment/hmcst61/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3" target="_blank" rel="nofollow ugc noopener">u/panda4sleep</a> has had enough of imaginary money:</p><p style="padding-left: 40px;">bUt iT’s a LeGit CurRenCy.<br><br></p><p><b><a title="And Finally" href="https://www.youtube.com/watch?v=Fti6j8aU66M&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" target="_blank" rel="noopener">Actually not clickbait</a></b></p><p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" target="_blank" rel="noopener">Previously in <em>And Finally</em></a></p><hr><p><em>You have been reading <i>SB Blogwatch</i> by <a href="https://www.richi.uk/" target="_blank" rel="noopener">Richi Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. 
Hate mail may be directed to <a href="https://twitter.com/richi" target="_blank" rel="noopener">@RiCHi</a> or <a href="mailto:sbbw@richi.uk">sbbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p><p>Image sauce: <a href="https://unsplash.com/photos/1HEDPbH6HIE" target="_blank" rel="noopener">Dominik Vanyi</a> (via <a title="Some rights reserved" href="https://unsplash.com/license" target="_blank" rel="noopener">Unsplash</a>)</p>