Attackers are exploiting improperly secured Google Cloud Platform (GCP) instances to download cryptocurrency-mining software onto the compromised systems, and are abusing the infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos in order to manipulate view counts.

“While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation,” Google’s Cybersecurity Action Team (CAT) said in its Threat Horizons report, published last week.

Of 50 recently compromised GCP instances, 86% were used to perform cryptocurrency mining, in some cases within 22 seconds of the initial compromise; 10% were used to scan other publicly accessible hosts on the Internet to identify vulnerable systems; 8% were used to attack other targets; and roughly 6% were used to host malware. (The categories overlap, since a single instance can be abused for more than one purpose.)

In most cases, the unauthorized access was attributed to weak or no passwords on user accounts or API connections (48%), vulnerabilities in third-party software installed on the cloud instances (26%), and credentials leaked in GitHub projects (4%).
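As an added illustration of the credential-leak vector described above (this is not code from Google or from the report), the following Python script scans files or text for Google Cloud credential material before it reaches a public repository: downloaded service-account key files, the `.iam.gserviceaccount.com` identities they contain, and 39-character API keys beginning with `AIza`. The field names and key prefix are the standard formats Google uses; the sample inputs, project names and file names are constructed for the example and contain no real credentials.

```python
"""Constructed example: spot Google Cloud credential material (service-account
key files, service-account identities, API keys) in text before it is
committed to a public repository. Not Google's tooling; patterns are the
well-known public formats, sample data below is made up."""
import json
import re
import sys
from pathlib import Path

# Google API keys are 39 characters long and begin with "AIza".
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Service-account identities end in .iam.gserviceaccount.com.
SA_EMAIL_RE = re.compile(r"\b[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com\b")
# PEM header found inside downloaded service-account key files.
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

PATTERNS = (("api_key", API_KEY_RE), ("sa_email", SA_EMAIL_RE), ("private_key", PEM_RE))


def redact(secret):
    """Keep just enough of a match to locate it; never echo the whole value."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(text, source="<text>"):
    """Return a list of findings (dicts) for the credential patterns above."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "match": redact(m.group(0))})
    # A complete service-account key file also parses as JSON with these fields.
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        findings.append({"source": source, "line": 0, "kind": "service_account_key",
                         "match": doc.get("client_email", "?")})
    return findings


def scan_tree(root, suffixes=(".json", ".py", ".yaml", ".yml", ".tf", ".txt", ".md")):
    """Walk a checkout and scan likely text files; unreadable files are skipped."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name == ".env"):
            try:
                findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path)))
            except (UnicodeDecodeError, OSError):
                continue
    return findings


# Constructed samples (hypothetical project, fake key material, not real credentials).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-proj",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n",
    "client_email": "deploy-bot@example-proj.iam.gserviceaccount.com",
})
SAMPLE_CONFIG = 'MAPS_KEY = "AIzaSyA0123456789abcdefghijklmnopqrstuv"  # constructed, not real\n'

if __name__ == "__main__":
    # Usage: scan a checkout directory, or pipe text (e.g. `git log -p --all`) on stdin.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(sys.stdin.read(), "<stdin>")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['match']}")
    sys.exit(1 if results else 0)
```

Run it against a working copy, or pipe `git log -p --all` into it to catch keys that were committed and later deleted but still live in history. A match is a pattern hit, not proof of a live credential; anything it flags should be verified and, if real, rotated rather than merely removed from the tree.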

Another notable attack was a Gmail phishing campaign launched by APT28 (aka Fancy Bear) at the end of September 2021 to steal credentials, primarily targeting users in the U.S., U.K., India, Canada, Russia, Brazil, and EU countries.

Google CAT also said it observed adversaries abusing free cloud credits through trial projects while posing as fake startups, and using them to drive traffic to YouTube. In another case, a group of attackers backed by the North Korean government impersonated Samsung recruiters and sent fake job offers to employees of several South Korean information security companies that sell anti-malware solutions.

“The emails contained a PDF that claimed to be a job description for a role at Samsung; however, the PDF was malformed and could not be opened in a standard PDF reader,” the researchers said. “When the targets replied that they could not open the job description, the attackers responded with a malicious link to malware disguised as a ‘secure PDF reader’ stored in Google Drive, which has now been blocked.”

Google has linked the attack to the same threat actor that targeted security researchers working on vulnerability research and development earlier this year, with the aim of stealing exploits and staging further attacks on vulnerable targets of its choosing.

“Cloud-hosted resources have the benefit of high availability and ‘anywhere, anytime’ access,” Google CAT said. “While cloud-hosted resources streamline workforce operations, malicious actors can take advantage of the ubiquitous nature of the cloud to compromise cloud resources. Despite the growing public attention to cybersecurity, spear-phishing and social engineering tactics are frequently successful.”

