Google Cloud adds cryptomining protection following widespread exploitation

Connor Jones

8 Feb, 2022

Google Cloud has launched a new threat detection solution for Google Cloud Platform (GCP) specifically designed to tackle the mounting cases of cryptomining malware operating through compromised cloud instances.

Google Cloud said the Virtual Machine Threat Detection (VMTD) is a first-to-market solution from a major cloud provider, now available in public preview as an added security layer within Security Command Center (SCC) Premium.

Virtual machine-based computing accounts for a significant portion of businesses’ operations running in the cloud and according to a November 2021 threat intelligence report from Google Cloud, cryptomining activity was observed in 86% of all compromised GCP instances, making it the leading issue affecting Google Cloud customers.

The time it took for attackers to install this financially-motivated malware was quick, too, with more than half of cases (58%) seeing malware installed within just 22 seconds of compromising the platform.

Google Cloud said in most cases, this was due to exploitation of poor customer security practices or vulnerable third-party software. Leveraging the power of cloud computing can improve the efficiency of cryptomining malware due to its scalable nature, potentially raising monthly cloud bills for businesses by a large sum.

“The economy of scale enabled by the cloud can help fundamentally change the way security is executed for any business operating in today’s threat landscape,” said Timothy Peacock, product manager at Google Cloud. “As more companies adopt cloud technologies, security solutions built into cloud platforms help address emerging threats for more and more organisations.

“VMTD is one of the ways we protect our Google Cloud Platform customers against growing attacks like coin mining, data exfiltration, and ransomware,” he added.

Now available in public preview, VMTD detects cryptomining attacks but as it moves closer towards general availability, Google Cloud said customers can expect to see a steady release of new detective capabilities that will integrate with other parts of GCP.

Google Cloud said VMTD complements the existing threat detection capabilities supplied by the existing Event Threat Detection and Container Threat Detection products, providing cover for compute while the others services areas like Kubernetes, identity, managed services, networking, and API.

Agentless approach

Google Cloud’s VMTD provides memory scanning for customers on an agentless basis, which means GCP users can expect a smaller performance impact, lowered operational burden, and a less-exposed attack surface.

This is unlike a traditional endpoint security model which involves running additional software inside virtual machines to gather signals and telemetry. Instead, Google Cloud said it ‘instruments the hypervisor’ – the underlying software that “orchestrates” its virtual machines – to include threat detection that’s difficult to tamper with.