Google Analyzes Methods Behind GCP Workload Attacks

The vast majority of cloud workload compromises stem from poor security configurations or compromised passwords, while cryptojacking is the most common payload, research shows.

[Chart: statistics on cryptocurrency mining abuse. Caption: Most attacks leading to cryptocurrency mining abuse take less than 22 seconds from initial compromise to install. Source: Google Cloud]

Automated scanning, improved attack tools, and new ways to monetize compromises have turned cloud workloads and server instances into prime attack targets, Google Cloud stated in its inaugural "Threat Horizons" report, published Nov. 23.

These vectors are not new, but they prove consistently effective among attackers. Google Cloud's report found intruders focused on misconfigurations, poor customer security practices, and vulnerable third-party software to compromise nearly 75% of instances. The data comes from its analysis of 50 recently compromised Google Cloud Platform (GCP) instances, in which 48% had weak — or no — passwords, 26% had a vulnerability in third-party software, and 12% were compromised via misconfiguration.

All of these threats are well understood but remain effective ways to compromise systems due to human error, Bob Mechler, director in the office of the CISO at Google Cloud, wrote in a blog post.

"While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation," he wrote, along with Google Cloud's security editor, Seth Rosenblatt. "Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact."

The combination of misconfigured cloud instances and automated attacks meant the owners of cloud workloads had little time to shore up defenses. In 40% of instances, the compromise happened in less than eight hours; in at least one case, in as little as 30 minutes.

Attackers commonly monetize compromises using cryptocurrency mining software or ransomware, and often attempt to gather credentials via phishing attacks to extend their control over compromised computers and services. The most common way for attackers to utilize a compromised instance on Google Cloud Platform (GCP) was to install cryptocurrency mining software, which happened in 86% of instances following a compromise.

The payload delivery also happened very fast — more than half of compromised instances had cryptomining software delivered in under 30 seconds, according to the report.

"This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention," Google Cloud stated in the report. "The ability to manually intervene in these situations to prevent exploitation is nearly impossible. The best defense would be to not deploy a vulnerable system or have automated response mechanisms."

In another 10% of cases, the attackers used the compromised instance to scan the Internet for other vulnerable targets, the company stated in its report.

The report brings together data and insights from a host of internal Google teams, including the Google Threat Analysis Group (TAG), Google Cloud Security and Trust Center, and Google Cloud Threat Intelligence for Chronicle, Trust and Safety.

These threat intelligence and security groups also discovered an operation launched by the Russian government-backed Fancy Bear group, also known as APT28, which used more than 12,000 Gmail accounts in a phishing campaign that attempted to gather Google account credentials from targeted users. Because the group sent from a major provider, the phishing messages passed the Sender Policy Framework (SPF) anti-spam check.

The attacks most heavily targeted the United States, United Kingdom, and India, but also targeted other nations, including Brazil, Canada, many European Union countries, and Russia.

Google recommended companies focus on ensuring that deployed software and workloads are configured with strong security. In addition to commonsense security measures, such as two-factor authentication and regular automated scanning of the Web application, companies need to have tools in place to prevent the accidental exposure of passwords, keys, and certificates when publishing code. Any third-party code used in an application should be vetted and be hashed as an integrity check. And companies should recognize that the benefits of the cloud come with some caveats, the report stated.
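One way to put two of those recommendations into practice, checking vendored third-party code against the SHA-256 digest recorded when it was vetted and refusing to publish source files that contain credential-like strings, as an added Python example that is not from the report or from Google; the file contents, digests and regex patterns are constructed assumptions:

```python
"""Pre-publish checks from the report's recommendations: pinned-hash verification of vetted
third-party files, and a scan for credential-like strings before code is published.
Every file content, digest and pattern here is a constructed example, not from the report."""
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(vendored, pinned):
    """Return the names of third-party files whose SHA-256 does not match the digest
    recorded when they were vetted, or that have no recorded digest at all."""
    return [name for name, content in vendored.items()
            if pinned.get(name) != sha256_hex(content)]


# Credential-shaped patterns (assumed examples; a real scanner needs a far larger ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "hardcoded_password": re.compile(r'(?i)(?:password|passwd|secret)\s*[:=]\s*["\'][^"\']{8,}["\']'),
}


def find_secrets(sources):
    """Return (file, pattern_label) pairs for every source file that matches a secret pattern."""
    hits = []
    for name, content in sources.items():
        text = content.decode("utf-8", errors="replace")
        hits.extend((name, label) for label, rx in SECRET_PATTERNS.items() if rx.search(text))
    return hits


def prepublish_check(sources, vendored, pinned):
    """Combine both checks; an empty list means the tree is safe to publish."""
    problems = ["unverified third-party file: " + n for n in verify_pinned(vendored, pinned)]
    problems += ["possible credential (%s) in %s" % (label, n) for n, label in find_secrets(sources)]
    return problems


if __name__ == "__main__":
    vetted_lib = b"def helper():\n    return 42\n"              # constructed vendored file
    pins = {"vendor/helper.py": sha256_hex(vetted_lib)}         # digest recorded at vetting time
    tree = {"app.py": b'db_password = "hunter2-but-longer"\n'}  # constructed credential leak
    tampered = {"vendor/helper.py": vetted_lib + b"# unexpected change\n"}
    for problem in prepublish_check(tree, tampered, pins):
        print(problem)
```

Run it as a pre-push hook and fail the publish step whenever `prepublish_check` returns anything.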

"Despite the growing public attention to cybersecurity, spear-phishing and social engineering tactics are frequently successful," Google stated in the report. "As for other forms of IT security, defensive measures need to be robust and layered to protect cloud resources due to ubiquitous access."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
