Update: Malicious actors gained access to the Google Cloud instances by taking advantage of poor customer security practices or vulnerable third-party software in nearly 75% of all cases. As shown in Table 2, 48% of compromised instances were attributed to actors gaining access to an Internet-facing Cloud instance that had either no password or a weak password for user accounts or API connections. As a result, these Google Cloud instances could be easily scanned and brute-forced. 26% of compromised instances were attributed to vulnerabilities in third-party software that had been installed by the owner.
Google's Cybersecurity Action team has released a report called the "Threat Horizons Executive Snapshot", which details ongoing online threats through trend tracking and other data pools.
The report includes threat intelligence observations from the Threat Analysis Group, Google Cloud Threat Intelligence for Chronicle, the Trust and Safety group, and other internal teams. Cryptocurrency mining abuse was specifically mentioned in the report, which states that bad actors were observed mining cryptocurrency within compromised Cloud instances.
The report states, "Of 50 recently compromised GCP instances, 86% of the compromised Cloud instances were used to perform cryptocurrency mining, a Cloud resource-intensive, for-profit activity. Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to attack other targets."
Adding, "While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse."
Additionally, Google's report indicates that 86% of 50 Google Cloud accounts downloaded cryptocurrency mining software within 22 seconds of the account being compromised. If you are interested in reading more about this story, check out Google's report here.