Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Cloud Google The Almighty Buck

'Malicious Actors' are Compromising Google Cloud Accounts, Installing Cryptocurrency Miners (cnbc.com) 26

CNBC reports: Cryptocurrency miners are using compromised Google Cloud accounts for computationally-intensive mining purposes, Google has warned. The search giant's cybersecurity team provided details in a report published Wednesday. The so-called "Threat Horizons" report aims to provide intelligence that allows organizations to keep their cloud environments secure. "Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances," Google wrote in an executive summary of the report...

Google said 86% of 50 recently compromised Google Cloud accounts were used to perform cryptocurrency mining. In the majority of cases, cryptocurrency mining software was downloaded within 22 seconds of the account being compromised, Google said.

This discussion has been archived. No new comments can be posted.

'Malicious Actors' are Compromising Google Cloud Accounts, Installing Cryptocurrency Miners

Comments Filter:
  • will gpc refund the bill for the usage?

    • by Luthair ( 847766 )
      Its not likely a security issue on Google's (or other cloud customers) end, this is likely an issue with security within the organizations.
    • Comment removed based on user account deletion
      • It's your responsibility to keep your account credentials safe and if they get compromised, that's on you.

        I find it endlessly amusing how the cloud* computing goalposts are shifting (as many of us predicted they would). In the beginning, cloud* computing was going to lift the burden of security off the shoulders of the helpless, and put them onto the broad shoulders of security professionals in the cloud*. Now that the professional claws have attached to the customers, and the customers are becoming dependent on their cloud* providers (again, as predicted), it is now becoming the customer's responsibility to se

    • It depends on what was hacked. If an "instance" is hacked then the bill does not go up as your "usage" is not based on CPU cycles. I also doubt that a cryo hack would transfer that much data.

      If your admin console or access certs were hacked and they could spin up more compute instances, then your bill could skyrocket.

      I suspect the more likely hack is the case of a existing running instances getting broken into. In this case, a crypto hack is actually less damage than someone after your data. It might ev

  • non organizations accoutns can use GPC as well.
    And basic gmail accounts can't use all of the paid stuff on the login side.

  • If malicious actors are doing illegal things, why don't they go down to the theater and round them up?

    • They're not theater actors, though they started out that way.
    • Nicholas and Steven according to the bofh.
      https://www.theregister.com/20... [theregister.com]

    • by AmiMoJo ( 196126 )

      What's interesting is how they bypassed Google's fairly tight security. It seems that in this case they used spear fishing to steal cookies from admins, taking over their sessions. The compromise was of the local machine.

      There has been some discussion of what, if anything, can be done about this in Firefox. Presumably Google is working on it for Chrome as well. It's hard to encrypt the cookies in a way that prevents someone with local access compromising them, at least on Windows.

    • by gweihir ( 88907 )

      If malicious actors are doing illegal things, why don't they go down to the theater and round them up?

      Well, if they could find them, they would. But as "the cloud" does not have a perimeter worth anything, anybody can get in and you never really know where they come from. Looks like the "cheap" cloud just got a lot more expensive.

    • by Bongo ( 13261 )

      If malicious actors are doing illegal things, why don't they go down to the theater and round them up?

      Because the 0.3 who get away will cause worse trouble.

  • by bradley13 ( 1118935 ) on Monday November 29, 2021 @04:44AM (#62029211) Homepage

    This has been going on for years. Have an AWS or Azure account with lousy security? It won't be long before someone has hacked it, either to run mining or to add it to a botnet.

    For anyone who hasn't had the experience: If you put up a cloud server on any of these services, and don't restrict the IP ranges for things like SSH access, you will be absolutely bombarded with hacking attempts. One of the first measures you *must* take, preferably in advance of booting the server, is to restrict SSH and RDP to only the addresses that you actually use.

    • by AmiMoJo ( 196126 )

      Reading TFA it seems that the method of compromise was malware on the admin's PC stealing their cookies, so that the attacker could take over their session. The servers themselves were fine.

      I suppose the same method would work with SSH keys too.

      Restricting to certain IP addresses can be helpful, but an even better option is to not allow incoming connections at all from the internet. Instead have the server connect via VPN to a special internal network at your organization, and only accept connections from t

  • This is probably why I want the apps I use to be reviewed and tested by the developers. I know that many companies offer qa automation services [inoxoft.com] which is really great because we need stable apps and software which are still not that many on the market. I hope that soon every developer and customer will check applications for stability and security.
  • Seems vapor begets more vapor or rather hot air in this case. It is an interesting attack scenario though.

  • Comment removed based on user account deletion
  • For Interserver.Net ISP/VPS provider, they too were hit with drive-by installation of Linux miner programs.

    My Single-CPU 500MB RAM VPS was overtaken by a BBP miner too. Its miner is built with gcc on a Alpine 9.3.0. Digging for four-thread Monero and communicating via Argon2 crypto channel.

    The invasive vector was the poor security of VNC portal for their customers. I cannot clear the miner often yet these hackers would repeatedly circumvent the account-based 'user-picks-the-source-IP' for allowing incomi

    • I practice OSSEC, CISecurity and deploy SELinux with some GRsecurity and Whonix hardening. My VPS log server is sent back to my home. So, there is nothing amiss going on with my side of the coin.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...