Hackers Mine Cryptocurrency
Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view count manipulation.
“While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation,”
Google Cybersecurity Action Team
Of the 50 recently compromised GCP instances, 86% of them were used to conduct cryptocurrency mining, in some cases within 22 seconds of a successful breach, while 10% of the instances were exploited to perform scans of other publicly accessible hosts on the Internet to identify vulnerable systems, and 8% of the instances were used to strike other entities. About 6% of the GCP instances were used to host malware.
Another attack of note was a Gmail phishing campaign launched by APT28 (aka Fancy Bear) towards the end of September 2021 that involved sending an email blast to over 12,000 account holders primarily in the U.S., U.K., India, Canada, Russia, Brazil, and the E.U. nations with the goal of stealing their credentials.
Furthermore, Google CAT said it observed adversaries abusing free Cloud credits by using trial projects and posing as fake startups to engage in traffic pumping to YouTube. In a separate incident, a North Korean government-backed attacker group masqueraded as Samsung recruiters to send fake job opportunities to employees at several South Korean information security companies that sell anti-malware solutions.
Google connected the attacks to the same threat actor that previously set its sights on security professionals working on vulnerability research and development earlier this year to steal exploits and stage further attacks on vulnerable targets of their choice.
Hackers Mine Cryptocurrency
