Threat actors are actively exploiting misconfigured Google Cloud Platform (GCP) instances to mine cryptocurrency. Google's recent Threat Horizons report found that, of 50 recently compromised GCP instances it analysed, 86% were used for cryptocurrency mining.
The report attributes 48% of those intrusions to poor password hygiene (weak or no passwords on user accounts) and/or insecure API configurations such as APIs exposed without authentication, 26% to vulnerabilities in third-party software running on the instance, and 4% to credentials leaked in Git projects.
Beyond mining, threat actors are using compromised GCP instances to stage ransomware attacks and phishing campaigns, and even to generate traffic to specific YouTube videos in order to manipulate their view statistics.
The following is a non-exhaustive list of consequences of a compromised GCP environment:
- Financial damage: IBM found that the average cost of a data breach in 2021 was 4.24 million USD
- Reputational damage
- Potential legal repercussions
- Further compromise and follow-on attacks, e.g. ransomware
Below are some recommendations to help improve the security posture of a cloud environment, along with references for further reading.
- Implement robust Identity and Access Management (IAM). Take a least-privilege approach, granting only the permissions each job role actually needs (on GCP, prefer predefined or custom roles over the basic Owner/Editor/Viewer roles), and apply the policies at the organisation level so coverage is consistent across all projects
- Maintain visibility of your assets; on GCP, Security Command Center provides an inventory of resources and security findings across the organisation
- Ensure that no credentials or API keys are hardcoded in development projects or committed to source control; keep them in a secrets manager and scan repositories for leaked secrets before code is pushed
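The following Python is an added example, not code from the report or from Google, showing how the IAM and hardcoded-credential recommendations above can be checked offline. `audit_iam_policy()` takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and flags basic roles, public members and human accounts outside the organisation's domain; `scan_for_secrets()` looks for the documented shape of Google API keys (`AIza` followed by 35 characters) and service-account key material in source text. The sample policy, the `example.com` trusted domain, the member names and the dummy key are all constructed for the example.

```python
"""Added example (not from the Threat Horizons report or Google): two offline
checks for the IAM least-privilege and hardcoded-credential recommendations.

audit_iam_policy() expects the dict produced by
`gcloud projects get-iam-policy PROJECT_ID --format=json`; here it is fed a
constructed policy. scan_for_secrets() scans source text for Google API keys
and service-account key files (constructed sample below).
"""
import re

# Basic (primitive) roles grant thousands of permissions; least privilege on
# GCP means predefined or custom roles instead.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Members that expose the resource to the whole internet / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_iam_policy(policy, trusted_domain):
    """Return a list of finding strings for over-broad bindings in an IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} granted {role}")
            if role in BASIC_ROLES:
                findings.append(f"BASIC_ROLE: {member} granted {role}")
            # Human accounts outside the organisation's own domain (assumed domain).
            if member.startswith("user:") and not member.endswith("@" + trusted_domain):
                findings.append(f"EXTERNAL_USER: {member} granted {role}")
    return findings


# Google API keys are 39 characters starting with "AIza"; service-account key
# files are JSON with "type": "service_account" and an embedded PEM private key.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def scan_for_secrets(filename, text):
    """Return 'file:line: kind' findings for credential material in source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(f"{filename}:{lineno}: {kind}")
    return findings


# Constructed sample policy in the shape gcloud prints; all members are fictional.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-build@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["user:contractor@gmail.com"]},
    ]
}

# Constructed sample source file. The key has the right shape (39 chars) but is a dummy.
DUMMY_API_KEY = "AIza" + "0" * 35
SAMPLE_SOURCE = "\n".join([
    "# settings.py (constructed sample)",
    f'MAPS_API_KEY = "{DUMMY_API_KEY}"',
    "DEBUG = False",
    'SA_JSON = \'{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----..."}\'',
])

if __name__ == "__main__":
    for finding in audit_iam_policy(SAMPLE_POLICY, "example.com"):
        print(finding)
    for finding in scan_for_secrets("settings.py", SAMPLE_SOURCE):
        print(finding)
```

Run against a real project by replacing `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and feeding each file in the repository to `scan_for_secrets()`, for example from a pre-commit hook. The IAM check deliberately treats `allUsers` on `roles/viewer` as two findings (public exposure and a basic role) because either alone would merit a fix.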
For more information on the GCP misconfigurations described above and on cloud security best practices, see the links below:
- Google Cloud Threat Horizons report
- Google Cloud security best practices centre
- GCP Security checklist for medium and large enterprises
- CIS GCP Foundation Benchmark (NIST)
- IBM data breach report 2021