Google analysis: Cloud services can be attacked by weak passwords

The provider’s security departments analyzed 50 recently compromised instances of the Google Cloud Platform. The results are now available as a report and allow conclusions to be drawn about how to reduce the attack surface, for example. One important finding: the attackers (still) are primarily concerned with money. Break-ins usually succeed due to negligence on the part of the user. And the time to a successful attack is very short.

The burglars installed software for mining cryptocurrencies on 86 percent of the infiltrated cloud instances. On other occasions, the analysts observed that the intruders had YouTube clips called up in order to use them to increase the ad counters and to achieve greater revenues and reach.

The attackers were able to break into the cloud machines in around half of the cases due to weak or non-existent passwords for user accounts or APIs that were used without authentication. More than a quarter of the break-ins were achieved through security holes in third-party software that users had installed themselves. Incorrect configurations in the cloud instance or in third-party software were the cause of another eighth of the cases.

The shortest observed period between an instance being brought online and being compromised was just 30 minutes. 40 percent of the systems analyzed were adopted in less than eight hours. The public IP range is permanently scanned for vulnerable services, the security researchers conclude: Finding a vulnerable cloud instance is a question of when, not whether.

If a system was successfully attacked, most of the installation of the crypto miners took place in less than 30 seconds. This points to automated scripts for attack and subsequent installation, for which no human interaction is required. Manual interventions to prevent such an attack are almost impossible.

In your The Google experts explain the security report “Threat Horizon” Countermeasures that cloud users can use to protect themselves. First and foremost is the implementation of so-called best practices: The use of strong passwords, bringing third-party software up to date and, for example, not publishing the access data on Github – the latter apparently happened in 4 percent of the cases examined.

Other ways to improve security include using service accounts to authenticate apps instead of access data for user accounts. The use of Policy Intelligence Tools can also help to configure the lowest possible rights for services and applications and thus contain the consequences of break-ins from the outset.

What is remarkable about Google’s practical report is that it confirms the results that Palo Alto’s Unit42, for example, recently obtained with numerous honeypots online. In the scenario simulated there, weak passwords also led to rapid intrusions into the virtual machines. The fact that these are cracked in minutes in the case of vulnerable services or insecure access data is actually often found in reality.


Article Source