Most cloud service hacks done to mine crypto - Google
The latest ‘Threat Horizon’ report shows hackers targeting the cloud, Russia launching a Gmail phishing campaign, and North Korea posing as Samsung.
Google’s cybersecurity action team report shows that 86% of the latest attempts to hack Google Cloud Platform (GCP) were made to perform cryptocurrency mining.
According to Google, crypto mining software was downloaded within a whopping 22 seconds after an account was compromised.
The report claims that in most cases (75%), poor customer security practices or vulnerable third-party software allowed threat actors to access the cloud.
A weak or missing password on user accounts was the most common reason (48%) hackers were able to exploit cloud services.
The report claims that Russian-backed attackers APT28, also known as Fancy Bear, embarked on a large-scale phishing campaign targeting Gmail users.
Hackers targeted around 12,000 accounts with a credential phishing campaign. Interestingly, Fancy Bear tried to mimic Google’s ‘government-backed attacker alerts’ to lure victims into revealing their credentials.
The report claims that highly targeted regions for this particular campaign include the US, UK, and India. Other targeted regions include Canada, Russia, Brazil, and members of the EU.
Last month, Google announced it had warned 14,000 Gmail users about a phishing campaign carried out by the same hacking group. This means that the group tried to use the news about the alert to target users once again.
Google, however, claims to have blocked the messages sent by Fancy Bear, thus preventing any credential compromise.
North Korean endeavors
The report also details how a North Korean government-backed group tried to hack multiple employees at South Korean infosec companies that sell anti-malware solutions.
Threat actors were posing as recruiters from Samsung, looking for potential hires. According to Google, the emails included a PDF purporting to be a job description.
However, the PDFs were malformed and did not open with a standard PDF reader. When targets replied they could not open the job description, attackers responded with a malicious link.
The link directed victims to Google Drive storage with malware on it. Google claims to have blocked the account.