Best practices for protecting against cryptocurrency mining attacks  |  Cloud Architecture Center  |  Google Cloud (2024)

Last reviewed 2022-04-08 UTC

Cryptocurrency mining (also known as bitcoin mining) is the process used to create new cryptocoins and verify transactions. Cryptocurrency mining attacks occur when attackers who gain access to your environment exploit your resources to run their own mining operations at your expense.

According to the November 2021 Threat Horizons report, cryptocurrency mining attacks are the most common way that attackers exploit your computing resources after they compromise your Google Cloud environment. The report also says that attackers typically download cryptocurrency mining software to your resources within 22 seconds of compromising your system. Cryptocurrency mining can rapidly increase costs, and a cryptocurrency mining attack can cause a much larger bill than you expected. Because costs can add up quickly, you must put in place protective, detective, and mitigation measures to protect your organization.

This document is intended for security architects and administrators. It describes the best practices that you can take to help protect your Google Cloud resources from cryptocurrency mining attacks and to help mitigate the impact should an attack occur.

Identify your threat vectors

To determine your organization's exposure to cryptocurrency mining attacks, you must identify the threat vectors that apply to your organization.

The November 2021 Threat Horizons report indicates that most attackers exploit vulnerabilities such as the following:

  • Weak password or no password for user accounts
  • Weak or no authentication for Google Cloud APIs
  • Vulnerabilities in third-party software
  • Misconfigurations in your Google Cloud environment or in third-party applications that you're running on Google Cloud
  • Leaked credentials, such as service account keys published in public GitHub repositories

In addition, you can subscribe to and review the following documents for a list of threat vectors:

After you identify the threat vectors that apply to you, you can use the remaining best practices in this document to help address them.

Protect accounts and account credentials

Attackers can exploit unguarded or mismanaged accounts to gain access to your Compute Engine resources. Google Cloud includes different options that you can configure to manage accounts and groups.

Restrict access to your cloud environment

The following organization policy constraints let you define who can access your cloud environment:

  • Domain restricted sharing: Specify which customer IDs for Cloud Identity or Google Workspace are valid.
  • Allowed AWS accounts that can be configured for workload identity federation in Cloud IAM: In a hybrid cloud environment, define which AWS accounts can use workload identity federation.
  • Allowed external identity providers for workloads: In a hybrid cloud environment, define which identity providers your workloads can use.

Set up MFA or 2FA

Cloud Identity supports multi-factor authentication (MFA) using various methods. Configure MFA, particularly for your privileged accounts. For more information, see Enforce uniform MFA to company-owned resources.

To help prevent phishing attacks that can lead to cryptocurrency mining attacks, use Titan Security Keys for two-factor authentication (2FA).

Configure least privilege

Least privilege ensures that users and services only have the access that they require to perform their specific tasks. Least privilege slows down the ability of attacks to spread throughout an organization because an attacker can't easily escalate their privileges.

To meet your organization's needs, use the fine-grained policies, roles, and permissions in Identity and Access Management (IAM). In addition, analyze your permissions regularly using role recommender and Policy Analyzer. Role recommender uses machine learning to analyze your settings and provide recommendations to help ensure that your role settings adhere to the principle of least privilege. Policy Analyzer lets you see which accounts have access to your cloud resources.

Monitor accounts

If you use groups to assign IAM policies, monitor the group logs to ensure that non-corporate accounts aren't added. In addition, restrict the identities, based on Cloud Identity or Google Workspace domains, that can access your resources. For more information, see Restricting identities by domain.

Ensure that your offboarding procedures include processes to deactivate accounts and reset permissions when employees leave your organization or change roles. For more information, see Revoking Access to Google Cloud.

To audit your users and groups, see Audit logs for Google Workspace.
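The two checks described above, least privilege and restricting identities by domain, can be applied to an exported IAM policy before it reaches a reviewer. The script below is an added example, not code from Google Cloud or from this document: it reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and reports public principals, identities outside the allowed domains, service accounts from foreign projects, and basic roles (roles/owner, roles/editor). The sample policy, the allowed domains, and the allowed service-account projects are constructed assumptions.

```python
"""Audit an exported IAM policy for grants that break least privilege or
domain restrictions.

Added example; not code from the Google Cloud page. The input is the JSON
shape returned by `gcloud projects get-iam-policy PROJECT --format=json`.
The sample policy, the allowed domains and the allowed service-account
projects below are constructed assumptions, not real accounts or projects.
"""
import json

# Assumption: the Cloud Identity / Google Workspace domains that may hold
# bindings (the same idea as the "Domain restricted sharing" constraint).
ALLOWED_DOMAINS = {"example.com"}
# Assumption: projects whose service accounts may be granted roles here.
ALLOWED_PROJECTS = {"proj-example"}
# Basic roles grant far more than any single task needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Principals that make a resource reachable by anyone on the internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (fictitious identities).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@gmail.com"]},
        {"role": "roles/compute.viewer",
         "members": ["group:sre@example.com", "allUsers"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:ci@proj-example.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyz=",
})


def member_domain(member):
    """Return the domain part of a user:/group:/serviceAccount:/domain: member."""
    kind, _, identity = member.partition(":")
    if kind in ("user", "group", "serviceAccount") and "@" in identity:
        return identity.rsplit("@", 1)[1]
    if kind == "domain":
        return identity
    return None


def sa_project(domain):
    """Project id of a user-created service account domain, else None."""
    suffix = ".iam.gserviceaccount.com"
    if domain and domain.endswith(suffix):
        return domain[: -len(suffix)]
    return None


def audit_policy(policy_json, allowed_domains=ALLOWED_DOMAINS,
                 allowed_projects=ALLOWED_PROJECTS):
    """Return (severity, role, member, reason) tuples for risky bindings."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "public principal"))
                continue
            domain = member_domain(member)
            project = sa_project(domain)
            if project is not None:
                if project not in allowed_projects:
                    findings.append(("HIGH", role, member,
                                     "service account from a foreign project"))
            elif domain not in allowed_domains:
                findings.append(("HIGH", role, member,
                                 "identity outside the allowed domains"))
            if role in BROAD_ROLES:
                findings.append(("MEDIUM", role, member,
                                 "basic role; replace with a predefined or custom role"))
    return findings


if __name__ == "__main__":
    for severity, role, member, reason in audit_policy(SAMPLE_POLICY):
        print(f"{severity:6} {role:32} {member:55} {reason}")
```

Run it against a real export by replacing SAMPLE_POLICY with the file contents; the findings are a starting point for the role recommender and Policy Analyzer review described above, not a replacement for them.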

Reduce internet exposure to your Compute Engine and GKE resources

Reducing internet exposure means that attackers have fewer opportunities to find and exploit vulnerabilities. This section describes the best practices that help protect your Compute Engine VMs and your Google Kubernetes Engine (GKE) clusters from internet exposure.

Restrict external traffic

Do not assign external IP addresses to your VMs. You can use the Disable VPC External IPv6 usage organization policy constraint to deny external IP addresses to all VMs. To view which VMs have publicly accessible IP addresses, see Locating IP addresses for an instance. If your architecture requires external IP addresses for your VMs, use the Define allowed external IPs for VM instances organization policy, which lets you define a list of instance names that are permitted to have external IP addresses.
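To check the inventory against that allowlist outside the console, the following added example (not code from Google Cloud or from this document) reads the JSON that `gcloud compute instances list --format=json` emits and lists every VM holding an external address that is not on the permitted list. The instance records are constructed with documentation-range addresses, and ALLOWED_EXTERNAL is an assumption standing in for the instance names you would place in the Define allowed external IPs for VM instances policy.

```python
"""Find VMs that carry an external IP address that is not on an allowlist.

Added example; not code from the Google Cloud page. The input is the JSON
emitted by `gcloud compute instances list --format=json`, of which only the
name and networkInterfaces[].accessConfigs[].natIP fields are read
(ipv6AccessConfigs[].externalIpv6 is read for IPv6). The instance list and
ALLOWED_EXTERNAL below are constructed; ALLOWED_EXTERNAL stands in for the
instance names you would put in the "Define allowed external IPs for VM
instances" organization policy.
"""
import json

ZONE = "https://www.googleapis.com/compute/v1/projects/proj-example/zones/"

# Assumption: instances that legitimately need a public address.
ALLOWED_EXTERNAL = {"bastion-1"}

# Constructed sample output (documentation-range addresses, fictitious names).
SAMPLE_INSTANCES = json.dumps([
    {"name": "bastion-1", "zone": ZONE + "us-central1-a",
     "networkInterfaces": [{"networkIP": "10.0.0.2", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "worker-7", "zone": ZONE + "us-central1-a",
     "networkInterfaces": [{"networkIP": "10.0.0.7", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.11"}]}]},
    {"name": "db-1", "zone": ZONE + "us-central1-b",
     "networkInterfaces": [{"networkIP": "10.0.0.9"}]},
])


def external_ips(instance):
    """Every public IPv4/IPv6 address attached to the instance's NICs."""
    ips = []
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                ips.append(cfg["natIP"])
        for cfg in nic.get("ipv6AccessConfigs", []):
            if cfg.get("externalIpv6"):
                ips.append(cfg["externalIpv6"])
    return ips


def find_exposed(instances_json, allowed=ALLOWED_EXTERNAL):
    """Map instance name -> external IPs for instances outside the allowlist."""
    exposed = {}
    for inst in json.loads(instances_json):
        ips = external_ips(inst)
        if ips and inst["name"] not in allowed:
            exposed[inst["name"]] = ips
    return exposed


if __name__ == "__main__":
    for name, ips in find_exposed(SAMPLE_INSTANCES).items():
        print(f"{name}: external IP(s) {', '.join(ips)} not permitted by policy")
```

A VM that appears here either needs to be moved behind Cloud NAT or a load balancer, or needs to be added to the policy's allowlist deliberately.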

Restrict GKE nodes to internal IP addresses only. For more information, see Creating a private cluster.

Restrict inbound (ingress) and outbound (egress) traffic to the internet for all resources in your projects. For more information, see VPC firewall rules and Hierarchical firewall policies.

For more information about restricting external traffic, such as configuring Cloud NAT to allow outgoing communications for VMs without external IP addresses or using a proxy load balancer for incoming communications, see Securely connecting to VM instances.

Use service perimeters

Create a service perimeter for your Compute Engine and GKE resources using VPC Service Controls. VPC Service Controls lets you control communications to your Compute Engine resources from outside of the perimeter. Service perimeters allow free communication within the perimeter, block data exfiltration, and block service communication from outside the perimeter. Use context-aware access attributes like IP addresses and users' identities to further control access to Google Cloud services from the internet.

Set up zero trust security

Set up zero trust security with BeyondCorp Enterprise. BeyondCorp Enterprise provides threat and data protection and access controls. If your workloads are located both on-premises and in Google Cloud, configure Identity-Aware Proxy (IAP). Configure TCP forwarding to control who can access administrative services like SSH and RDP on your Google Cloud resources from the public internet. TCP forwarding prevents these services from being openly exposed to the internet.

Secure your Compute Engine and GKE resources

Cryptocurrency mining requires access to your Compute Engine and GKE resources. This section describes the best practices that will help you secure your Compute Engine and GKE resources.

Secure your VM images

Use hardened and curated VM images by configuring Shielded VM. Shielded VM is designed to prevent malicious code such as kernel-level malware or rootkits from being loaded during the boot cycle. Shielded VM provides boot security, monitors integrity, and uses the Virtual Trusted Platform Module (vTPM).

To restrict which images can be deployed, you can implement trusted image policies. The Define trusted image projects organization policy defines which projects can store images and persistent disks. Ensure that only trusted and maintained images exist in those projects.

In GKE, ensure that your containers use base images, which are regularly updated with security patches. Also, consider distroless container images that include only your application and its runtime dependencies.

Secure SSH access to VMs

Configure OS Login to manage SSH access to the VMs running in Compute Engine. OS Login simplifies SSH access management by linking your administrator's Linux user account to their Google identity. OS Login works with IAM so that you can define the privileges that administrators have.

For more information, see Protect VMs and containers.

Restrict service accounts

A service account is a Google Cloud account that workloads use to call the Google API of a service.

Do not permit Google Cloud to assign default service account roles to resources when they are created. For more information, see Restricting service account usage.

If your applications are running outside of Google Cloud, and yet require access to Google Cloud resources, do not use service account keys. Instead, implement workload identity federation to manage external identities and the permissions that you associate with them. For GKE, you can implement workload identities. For more information, see Alternatives to service accounts.

For more best practices that help secure service accounts, see Best practices for working with service accounts.

Monitor usage of service accounts and service account keys

Set up monitoring so that you can track how service accounts and service account keys are being used in your organization. To get visibility into notable usage patterns, use service account insights. For example, you can use service account insights to track how permissions are used in your projects and to identify unused service accounts. To see when your service accounts and keys were last used to call a Google API for authentication activities, view recent usage for service accounts and service account keys.

Monitor and patch VMs and containers

To start a cryptocurrency mining attack, attackers often exploit misconfigurations and software vulnerabilities to gain access to Compute Engine and GKE resources.

To obtain insight into the vulnerabilities and misconfigurations that apply to your environment, use Security Health Analytics to scan your resources. In particular, if you use Security Command Center Premium, review any Compute Engine instance findings and Container findings and set up processes to resolve them quickly.

Use Container Analysis to check for vulnerabilities in the container images that you store in Artifact Registry or Container Registry.

Ensure that your organization can deploy patches as soon as they are available. You can use OS patch management for Compute Engine. Google automatically patches vulnerabilities in GKE. For more information, see Keep your images and clusters up to date.

Protect your applications using a WAF

Attackers can try to access your network by finding Layer 7 vulnerabilities within your deployed applications. To help mitigate against these attacks, configure Google Cloud Armor, which is a web application firewall (WAF) that uses Layer 7 filtering and security policies. Google Cloud Armor provides denial of service (DoS) and WAF protection for applications and services hosted on Google Cloud, on your premises, or on other clouds.

Google Cloud Armor includes a WAF rule to help address Apache Log4j vulnerabilities. Attackers can use Log4j vulnerabilities to introduce malware that can perform unauthorized cryptocurrency mining. For more information, see Google Cloud Armor WAF rule to help address Apache Log4j vulnerability.

Secure your supply chain

Continuous integration and continuous delivery (CI/CD) provides a mechanism for getting your latest functionality to your customers quickly. To help prevent cryptocurrency mining attacks against your pipeline, perform code analysis and monitor your pipeline for malicious attacks.

Implement Binary Authorization to ensure that all images are signed by trusted authorities during the development process and then enforce signature validation when you deploy the images.

Move security checks to as early in the CI/CD process as possible (sometimes referred to as shifting left). For more information, see Shifting left on security: Securing software supply chains. For information on setting up a secure supply chain with GKE, see Help secure software supply chains on Google Kubernetes Engine.

Manage secrets and keys

A key attack vector for unauthorized cryptocurrency mining attacks is insecure or leaked secrets. This section describes the best practices that you can use to help protect your secrets and encryption keys.

Rotate encryption keys regularly

Ensure that all encryption keys are rotated regularly. If Cloud KMS manages your encryption keys, you can rotate your encryption keys automatically.

If you use service accounts that have Google-managed key pairs, the keys are also automatically rotated.

Avoid downloading secrets

Exposed secrets are a key attack vector. If at all possible, do not download encryption keys or other secrets, including service account keys. If you must download keys, ensure that your organization has a key rotation process in place.
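The monitoring of service account keys described earlier (see Monitor usage of service accounts and service account keys) and the rotation process required here can be checked with one script. The following is an added example, not code from Google Cloud or from this document: it reads the JSON that `gcloud iam service-accounts keys list --iam-account=SA --format=json` returns and reports every user-managed (downloadable) key, marking those older than the rotation limit. Google-managed key pairs (keyType SYSTEM_MANAGED) are skipped because Google rotates them. The key records are constructed, and MAX_KEY_AGE_DAYS is an assumed rotation policy.

```python
"""Flag user-managed service account keys that are overdue for rotation.

Added example; not code from the Google Cloud page. The input is the JSON
from `gcloud iam service-accounts keys list --iam-account=SA --format=json`
(name, keyType, validAfterTime, validBeforeTime fields). The keys below are
constructed, and MAX_KEY_AGE_DAYS is an assumed rotation policy. Keys with
keyType SYSTEM_MANAGED are the Google-managed pairs, which rotate on their
own, so only USER_MANAGED keys (the downloadable kind) are reported.
"""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumption: organizational rotation policy

# Constructed resource name prefix (fictitious project and account).
SA = "projects/proj-example/serviceAccounts/ci@proj-example.iam.gserviceaccount.com/keys/"

SAMPLE_KEYS = json.dumps([
    {"name": SA + "k1", "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-03-20T00:00:00Z", "validBeforeTime": "2024-04-05T00:00:00Z"},
    {"name": SA + "k2", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2023-10-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "k3", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
])


def parse_rfc3339(ts):
    """Parse the Z-suffixed timestamps gcloud prints into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_keys(keys_json, as_of, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (key_id, age_days, status) for every user-managed key.

    as_of may be an aware datetime or an RFC 3339 string; passing a fixed
    value makes the check reproducible in tests and reports.
    """
    if isinstance(as_of, str):
        as_of = parse_rfc3339(as_of)
    results = []
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            continue  # Google-managed key pairs are rotated automatically
        key_id = key["name"].rsplit("/", 1)[1]
        age = (as_of - parse_rfc3339(key["validAfterTime"])).days
        status = "ROTATE_OVERDUE" if age > max_age_days else "USER_MANAGED_PRESENT"
        results.append((key_id, age, status))
    return results


if __name__ == "__main__":
    for key_id, age, status in check_keys(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(f"{key_id}: {age} days old -> {status}")
```

Any USER_MANAGED key is worth a second look even when it is fresh, since the recommendation above is to avoid downloading keys at all; the ROTATE_OVERDUE entries are the ones your rotation process has missed.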

If you are using GitHub or other public repositories, you must avoid leaking credentials. Implement tools such as secret scanning, which warns you about exposed secrets in your GitHub repositories. To stop keys from being committed to your GitHub repositories, consider using tools such as git-secrets.
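To show what a pre-commit credential check of the kind git-secrets performs looks like for Google Cloud material, here is an added example (not code from Google Cloud, from git-secrets, or from this document). It recognizes a downloaded service account key (a JSON document with "type": "service_account" and a "private_key" field) as well as bare PEM private key blocks and API keys in any text file, and exits non-zero when anything is found. The staged files are constructed and the key material is a placeholder.

```python
"""Pre-commit style scan for Google Cloud credentials in files about to be
committed.

Added example; not code from the page or from the GitHub secret scanning /
git-secrets tools it mentions. It recognises two shapes: a downloaded
service account key (a JSON document with "type": "service_account" and a
"private_key" field) and bare credential material such as PEM private key
blocks and API keys. The files below are constructed; the key material is
a placeholder, not a real key.
"""
import json
import re
import sys

PATTERNS = {
    "PEM private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # Google API keys are "AIza" followed by 35 URL-safe characters.
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Constructed staged files (paths and contents are fictitious).
SAMPLE_FILES = {
    "deploy/key.json": json.dumps({
        "type": "service_account",
        "project_id": "proj-example",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
        "client_email": "ci@proj-example.iam.gserviceaccount.com",
    }, indent=2),
    "app/config.py": 'PROJECT = "proj-example"\nMAPS_KEY = "AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234"\n',
    "README.md": "# Service\nRun `make deploy` after authenticating with gcloud.\n",
}


def is_service_account_key(text):
    """True if the text is a service account key JSON file."""
    try:
        obj = json.loads(text)
    except ValueError:
        return False
    return (isinstance(obj, dict) and obj.get("type") == "service_account"
            and "private_key" in obj)


def scan_file(path, text):
    """Return (path, line_no, kind) findings for one file."""
    if is_service_account_key(text):
        # The whole file is the secret; one finding is enough.
        return [(path, 1, "service account key file")]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, kind))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; returns all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, line_no, kind in hits:
        print(f"{path}:{line_no}: {kind}")
    # A non-zero exit blocks the commit when wired in as a pre-commit hook.
    sys.exit(1 if hits else 0)
```

When wired in as a Git pre-commit hook, replace SAMPLE_FILES with the staged file contents; a key that is caught here still has to be treated as exposed if it was ever pushed, so rotation follows, not just removal from the history.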

Use secret management solutions such as Secret Manager and HashiCorp Vault to store your secrets, rotate them regularly, and apply least privilege.

Detect anomalous activity

To monitor for anomalous activity, configure Google Cloud and third-party monitoring tools and set up alerts. For example, configure alerts based on administrator activity in Compute Engine audit logging information and GKE audit logs.

In addition, use Event Threat Detection in the Security Command Center to identify threats that are based on administrator activities, Google Groups changes, and IAM permission changes.

To help detect network-based threats such as malware, configure Cloud IDS.
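The administrator-activity alerts suggested above can be prototyped against exported Compute Engine audit logs before they are turned into real alerting policies. The following is an added example, not code from Google Cloud, Event Threat Detection, or this document. It runs three detections over constructed Cloud Audit Logs entries for instances.insert: VM creation by an identity outside the corporate domains, a burst of VM creations by one principal in a short window, and creation of GPU-equipped VMs in a project not tagged as HPC (the distinction the incident response section later asks you to be able to make). The entries follow the Cloud Audit Logs field names (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, resource.labels.project_id, timestamp); that protoPayload.request carries the instance body with guestAccelerators is an assumption, as are ALLOWED_DOMAINS, HPC_PROJECTS and the burst thresholds.

```python
"""Run three defender-side detections over Compute Engine admin activity
audit log entries.

Added example; not code from the Google Cloud page and not a substitute for
Event Threat Detection. The entries are constructed in the Cloud Audit Logs
shape (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail,
resource.labels.project_id, timestamp). Whether protoPayload.request carries
the instance body with guestAccelerators, as used here, is an assumption.
ALLOWED_DOMAINS, HPC_PROJECTS and the burst thresholds are also assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

ALLOWED_DOMAINS = {"example.com"}   # assumption: corporate identity domains
HPC_PROJECTS = {"proj-hpc"}         # assumption: projects tagged as HPC-enabled
BURST_THRESHOLD = 5                 # inserts by one principal ...
BURST_WINDOW_SEC = 120              # ... within this many seconds


def insert_entry(principal, project, name, ts, gpu=False):
    """Construct one instances.insert admin activity entry (sample data)."""
    request = {"name": name,
               "machineType": "zones/us-central1-a/machineTypes/n1-standard-8"}
    if gpu:
        request["guestAccelerators"] = [
            {"acceleratorType": "zones/us-central1-a/acceleratorTypes/nvidia-tesla-t4",
             "acceleratorCount": 1}]
    return {
        "timestamp": ts,
        "severity": "NOTICE",
        "resource": {"type": "gce_instance", "labels": {"project_id": project}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": f"projects/{project}/zones/us-central1-a/instances/{name}",
            "request": request,
        },
    }


# Constructed log: six quick inserts by an outside identity, one GPU VM in a
# normal project, one GPU VM in the HPC project (expected, not flagged).
SAMPLE_LOG = [insert_entry("bob@gmail.com", "proj-example", f"vm-{i}",
                           f"2024-04-01T10:00:{i * 10:02d}Z") for i in range(6)]
SAMPLE_LOG.append(insert_entry("alice@example.com", "proj-example", "gpu-1",
                               "2024-04-01T11:00:00Z", gpu=True))
SAMPLE_LOG.append(insert_entry("alice@example.com", "proj-hpc", "sim-1",
                               "2024-04-01T11:05:00Z", gpu=True))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def max_in_window(times, window_sec):
    """Largest number of timestamps that fall inside any window of window_sec."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_sec:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(entries):
    """Return (rule, principal, detail) findings for the three rules."""
    findings = []
    inserts = defaultdict(list)
    external = set()
    for entry in entries:
        pp = entry["protoPayload"]
        if pp.get("methodName") != "v1.compute.instances.insert":
            continue
        principal = pp["authenticationInfo"]["principalEmail"]
        project = entry["resource"]["labels"]["project_id"]
        inserts[principal].append(parse_ts(entry["timestamp"]))
        domain = principal.rsplit("@", 1)[-1]
        if domain not in ALLOWED_DOMAINS and not domain.endswith(".gserviceaccount.com"):
            external.add(principal)
        if pp.get("request", {}).get("guestAccelerators") and project not in HPC_PROJECTS:
            findings.append(("gpu_outside_hpc", principal, pp["resourceName"]))
    for principal in sorted(external):
        findings.append(("external_principal", principal,
                         "created VMs from a non-corporate identity"))
    for principal, times in inserts.items():
        peak = max_in_window(times, BURST_WINDOW_SEC)
        if peak >= BURST_THRESHOLD:
            findings.append(("instance_burst", principal,
                             f"{peak} inserts within {BURST_WINDOW_SEC}s"))
    return findings


if __name__ == "__main__":
    for rule, principal, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {principal:25} {detail}")
```

The HPC exemption is what keeps the GPU rule from paging on legitimate compute; tune BURST_THRESHOLD against your own autoscaling patterns, since managed instance groups also create VMs in bursts and should be recognized by their service account rather than silenced wholesale.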

Update your incident response plan

Ensure that your incident response plan and your playbooks provide prescriptive guidance for how your organization will respond to cryptocurrency mining attacks. For example, ensure that your plan includes the following:

  • How to file a support case with Cloud Customer Care and contact your Google technical account manager (TAM). If you do not have a support account, review the available support plans and create one.
  • How to tell the difference between legitimate high performance computing (HPC) workloads and cryptocurrency mining attacks. For example, you can tag which projects have HPC enabled, and set up alerts for unexpected cost increases.
  • How to deal with compromised Google Cloud credentials.
  • How to quarantine infected systems and restore from healthy backups.
  • Who in your organization must be notified to investigate and respond to the attack.
  • What information needs to be logged for your retrospective activities.
  • How to verify that your remediation activities effectively removed the mining activities and addressed the initial vulnerability that led to the attack.
  • How to respond to an alert sent from Cloud Customer Care. For more information, see Policy violations FAQ.

For more information, see Respond to and recover from attacks.

Implement a disaster recovery plan

To prepare for a cryptocurrency mining attack, complete business continuity and disaster recovery plans, create an incident response playbook, and perform tabletop exercises.

If unauthorized cryptocurrency mining occurs, ensure that you can address the threat vector that caused the initial breach and that you can reconstruct your environment from a known good state. Your disaster recovery plan must provide for the ability to determine what a known good state is so that the attacker can't repeatedly use the same vulnerabilities to exploit your resources.

What's next
