Compromised Google Cloud Platform instances are riddled with cryptominers


Google Cloud has revealed that 86% of compromised Google Cloud Platform (GCP) instances in 2021 led to cryptocurrency miners being dropped into customers' environments.

The installation of cryptocurrency miners in cloud instances was the leading issue facing GCP customers this year, with 58% of compromised instances having cryptominers installed within just 22 seconds of attackers gaining access.

Google Cloud's Cybersecurity Action Team (CAT) said this led it to believe the process was script-driven without requiring human intervention.

GCP customers were targeted heavily with attackers attempting to leverage the high levels of compute available to them, without having to foot the bill.

Google Cloud also revealed cloud instances have been compromised in as little as 30 minutes, with the majority taking just eight hours.

The CAT at Google's cloud arm noticed attackers are monitoring the public IP address space for signs of unsecured GCP instances, knowing how quickly they can compromise each one.

"Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted," the report read.

"The amount of time from the launch of a vulnerable Google Cloud instance until compromise varied with the shortest amount of time being under 30 minutes."


CAT researchers also noted that threat actors gained access to GCP instances through exploiting poor customer security practices or vulnerable third-party software in almost 75% of all cases.

In half of these cases, attackers exploited instances with weak or, in some cases, no passwords for user accounts or API connections.

This meant unsecured GCP instances could quite easily be scanned by attackers and brute-forced with minimal difficulty.

Google Cloud customers were also at fault in 26% of cases for installing third-party software in their instance, which was then exploited to gain access.

Google Cloud's basic recommended mitigations for the flaws allowing attackers into GCP instances include ensuring accounts always have strong passwords, updating third-party software before a cloud instance is exposed to the web, and not publishing credentials in GitHub projects.

Container Analysis is also available to GCP customers to perform vulnerability scanning and metadata storage for containers, while the Web Security Scanner in the Security Command Center can identify security vulnerabilities in their App Engine, Google Kubernetes Engine, and Compute Engine web applications.
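The recommendation not to publish credentials in GitHub projects can be enforced before a push. The following is an added example, not code from Google or from the report: a Python check that flags Google Cloud service-account key files and Google API keys in a set of files. The file names, the sample contents and the helper names `scan_file` and `scan_repo` are constructed for illustration.

```python
import json
import re

# Google API keys start with "AIza" followed by 35 URL-safe characters.
API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

def scan_file(name, text):
    """Return (file name, finding) tuples for one file's content."""
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    # A downloaded service-account key is a JSON object with these two fields.
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "PRIVATE KEY" in str(doc.get("private_key", ""))):
        owner = doc.get("client_email", "unknown")
        findings.append((name, f"service-account key for {owner}"))
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in API_KEY_RE.finditer(line):
            # Report only a prefix so the scanner output does not leak the key.
            findings.append((name, f"API key {match.group()[:8]}... on line {lineno}"))
    return findings

def scan_repo(files):
    """Scan a {path: content} mapping and return all findings, ordered by path."""
    findings = []
    for name, text in sorted(files.items()):
        findings.extend(scan_file(name, text))
    return findings

# Constructed sample repository contents (no real credentials).
FAKE_KEY = "AIza" + "0" * 35
SAMPLE = {
    "README.md": "Deployment notes for the demo service.\n",
    "app/config.py": "DEBUG = False\nMAPS_KEY = '" + FAKE_KEY + "'\n",
    "package.json": '{"name": "demo", "type": "module"}',
    "deploy/sa.json": json.dumps({
        "type": "service_account",
        "client_email": "build@constructed-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    }),
}

if __name__ == "__main__":
    for path, finding in scan_repo(SAMPLE):
        print(f"{path}: {finding}")
```

Run as a pre-commit or CI step, a non-empty result should block the push; a key that has already reached a public repository should be revoked and reissued rather than just deleted from the tree.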

Connor Jones
