86% of the compromised Google Cloud instances were used to perform cryptocurrency mining
Google recently released its latest Threat Horizon report, which shows that most of the compromised instances on Google’s cloud computing platform are used to mine cryptocurrency.
According to the report, 86% of the 50 recently compromised Google Cloud instances were used for cryptocurrency mining. The hackers cash out the cryptocurrency, and the users may be left to pay the bills.
Google Cloud publishes a Threat Horizon report at the end of each month, covering how cloud server instances on various cloud computing platforms are targeted by hackers.
In the past, most hacked servers across the market were implanted with backdoor programs and then received instructions from the hackers, forming botnets used to launch DDoS traffic attacks.
It is surprising that the percentage of hacked servers used for mining is so high, but for hackers, mining is indeed the fastest and most effective way to monetize.
The mining program can be started as soon as an automated script has deployed it, and the actual mining revenue depends on the instance configuration and the total mining time.
This is much more efficient than forming a botnet and selling bot traffic on the dark web. Of course, many malware samples mine while also carrying out attacks.
The data shows that 48% of the hacked instances used weak passwords or no password at all. Some user-deployed interfaces had no authentication and were hacked by attackers.
26% of the hacked instances were compromised through vulnerabilities in third-party software installed by users, which shows how important regular software updates and upgrades are.
Google believes that many attacks are scripted and automated, without manual intervention, because more than half of the mining software was installed and deployed within 22 seconds of the instance being hacked.
Obviously, a hacker operating manually could not be that fast. Automated scripts are also used to scan for and find vulnerable servers.
In 4% of the cases, instances were hacked after users accidentally posted their passwords to GitHub. This is now quite common, so users should carefully check the documents they make public.
Developers have many times published passwords or keys along with documents, and hackers also use automated scripts to scan for such passwords and keys.
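
A pre-publication check for the credential leaks described above, as an added example that is not taken from Google's report: it scans files for a Google Cloud service account key file, the common `AIza` API key shape, PEM private keys and hard-coded passwords before anything is pushed to a public repository. The rule set, file names and sample contents are assumptions constructed for illustration.

```python
import json
import re

# Each rule is (label, pattern). Findings report the shape, never the value.
RULES = [
    ("google-api-key", re.compile(r"(?<![\w-])AIza[\w-]{35}(?![\w-])")),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[\"']?\s*[:=]\s*[\"']?([^\s\"',]+)")),
]
# Values that are variable references or templates rather than real secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{?\w+\}?|<[^>]*>|\*+|changeme)$", re.I)

def is_service_account_key(text):
    """True if text is a Google Cloud service account key file (JSON)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "private_key" in doc)

def scan(path, text):
    """Return sorted (path, line_no, label) findings; line 0 means whole file."""
    findings = set()
    if is_service_account_key(text):
        findings.add((path, 0, "gcp-service-account-key"))
    for no, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if label == "hardcoded-password" and PLACEHOLDER.match(m.group(1)):
                continue  # e.g. PASSWORD=${PASSWORD} is a reference, not a leak
            findings.add((path, no, label))
    return sorted(findings)

def scan_all(files):
    """Scan a {path: text} mapping, as a pre-commit hook would for staged files."""
    return [f for path in sorted(files) for f in scan(path, files[path])]

# Constructed sample files; every credential below is fake.
SAMPLES = {
    "deploy.sh": "export API_KEY=AIza" + "x" * 35 + '\nDB_PASSWORD="hunter2"\n',
    "config.env": "DB_PASSWORD=${DB_PASSWORD}\n",
    "sa.json": json.dumps({"type": "service_account", "project_id": "demo",
                           "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n"}),
}

if __name__ == "__main__":
    for path, no, label in scan_all(SAMPLES):
        print(f"{path}:{no}: {label}")
```

A non-empty result should block the commit or publication until the credential has been removed and rotated.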