Google Cloud adds cryptomining protection following widespread exploitation

[Image: Google Cloud logo] (Image credit: Getty Images)

Google Cloud has launched a new threat detection solution for Google Cloud Platform (GCP) specifically designed to tackle the mounting cases of cryptomining malware operating through compromised cloud instances.

Google Cloud said the Virtual Machine Threat Detection (VMTD) is a first-to-market solution from a major cloud provider, now available in public preview as an added security layer within Security Command Center (SCC) Premium.

Virtual machine-based computing accounts for a significant portion of businesses' operations running in the cloud, and according to a November 2021 threat intelligence report from Google Cloud, cryptomining activity was observed in 86% of all compromised GCP instances, making it the leading issue affecting Google Cloud customers.

The time it took for attackers to install this financially motivated malware was short, too, with more than half of cases (58%) seeing malware installed within just 22 seconds of the instance being compromised.

Google Cloud said in most cases, this was due to exploitation of poor customer security practices or vulnerable third-party software. Leveraging the power of cloud computing can improve the efficiency of cryptomining malware due to its scalable nature, potentially raising monthly cloud bills for businesses by a large sum.

"The economy of scale enabled by the cloud can help fundamentally change the way security is executed for any business operating in today’s threat landscape," said Timothy Peacock, product manager at Google Cloud. "As more companies adopt cloud technologies, security solutions built into cloud platforms help address emerging threats for more and more organisations.
"VMTD is one of the ways we protect our Google Cloud Platform customers against growing attacks like coin mining, data exfiltration, and ransomware," he added.

Now available in public preview, VMTD detects cryptomining attacks, but as it moves closer towards general availability, Google Cloud said customers can expect a steady release of new detection capabilities that will integrate with other parts of GCP.

Google Cloud said VMTD complements the threat detection capabilities supplied by the existing Event Threat Detection and Container Threat Detection products, providing cover for compute while the other services cover areas like Kubernetes, identity, managed services, networking, and APIs.

Agentless approach

[Diagram: how Google Cloud's VMTD works on a technical level] (Image credit: Google Cloud)

Google Cloud's VMTD provides memory scanning for customers on an agentless basis, which means GCP users can expect a smaller performance impact, lowered operational burden, and a less-exposed attack surface.

This is unlike a traditional endpoint security model, which involves running additional software inside virtual machines to gather signals and telemetry. Instead, Google Cloud said it "instruments the hypervisor" - the underlying software that "orchestrates" its virtual machines - to include threat detection that's difficult for an attacker inside the guest to tamper with.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.