Google’s Cybersecurity Action Team Threat Horizons Report #4 is out!


This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth report on threat horizons (full version) that we just published (the official blog for report #1, my unofficial blog for #2, my unofficial blog for #3).

My favorite quotes from the report are:

  • “in the second quarter, threat actors frequently targeted weak and default password issues for an initial compromise, taking into account more than half of the identified incidents.” [A.C. — that is not ‘Q2 of 1998’, that is 2022! Especially the ‘no credentials’ part, which to me smells like the 1980s, not even the 1990s]
[Figure: TH #4 Cloud Compromise Factors — Google Cloud]
  • “Once inside, threat actors frequently engaged in cryptomining, which represents nearly two-thirds of incidents (65%).” and “cryptominer attacks are often partially or fully automated, which significantly reduces their time to exploit an available vulnerability.”
  • “The high level of SSH activity suggests that organizations use no credentials or default credentials when creating cloud instances.” [A.C. — somebody from the IR firm whose name starts with ‘M’ told me the other week that ‘in the cloud, they still have the mid-2000s in regards to some security practices’ and this is a great, if sad, example of that!]
  • “Checks fail to identify the nefarious nature of malicious assets because they check the context and external characteristics of assets, instead of exploring their contents in greater depth.” and “10% of known and popular websites distribute malware.” The “legitimacy of malware is inherited from credible hosts.” [A.C. — this to me is a fun reminder that naïve badness ‘blocklists’ fail]
  • There is a lot of signed malware because “attackers often fraudulently accessed signing workflows or signing authorities to sign their code — increase the likelihood of downstream acceptance” [A.C. — the news here is not that they do, but that nasty “o” word — “often”]
  • “Kimsuky, a nation-state threat actor, was observed by Volexity researchers accessing users’ Gmail account data through a hidden Chrome browser extension known as SHARPEXT. The group […] was able to install a malicious browser extension via phishing, taking advantage of pre-authenticated browser activity to read and exfiltrate data from other services such as Gmail content” and “the installation of a developer mode browser extension which, through a DevTools workaround, has its security warnings removed and targets a user’s data accessible in the cloud” [A.C. — this is reasonably notable, and fairly scary too!]
  • …and a helpful reminder here that “increased productivity provided by seamless single sign-on also provides broader access for attackers to otherwise confidential data.” [A.C. — ‘login once — get everywhere’ [if done wrong] helps both good and bad actors unless zero trust is equally well done]
  • “they brutally forced the password of the instance and have enrolled their own device in the NGO’s Multi-Factor Authentication (MFA) process” [A.C. — another reminder that MFA is not useful if anybody can enroll a malicious device into it]
  • “Threat groups have been observed leveraging compromised service account credentials to run expensive cryptomining workloads in customer environments, but greater concern would arise if they chose to keep these actions secret and leverage the access for other nefarious activities.” [A.C. — to me, this reminds us that relying on attackers being very noisy for detection is not a great strategy]

Now go read the report!

Google’s Cybersecurity Action Team Threat Horizons Report #4 is out! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a syndicated blog from the Stories Security Bloggers Network by Anton Chuvakin on Medium written by Anton Chuvakin.