The recently launched Google Cybersecurity Action Team (GCAT) provided specific insights, such as when malicious hackers exploit improperly-secured cloud instances to download cryptocurrency mining software to the system—sometimes within 22 seconds of being compromised.
This is one of several observations that were published in the first issue of the Threat Horizons report.
More observations made by the GCAT
More observations made by the Google Cybersecurity Action Team include:
Compromised GCP instances
Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances.
Of 50 recently compromised GCP instances, 86% of the compromised Cloud instances were used to perform cryptocurrency mining.
Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to hack the targets.
While data the did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse.
Gmail Phishing Campaigns
Based on the research from Google’s Threat Analysis Group (TAG), the Russian government-backed attackers ATP28 / Fancy Bear, were observed at the end of September sending a large scale attack to around 12k Gmail accounts in a credential phishing campaign. Google blocked these messages and no users were compromised.
Google Cloud Resources Abuse
TAG observed a group of attackers abusing Google Cloud resources to generate traffic to YouTube for view count manipulation. They also used various approaches to gain free Cloud credits.
Upon detection and enforcement by Google’s Cloud abuse team, the attackers switched to Qwiklab projects and the Cloud abuse team pivoted to counter this offensive.
North Korea Actors Impersonate Employment Recruiters
TAG observed a North Korean government-backed attacker group that has previously targeted security researchers posing as Samsung recruiters and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.
These mails included a PDF allegedly claiming to be of a job description for a role at Samsung.
However, the PDFs were malformed and did not open in a standard PDF reader.
When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a “Secure PDF Reader” stored in Google Drive which has now been blocked.
Black Matter ransomware rises out of DarkSide
Black Matter is one of many ransomware families currently being used to extort money from victims by locking their files using encryption. However, ransomware does not transfer files off the network as its ransom note claims.
Evidence suggests Black Matter is the immediate offspring of DarkSide.
Black Matter is capable of encrypting files on a victim’s hard drive and network shares in a relatively short period of time by distributing the workload across multiple threads.
How to Counter these Threats
Follow password best practices and Cloud configuration best practices.
Update third-party software prior to a Cloud instance being exposed to the web.
Do not publish credentials in Github projects.
Use container analysis to perform vulnerability scanning and metadata storage.
Leverage Web Security Scanner in the Security Command Center to identify security vulnerabilities in App Engine, Google Kubernetes Engine, and Compute Engine.
Use service accounts with Compute Engine to authenticate apps instead of using user credentials. Implement Policy Intelligence tools to help understand and manage policies. Use predefined configurations through Assured Workloads to reduce misconfigurations. Setup conditional alerts in the Cloud Console to send alerts upon high resource consumption. Enforce and monitor password requirements for users through the Google Admin console.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
