Google's Cybersecurity Action Team has released its first "threat horizon" report on the scary things it's found on the internet.
The advertising giant launched the Team in October 2021, when execs said its ambition was to become "the world's premier security advisory team" and dispense advice that will improve cyber resilience for all.
The Team's first report offers six nuggets of intelligence, and The Register believes none will surprise readers.
One describes a North Korean government-backed attacker group that has moved on from attacking security researchers and now poses as recruitment consultants from Samsung. The group targets staff at South Korean anti-malware developers and sends them poisoned PDFs that, if opened, drop an executable allowing limited remote control of the victim's PC.
The report says it's a significant attack because sites like LinkedIn let crims research targets for email-borne attacks, while PDF readers remain a fine way to compromise systems.
Thanks for the intelligence from 2010, Google – spear phishing is not new!
Google did offer a more novel phishing finding, in the news that Russia's state-backed Fancy Bear (APT28) crew has tried to reuse code it deployed in an attack on Yahoo! Mail to attack Gmail. Fancy Bear's lazy graphic designers couldn't match Google's CSS, so the login pages sent to targets looked a little bit off. Google has warned us all to watch out for that sort of thing.
Another flash of insight from the report advises that analysis of 50 recently hijacked Google Cloud instances revealed 86 per cent were put to work mining cryptocurrency. Crims got in because, in 48 per cent of cases, operators didn't have a password, had a weak password, or didn't bother authenticating APIs.
"Google Cloud customers who stand up non-secure Cloud instances will likely be detected and attacked in a relatively short period of time," the Team warns.
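For readers who would rather not join the 48 per cent, here is an added example (not code from Google or its report) that audits the JSON you get from `gcloud compute firewall-rules list --format=json` and flags enabled ingress rules that expose SSH, RDP or a commonly unauthenticated service API (Docker, Redis, Jupyter and friends) to 0.0.0.0/0. The port-to-service table and the sample rules are constructed for the example; the real report gives no port list.

```python
"""Flag GCE firewall rules that expose admin ports or service APIs to the whole internet.

Added example: reads the JSON shape produced by
`gcloud compute firewall-rules list --format=json` (fields name, direction,
disabled, sourceRanges, allowed[].IPProtocol, allowed[].ports).
"""
import ipaddress
import json
import sys

# Assumption for this example: services that are frequently deployed without
# authentication and therefore should never be reachable from 0.0.0.0/0.
RISKY_PORTS = {
    22: "ssh", 3389: "rdp",
    2375: "docker-api (plain)", 2376: "docker-api (tls)",
    6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
    8888: "jupyter", 6443: "kubernetes-api", 10250: "kubelet",
}

# Constructed sample export, not real customer data.
SAMPLE_RULES = json.loads("""[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "dev-docker", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["2375-2376", "8888"]}]},
  {"name": "internal-redis", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["6379"]}]},
  {"name": "old-wide-open", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]""")


def _is_world_open(source_ranges):
    """True if any source range is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in source_ranges)


def _risky_ports_in(port_specs):
    """Expand gcloud port specs ("22", "8000-9000") to the risky ports they cover.

    An empty spec list means the rule allows every port of that protocol.
    """
    if not port_specs:
        return set(RISKY_PORTS)
    hit = set()
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        hit.update(p for p in RISKY_PORTS if lo <= p <= hi)
    return hit


def find_exposed_services(rules):
    """Return (rule name, port, service) for enabled ingress rules that allow
    TCP to a risky port from the whole internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not _is_world_open(rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "").lower()
            if proto not in ("tcp", "all"):
                continue
            for port in sorted(_risky_ports_in(allowed.get("ports", []))):
                findings.append((rule["name"], port, RISKY_PORTS[port]))
    return findings


if __name__ == "__main__":
    # Usage: python audit_fw.py rules.json   (or no argument to run the sample)
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for name, port, service in find_exposed_services(rules):
        print(f"{name}: tcp/{port} ({service}) open to 0.0.0.0/0")
```

On the sample this reports the default SSH rule and the three Docker/Jupyter ports in `dev-docker`; the Redis rule is skipped because it is limited to RFC 1918 space, and the disabled catch-all is skipped until someone re-enables it. A world-open port is not a compromise on its own, but it is exactly the exposure that turns a blank password or an unauthenticated API into the report's 86 per cent cryptominer.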
Thanks, Google! We're not sure Reg readers could have figured out that authentication and security are good ideas all on their own. A look at the very nasty BlackMatter ransomware is accompanied by the following piercing analysis:
The presence of BlackMatter ransomware on a network is an indication that a network has been compromised through another means.
Which clears things up nicely. We thought ransomware was brought by a stork.
The Team also spotted abuse of the free tier of Google's cloud to generate bogus YouTube traffic – another attack your correspondent fancies readers may have encountered before.
The Register will leave it to you, dear reader, to determine whether or (cough) not (cough) the document meets Google's aim of delivering "the world's best security advice".
Perhaps future reports, which are promised to offer "Early Warning announcements about emerging threats requiring immediate action" will prove a little more exciting. ®