
Google has issued an official warning about cryptocurrency miners targeting users' Cloud accounts, which can be compromised within twenty-two seconds (22). The specifics of the threat were highlighted by Google in its Threat Horizons Report.

According to Google’s report:

“86% of the compromised Google Cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity…malicious hackers exploit improperly-secured cloud instances to download cryptocurrency mining application to the system—sometimes within 22 seconds of being compromised.”

According to Google, more than 80% of the hacked cloud accounts are used by hackers for mining cryptocurrency. Mining cryptocurrency requires a lot of computing power, which is why hackers are targeting customers' Google Cloud accounts for this purpose.

According to Google, over the last three quarters hackers have exploited weak cloud account security on the part of customers, or vulnerable third-party software, to compromise accounts. Google recommends that users strengthen cloud security by using two-factor authentication (2FA), which offers stronger protection than a password alone.

North Korean and Russian Hacking Attempts in the Past

In the report, Google has also identified threat actors from Russia and North Korea. According to the report, Russian state-backed hackers are sending users fake warnings that they have been targeted by government-backed attackers, in order to steal their passwords. North Korean threat agents are posing as job recruiters from Samsung and using encryption in ransomware attacks.

Russian state-backed hackers called APT28, also known as Fancy Bear, have targeted almost 12,000 Gmail accounts in a massive phishing attempt, tricking users into transmitting their login details. They lured targets by sending phishing emails stating: “We believe that government-backed attackers may be trying to trick you to get your account password.”

Google has blocked all of the phishing emails, which focused on the US, UK, and India, and has confirmed that no customer data was compromised.

On the other hand, North Korean government-backed hackers are posing as Samsung recruiters and sending fake job emails to South Korean cybersecurity employees. Victims are told to click a malicious link that loads malware onto their Google Drive, which Google has since blocked.

According to Google, the hackers are using BlackMatter ransomware to infect user accounts. The BlackMatter gang has been behind ransomware attacks on Olympus, a tech giant, and New Cooperative Inc. Google also said that identifying these ransomware attacks is difficult because they are heavily encrypted. Attackers encrypt user data, and it is almost impossible to recover the files without paying for the decryption key.

Even though BlackMatter allegedly shut down operations earlier this month, Google says these attacks signal the group's re-emergence, which remains a risk.

Google’s Recommendations for Users

Google has recommended the following to customers to reduce the chances of unexpected financial losses and account takeovers:

  • Audit projects to make sure no credentials or certificates are exposed.
  • Authenticate code with hashing before downloading it, to avoid Meddler-in-the-Middle (MITM) attacks.
  • Use 2FA to secure accounts.
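As an added illustration of the first recommendation (this is example code written for this article, not code from Google or the Threat Horizons Report), the following Python script walks a project tree and flags files that look like Google Cloud service-account keys, PEM private keys or Google API keys. The sample project it scans is constructed inline, and the detection signatures are assumptions about what leaked credentials typically look like.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed signatures of secrets commonly leaked in cloud projects.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")  # Google API keys start with "AIza"

def is_service_account_key(text: str) -> bool:
    """A Google Cloud service-account key is JSON with type=service_account and a private_key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc

def scan_file(path: Path) -> list[str]:
    """Return the kinds of credential found in one file (empty list if the file is clean)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []  # unreadable files are skipped, not reported
    findings = []
    if is_service_account_key(text):
        findings.append("service-account-key")
    if PEM_PRIVATE_KEY.search(text):
        findings.append("pem-private-key")
    if GOOGLE_API_KEY.search(text):
        findings.append("google-api-key")
    return findings

def audit_project(root: Path) -> dict[str, list[str]]:
    """Map each offending file (path relative to root) to the credential kinds it exposes."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and (hits := scan_file(path)):
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Build a constructed sample project (three leaks, one clean file) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "sa.json").write_text(json.dumps({"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"}))
        (root / "deploy.key").write_text("-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n")
        (root / "app.py").write_text("API_KEY = 'AIza" + "A" * 35 + "'\n")
        (root / "README.md").write_text("No secrets here.\n")
        return audit_project(root)
```

Run `audit_project(Path("."))` from a project checkout to get the same report for a real tree; anything it returns belongs in a secret manager, not in the repository.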