Google's Threat Horizons report: Will the straightforward approach get results?

Google’s Cybersecurity Action Team has released a Threat Horizons report focusing on cloud security. It’s taken some criticism for being surprisingly straightforward and less complex than you may expect. On the other hand, many businesses simply don’t understand many of the threats at large. Perhaps this is a way of easing the people the report is aimed at into the wider discussion.

At any rate, the report is out and I think it’s worth digging into. They may be taking the “gently does it” approach because so many of their customers are falling foul of bad things. It makes sense to keep it simple in an effort to have people pay attention and nail the basics first. After all, if they can’t do that then complex rundowns stand no chance.

Key features of the report

The executive summary lists a number of key points. There’s a strong focus on issues and concerns for people using Google services. For example:

“Of 50 recently compromised GCP instances, 86% of the compromised cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive, for profit activity. Additionally, 10% of compromised cloud instances were used to conduct scans of other publicly available resources on the internet to identify vulnerable systems, and 8% of instances were used to attack other targets”.

In case you’re wondering, GCP means Google Cloud Platform.
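The three outcomes the summary counts (mining, scanning other internet hosts, attacking other targets) leave quite different fingerprints in instance telemetry, and it helps to see how such a breakdown could be produced. The following is an added example written for this post, not code from Google or from the report: a toy classifier that labels one compromised instance from its outbound connection records and average CPU load, then tallies the labels into percentages. The log format, the port lists, the thresholds and the sample data are all constructed assumptions chosen for illustration; real input would come from VPC flow logs and instance CPU metrics.

```python
"""Toy classifier for how a compromised cloud instance is being misused.

Added example, not code from Google's Threat Horizons report. The record
format, port sets and thresholds below are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed: TCP ports commonly used by public mining pools (illustrative only).
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumed: services that brute-force campaigns typically hammer.
AUTH_PORTS = {22, 3389, 445, 1433, 3306}


@dataclass
class Flow:
    """One outbound connection summary for an instance (constructed format)."""
    instance: str
    dst_ip: str
    dst_port: int
    attempts: int  # connection attempts to this destination in the window


def classify_instance(flows, avg_cpu):
    """Return 'mining', 'scanning', 'attacking' or 'unknown' for one instance.

    The rules are deliberately simple heuristics, not a production detector.
    """
    dsts = Counter(f.dst_ip for f in flows)
    ports = {f.dst_port for f in flows}

    # Scanning: many distinct targets, each touched a handful of times, few ports.
    if len(dsts) >= 50 and max(dsts.values()) <= 3 and len(ports) <= 3:
        return "scanning"

    # Mining: sustained high CPU plus a persistent connection to a pool-style port.
    if avg_cpu >= 90 and ports & MINING_PORTS and len(dsts) <= 3:
        return "mining"

    # Attacking: hammering a few hosts on authentication services.
    auth_attempts = sum(f.attempts for f in flows if f.dst_port in AUTH_PORTS)
    if auth_attempts >= 500 and len(dsts) <= 5:
        return "attacking"

    return "unknown"


def summarize(instances):
    """instances: {name: (flows, avg_cpu)} -> {label: percentage of instances}."""
    counts = Counter(classify_instance(fl, cpu) for fl, cpu in instances.values())
    total = sum(counts.values())
    return {label: round(100 * n / total) for label, n in counts.items()}


def build_sample():
    """Constructed sample: 7 miners, 2 scanners, 1 brute-forcer (RFC 5737 addresses)."""
    sample = {}
    for i in range(7):
        name = f"vm-miner-{i}"
        sample[name] = ([Flow(name, "198.51.100.7", 3333, 1)], 97.0)
    for i in range(2):
        name = f"vm-scanner-{i}"
        flows = [Flow(name, f"203.0.113.{j}", 22, 1) for j in range(1, 61)]
        sample[name] = (flows, 20.0)
    name = "vm-bruteforce-0"
    sample[name] = ([Flow(name, "192.0.2.10", 22, 800)], 15.0)
    return sample


if __name__ == "__main__":
    for label, pct in sorted(summarize(build_sample()).items()):
        print(f"{label:>10}: {pct}%")
```

Run as-is, the script prints the share of sample instances per category. The scanning rule is tested first because a scanner probing port 22 across many hosts would otherwise accumulate authentication-port attempts and risk being mislabelled as a brute-forcer; ordering rules from most distinctive to least is a common way to keep simple heuristics honest.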

Elsewhere, the summary mentions Google cloud resources were used to generate bogus YouTube view counts. This sounds interesting, and it would be useful to know more about it. Unfortunately there are no details in the summary, and the full report doesn’t go into the nitty-gritty of what happened either. Given this one is a clear and easily understandable way to explain how [bad thing in cloud] equals [bad knock-on effect for service everyone you know uses], it seems strange to keep us guessing.

Google also references the Fancy Bear/APT28 Gmail phishing attack, which we covered last month. While this isn’t exactly a common concern for most people, it is good to reiterate the usefulness of multiple Google security settings. 2FA, apps, backup codes, and advanced security settings are always better to have up and running than not at all.

It’s not just Google services up for discussion…

The report also briefly branches out into other realms of concern. Bogus job descriptions posing as Samsung PDFs were deliberately malformed, leading to follow-up messages containing malware lurking at the links provided by the sender.

This campaign is apparently from a North Korean government-backed group, which previously targeted security researchers. There’s also a lengthy rundown of BlackMatter ransomware, and (again) various tips for Google-specific cloud products in terms of keeping the BlackMatter threat at arm’s length.

The full report is a PDF weighing in at 28 pages. Yes, it’s a bit light on details. However, it’s quite possible to send people running for the hills with 80+ pages of heavy-duty security information. If people are making rudimentary mistakes, why not make a gesture of highlighting said mistakes?

Simply does it

As we heard in our recent Lock and Code episode, the basics are no laughing matter. Many organisations don’t have the time, money, or resources available. They’re unable to tackle what some would consider to be incredibly obvious issues. There’s plenty of detailed security information out there already on multiple Google pages. Maybe this back-to-basics approach will pay off in the long run.

If Google’s main concern seems to mostly be “script kiddie with a cryptominer”, then a script kiddie with a cryptominer focus we shall have. For now, we’ll just have to wait and see what kind of uptake this new approach receives and go from there.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.