Google warns companies about keeping hackers out of cloud infrastructure
Malicious hackers are increasingly trying to infiltrate cloud infrastructure to pull off a wide range of cyberattacks, and Google Cloud urges companies to remain vigilant to protect their customers, the company said in a report released Thursday.
“I think over the next few years we’re going to see the threat landscape change significantly, with more people adopting cloud, with AI large language models, and with mobile being so dependent on cloud as well,” said Matt Shelton, head of threat research and analysis at Google Cloud.
One of the growing threats the report warns about is a spate of source code hacks and leaks. The most common causes of source code leaks are credential or token compromise, third-party compromise, misconfiguration and insider threats, researchers note. In some cases, hackers are attacking pipelines that allow companies to push software updates from the cloud.
“Financially motivated actors regularly attempt to monetize source code through extortion or by offering it for sale in underground forums,” according to the report. Recent underground forum advertisements found by Mandiant boasted selling code for admin access to a Canadian point-of-sale software provider and source code and backups and PII allegedly stolen from a Chinese technology company.
Google Cloud researchers note that companies need to worry about hackers using their cloud environments to launch attacks, not just to attack a company from within. “Google has done a lot of work to make sure that we protect both users in the cloud who are our customers and who are victims, but we also put a lot of work into making sure our cloud isn’t used as a mechanism to target other users,” said Shelton.
For instance, the Thursday report warned that researchers had found 13 customer domains and one IP hosted on Google Cloud that were compromised earlier this year to allow for the download of malicious files.
Researchers at Google have also found some apps skirting Google Play security rules to upload malicious updates to apps, according to a new report Thursday.
The malicious actors are able to circumvent the security controls by uploading a non-malicious version of the app and then updating it later with code that enables malicious activity. That security update is stored not on the Google Play store but on the attacker’s infrastructure.
One popular variant researchers found was a malware called SharkBot, a banking malware with initiates money transfers from an infected device through credential harvesting or other manipulation. While actors appear to be financially motivated there have been some cases of nation-state actors using the technique, according to Matt Shelton.
The report also raises concerns about the growing number of attacks against the telecommunications industry, noting sustained attacks from China-backed groups focused on Taiwan, the Philippines and Malaysia.
“Critical telecom infrastructure such as wireless and satellite communications may face state-sponsored cyber threats,” the report notes. “Officials worldwide have expressed concern that Chinese state control over 5G telecom vendors could allow for Chinese state influence over data flows, which has resulted in equipment bans in North America, Europe, and Asia.”
Google isn’t the only party concerned about cloud security. Both European and U.S. officials have called for greater security requirements for cloud providers.
