Best practices for protecting against cryptocurrency mining attacks

Last reviewed 2023-10-20 UTC

Cryptocurrency mining (also known as bitcoin mining) is the process used to create new cryptocoins and verify transactions. Crytocurrency mining attacks occurs when attackers who gain access to your environment might also exploit your resources to run their own mining operations at your expense.

According to the November 2021 Threat Horizons report, cryptocurrency mining attacks are the most common way that attackers exploit your computing resources after they compromise your Google Cloud environment. The report also says that attackers typically download cryptocurrency mining software to your resources within 22 seconds of compromising your system. Cryptocurrency mining can rapidly increase costs, and a cryptocurrency mining attack can cause a much larger bill than you expected. Because costs can add quickly, you must put in place protective, detective, and mitigation measures to protect your organization.

This document is intended for security architects and administrators. It describes the best practices that you can take to help protect your Google Cloud resources from cryptocurrency mining attacks and to help mitigate the impact should an attack occur.

For information about how to respond to cryptocurrency alerting, see Respond to abuse notifications and warnings.

Identify your threat vectors

To determine your organization's exposure to cryptocurrency mining attacks, you must identify the threat vectors that apply to your organization.

The November 2021 Threat Horizons report indicates that most attackers exploit vulnerabilities such as the following:

  • Weak password or no password for user accounts
  • Weak or no authentication for Google Cloud APIs
  • Vulnerabilities in third-party software
  • Misconfigurations in your Google Cloud environment or in third-party applications that you're running on Google Cloud
  • Leaked credentials, such as service account keys published in public GitHub repositories

In addition, you can subscribe to and review the following documents for a list of threat vectors:

After you identify the threat vectors that apply to you, you can use the remaining best practices in this document to help address them.

Protect accounts and account credentials

Attackers can exploit unguarded or mismanaged accounts to gain access to your Compute Engine resources. Google Cloud includes different options that you can configure to manage accounts and groups.

Restrict access to your cloud environment

The following table describes the organizational policies that you can use to define who can access your cloud environment.

Organization policy constraint Description
Domain restricted sharing Specify which customer IDs for Cloud Identity or Google Workspace are valid.
Allowed AWS accounts that can be configured for workload identity federation in Cloud IAM In a hybrid cloud environment, define which AWS accounts can use workload identify federation.
Allowed external identity providers for workloads In a hybrid cloud environment, define which identity providers your workloads can use.

Set up MFA or 2FA

Cloud Identity supports multi-factor authentication (MFA) using various methods. Configure MFA, particularly for your privileged accounts. For more information, see Enforce uniform MFA to company-owned resources.

To help prevent phishing attacks that can lead to cryptocurrency mining attacks, use Titan Security Keys for two-factor authentication (2FA).

Configure least privilege

Least privilege ensures that users and services only have the access that they require to perform their specific tasks. Least privilege slows down the ability of attacks to spread throughout an organization because an attacker can't easily escalate their privileges.

To meet your organization's needs, use the fine-grained policies, roles, and permissions in Identity and Access Management (IAM). In addition, analyze your permissions regularly using role recommender and Policy Analyzer. Role recommender uses machine learning to analyze your settings and provide recommendations to help ensure that your role settings adhere to the principle of least privilege. Policy Analyzer lets you see which accounts have access to your cloud resources.

Monitor accounts

If you use groups to assign IAM policies, monitor the group logs to ensure that non-corporate accounts aren't added. In addition, restrict the identities, based on Cloud Identity or Google Workspace domains, that can access your resources. For more information, see Restricting identities by domain.

Ensure that your offboarding procedures include processes to deactivate accounts and reset permissions when employees leave your organization or change roles. For more information, see Revoking Access to Google Cloud.

To audit your users and groups, see Audit logs for Google Workspace.

Reduce internet exposure to your Compute Engine and GKE resources

Reducing internet exposure means that your attackers have fewer opportunities to find and exploit vulnerabilities. This section describes the best practices that help protect your Compute Engine VMs and your Google Kubernetes Engine (GKE) clusters from internet exposure.

Restrict external traffic

Do not assign external IP addresses to your VMs. You can use the Disable VPC External IPv6 usage organization policy constraint to deny external IP addresses to all VMs. To view which VMs have publicly accessible IP addresses, see View the network configuration for an instance. If your architecture requires external IP addresses for your VMs, use the Define allowed external IPs for VM instances organization policy, which lets you define a list of instance names that are permitted to have external IP addresses.

Restrict GKE nodes to internal IP addresses only. For more information, see Creating a private cluster.

Restrict inbound (ingress) and outbound (egress) traffic to the internet for all resources in your projects. For more information, see VPC firewall rules and Hierarchical firewall policies.

For more information about restricting external traffic, such as configuring Cloud NAT to allow outgoing communications for VMs without external IP address or using a proxy load balancer for incoming communications, see Securely connecting to VM instances.

Use service perimeters

Create a service perimeter for your Compute Engine and GKE resources using VPC Service Controls. VPC Service Controls lets you control communications to your Compute Engine resources from outside of the perimeter. Service perimeters allow free communication within the perimeter, block data exfiltration, and block service communication from outside the perimeter. Use context-aware access attributes like IP addresses and users' identities to further control access to Google Cloud services from the internet.

Set up zero trust security

Set up zero trust security with Chrome Enterprise Premium. Chrome Enterprise Premium provides threat and data protection and access controls. If your workloads are located both on-premises and in Google Cloud, configure Identity-Aware Proxy (IAP). Configure TCP forwarding to control who can access administrative services like SSH and RDP on your Google Cloud resources from the public internet. TCP forwarding prevents these services from being openly exposed to the internet.

Secure your Compute Engine and GKE resources

Cryptocurrency mining requires access to your Compute Engine and GKE resources. This section describes the best practices that will help you secure your Compute Engine and GKE resources.

Secure your VM images

Use hardened and curated VM images by configuring Shielded VM. Shielded VM is designed to prevent malicious code such as kernel-level malware or rootkits from being loaded during the boot cycle. Shielded VM provides boot security, monitors integrity, and uses the Virtual Trusted Platform Module (vTPM).

To restrict which images can be deployed, you can implement trusted image policies. The Define trusted image projects organization policy defines which projects can store images and persistent disks. Ensure that only trusted and maintained images exist in those projects.

In GKE, ensure that your containers use base images, which are regularly updated with security patches. Also, consider distroless container images that include only your application and its runtime dependencies.

Secure SSH access to VMs

Configure OS Login to manage SSH access to the VMs running in Compute Engine. OS Login simplifies SSH access management by linking your administrator's Linux user account to their Google identity. OS Login works with IAM so that you can define the privileges that administrators have.

For more information, see Protect VMs and containers.

Restrict service accounts

A service account is a Google Cloud account that workloads use to call the Google API of a service.

Do not permit Google Cloud to assign default service account roles to resources when they are created. For more information, see Restricting service account usage.

If your applications are running outside of Google Cloud, and yet require access to Google Cloud resources, do not use service account keys. Instead, implement workload identity federation to manage external identities and the permissions that you associate with them. For GKE, you can implement workload identities. For more information, see Choose the right authentication method for your use case.

For more best practices that help secure service accounts, see Best practices for working with service accounts.

Monitor usage of service accounts and service account keys

Set up monitoring so that you can track how service accounts and service account keys are being used in your organization. To get visibility into notable usage patterns, use service account insights. For example, you can use service account insights to track how permissions are used in your projects and to identify unused service accounts. To see when your service accounts and keys were last used to call a Google API for authentication activities, view recent usage for service accounts and service account keys.

Monitor and patch VMs and containers

To start a cryptocurrency mining attack, attackers often exploit misconfigurations and software vulnerabilities to gain access to Compute Engine and GKE resources.

To obtain insight into the vulnerabilities and misconfigurations that apply to your environment, use Security Health Analytics to scan your resources. In particular, if you use Security Command Center Premium, review any Compute Engine instance findings and Container findings and set up processes to resolve them quickly.

Use Artifact Analysis to check for vulnerabilities in the container images that you store in Artifact Registry or Container Registry.

Ensure that your organization can deploy patches as soon as they are available. You can use OS patch management for Compute Engine. Google automatically patches vulnerabilities in GKE. For more information, see Keep your images and clusters up to date.

Protect your applications using a WAF

Attackers can try to access your network by finding Layer 7 vulnerabilities within your deployed applications. To help mitigate against these attacks, configure Google Cloud Armor, which is a web application firewall (WAF) that uses Layer 7 filtering and security policies. Google Cloud Armor provides denial of service (DoS) and WAF protection for applications and services hosted on Google Cloud, on your premises, or on other clouds.

Google Cloud Armor includes a WAF rule to help address Apache Log4j vulnerabilities. Attackers can use Log4j vulnerabilities to introduce malware that can perform unauthorized cryptocurrency mining. For more information, see Google Cloud Armor WAF rule to help address Apache Log4j vulnerability.

Secure your supply chain

Continuous integration and continuous delivery (CI/CD) provides a mechanism for getting your latest functionality to your customers quickly. To help prevent cryptocurrency mining attacks against your pipeline, perform code analysis and monitor your pipeline for malicious attacks.

Implement Binary Authorization to ensure that all images are signed by trusted authorities during the development process and then enforce signature validation when you deploy the images.

Move security checks to as early in the CI/CD process as possible (sometimes referred to as shifting left). For more information, see Shifting left on security: Securing software supply chains. For information on setting up a secure supply chain with GKE, see Software supply chain security.

Manage secrets and keys

A key attack vector for unauthorized cryptocurrency mining attacks is insecure or leaked secrets. This section describes the best practices that you can use to help protect your secrets and encryption keys.

Rotate encryption keys regularly

Ensure that all encryption keys are rotated regularly. If Cloud KMS manages your encryption keys, you can rotate your encryption keys automatically.

If you use service accounts that have Google-owned and Google-managed encryption keys, the keys are also automatically rotated.

Avoid downloading secrets

Exposed secrets are a key attack vector for attackers. If at all possible, do not download encryption keys or other secrets, including service account keys. If you must download keys, ensure that your organization has a key rotation process in place.

If you are using GitHub or other public repository, you must avoid leaking credentials. Implement tools such as secret scanning, which warns you about exposed secrets in your GitHub repositories. To stop keys from being committed to your GitHub repositories, consider using tools such as git-secrets.

Use secret management solutions such as Secret Manager and Hashicorp Vault to store your secrets, rotate them regularly, and apply least privilege.

Detect anomalous activity

To monitor for anomalous activity, configure Google Cloud and third-party monitoring tools and set up alerts. For example, configure alerts based on administrator activity in Compute Engine audit logging information and GKE audit logs.

In addition, use Event Threat Detection in Security Command Center to identify threats that are based on administrator activities, Google Groups changes, and IAM permission changes. Use Virtual Machine Threat Detection in Security Command Center to identify threats related to your Compute Engine VMs. For more information about Security Command Center services, see Security Command Center service tiers.

To help detect network-based threats such as malware, configure Cloud IDS.

Participate in the Security Command Center Cryptomining Protection Program

If you are a Security Command Center Premium customer and use Compute Engine, you can participate in the Security Command Center Cryptomining Protection Program. This program lets you defray the Compute Engine VM costs related to undetected and unauthorized cryptomining attacks in your Compute Engine VM environment. You must implement the cryptomining detection best practices, some of which overlap with the other best practices that are described on this page.

Update your incident response plan

Ensure that your incident response plan and your playbooks provide prescriptive guidance for how your organization will respond to cryptocurrency mining attacks. For example, ensure that your plan includes the following:

  • How to file a support case with Cloud Customer Care and contact your Google technical account manager (TAM). If you do not have a support account, review the available support plans and create one.
  • How to tell the difference between legitimate high performance computing (HPC) workloads and cryptocurrency mining attacks. For example, you can tag which projects have HPC enabled, and set up alerts for unexpected cost increases.
  • How to deal with compromised Google Cloud credentials.
  • How to quarantine infected systems and restore from healthy backups.
  • Who in your organization must be notified to investigate and respond to the attack.
  • What information needs to be logged for your retrospective activities.
  • How to verify that your remediation activities effectively removed the mining activities and addressed the initial vulnerability that led to the attack.
  • How to respond to an alert sent from Cloud Customer Care. For more information, see Policy violations FAQ.

For more information, see Respond to and recover from attacks.

Implement a disaster recovery plan

To prepare for a cryptocurrency mining attack, complete business continuity and disaster recovery plans, create an incident response playbook, and perform tabletop exercises.

If unauthorized cryptocurrency mining occurs, ensure that you can address the threat vector that caused the initial breach and that you can reconstruct your environment from a known good state. Your disaster recovery plan must provide for the ability to determine what a known good state is so that the attacker can't repeatedly use the same vulnerabilities to exploit your resources.

What's next