Cyber attackers are abusing poorly secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software onto compromised systems, and are also using the platform's infrastructure to stage ransomware, run phishing campaigns, and even push traffic to YouTube videos to manipulate view counts.
Google’s Cybersecurity Action Team (CAT) wrote in its recent Threat Horizons report: “While cloud clients continue to confront a range of attacks throughout apps and infrastructure, most effective assaults are attributable to terrible hygiene and a lack of fundamental control deployment.”
Of the 50 recently compromised GCP instances examined, 86 percent were used to mine cryptocurrency, in some cases within 22 seconds of the successful compromise; 10 percent were used to scan publicly reachable servers on the Internet for vulnerable systems, and 8 percent were used to attack other organizations.
Around 6 percent of the instances were used to host malware. Unauthorized access was attributed to weak or missing passwords on user accounts or API connections (48 percent), vulnerabilities in third-party software deployed on the cloud instances (26 percent), and credentials leaked in GitHub projects (4 percent).
Another notable threat was APT28’s Gmail phishing campaign, which involved sending an email blast to more than 12,000 accounts, largely in the United States, the United Kingdom, India, Canada, Russia, Brazil, and EU countries, in order to steal the recipients' login details.
Google CAT also reported that it had detected adversaries abusing free Cloud credits by posing as bogus firms and using trial projects to push traffic to YouTube. In a separate case, a North Korea-based hacking group posed as Samsung recruiters and sent bogus job offers to staff at several South Korean information security firms that sell anti-malware products.
The emails contained a PDF that purported to be a job description for a position at Samsung, but the PDFs were “malformed and won’t load in a typical PDF reader,” according to the researchers. Once victims replied that they could not open the job description, the threat actors sent them a malicious attachment posing as a ‘Secured PDF Reader’ hosted in Google Drive, which has since been disabled.
Google disclosed that the attempts were made by the same threat actor that targeted security researchers and developers earlier this year in order to obtain vulnerability information and carry out attacks on weakly defended targets.