# Threat Horizons

## Cloud Threat Intelligence November 2021. Issue 1


-----

### Providing threat intelligence to those in the Cloud

Part of offering a secure cloud computing platform is providing cloud users with cybersecurity threat
intelligence so they can better configure their environments and defenses in manners most specific to
their needs. Google's Cybersecurity Action Team is pleased to publish the first issue of Threat Horizons
report. The report is based on threat intelligence observations from the Threat Analysis Group (TAG),
Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams. It provides
actionable intelligence that enables organizations to ensure their cloud environments are best
protected against ever evolving threats. In this and future threat intelligence reports, Google will
provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging
threats requiring immediate action.

### ___

 Summary of Observations

While cloud customers continue to face a variety of threats across applications and infrastructure,
many successful attacks are due to poor hygiene and a lack of basic control implementation. Most
recently, our team has responded to cryptocurrency mining abuse, phishing campaigns, and
ransomware. Given these specific observations and general threats, organizations that put emphasis
on secure implementation, monitoring and ongoing assurance will be more successful in mitigating
these threats or at the very least reduce their overall impact.

Spear-phishing and phishing campaigns are not new to the threat landscape; TAG observed recent
attacks that targeted Gmail accounts and impersonated employment recruiters with the goal of
stealing user credentials. Attackers also continue to exploit poorly configured Cloud instances with the
goal of obtaining profit through cryptocurrency mining and traffic pumping. The universe of
ransomware also continues to expand with the discovery of some new ransomware that appears to be
offshoots of existing malware with mixed capabilities.
```
01 02 03 04 05 06

```

**Compromised**
**Google Cloud**
**instances used**
**for crypto-**
**currency mining**


**Russia group**
**launched**
**Gmail**
**phishing**
**campaign**


**Fraudsters**
**employ new**
**TTP to abuse**
**Cloud**
**resources**


**North Korea**
**actors**
**impersonate**
**employment**
**recruiters**


**Black Matter**
**ransomware**
**rises out of**
**DarkSide**


**Lessons**
**Learned**


Some poorly
configured GCP
instances are
compromised
quickly and used
for cryptocurrency
mining and other
malicious activity.


Attackers, who
typically
targeted Yahoo!
users, launched
a campaign
against Gmail
accounts.


Fraudsters sought
to abuse Cloud
resources to
generate traffic to
YouTube.


Attackers
impersonated
employment
recruiters in an
attempt to steal
credentials.


Black Matter
ransomware
found to be
formidable;
however, it does
not exfiltrate
data.


As Google Cloud
partners with its
customers in a
shared fate
security model,
some valuable
trends and
lessonslearned emerge.


##### For more information visit gcat google com


-----

While a variety of threats exist, there are a number of ways to mitigate them as well, which includes
[Container Analysis](https://cloud.google.com/container-analysis/docs) [to perform vulnerability scanning and metadata storage for containers and the Web](https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview)
[Security Scanner](https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview) [in the Security Command Center to identify security vulnerabilities. Additionally,](https://cloud.google.com/security-command-center)
Google Cloud customers should [employ two-factor authentication, enroll in the](https://www.google.com/landing/2step/) [Advanced Protection](https://landing.google.com/advancedprotection/)
[Program, whenever possible, and use](https://landing.google.com/advancedprotection/) [Google’s Work Safer, which provides companies with access to](https://workspace.google.com/lp/work-safer/)
best-in-class security for email, meetings, messages, documents, and more. Work Safer brings
together cloud-native, zero-trust solutions of Google Workspace with [BeyondCorp Enterprise.](https://services.google.com/fh/files/misc/bce-protected-profiles-whitepaper.pdf)

### Detailed Observations

##### Compromised GCP instances used for cryptocurrency mining

**Threat Description / TTPs**

Malicious actors were observed performing cryptocurrency mining within compromised Cloud
instances. Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud
**instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit**
**activity, which typically consumed CPU/GPU resources, or in cases of Chia mining, storage space.**
Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly
available resources on the Internet to identify vulnerable systems, and 8% of instances were used to
attack other targets. Table 1 lists the outcomes of compromised Google Cloud instances with an
observation that, in some instances, multiple malicious actions were performed from within a single
compromised instance. While data theft did not appear to be the objective of these compromises, it
remains a risk associated with the cloud asset compromises as bad actors start performing multiple
forms of abuse. The public Internet-facing Cloud instances were open to scanning and brute force
attacks.

##### For more information visit gcat google com


-----

Table 1: Compromised GCP instances

Resultant actions after compromise Percentage

Conduct cryptocurrency mining 86%

Conduct port scanning of other targets on the Internet 10%

Launch attacks against other targets on the Internet 8%

Host malware 6%

Host unauthorized content on the Internet 4%

Launch DDoS bot 2%

Send spam 2%

Note: Totals do not add up to 100% as some compromised instances were used to perform multiple
malicious activities.

**Malicious actors gained access to the Google Cloud instances by taking advantage of poor**
**customer security practices or vulnerable third-party software in nearly 75% of all cases. As**
shown in Table 2, 48% of compromised instances were attributed to actors gaining access to the
Internet-facing Cloud instance, which had either no password or a weak password for user accounts or
API connections. As a result, these Google Cloud instances could be easily scanned and brute forced.
26% of compromised instances were attributed to vulnerabilities in third-party software, which was
installed by the owner.

##### For more information visit gcat google com

|Resultant actions afetr compromise|Percentage|
|---|---|
|Conduct cryptocurrency mining|86%|
|Conduct por tscanning of other targets on the Internet|10%|
|Launch atatcks against other targets on the Internet|8%|
|Host malware|6%|
|Host unauthorized content on the Internet|4%|
|Launch DDoS bot|2%|
|Send spam|2%|


-----

Table 2: Exploited vulnerabilities in Cloud instances

Exploited vulnerabilities Percentage

Weak or no password for user account or no authentication for APIs 48%

Vulnerability in third-party software in the Cloud instance was exploited 26%

Other issues 12%

Misconfiguration of Cloud instance or in third-party software 12%

Leaked credentials, e.g., keys published in GitHub projects 4%

Time was of the essence in the compromise of the Google Cloud instances. The shortest amount of
**time between deploying a vulnerable Cloud instance exposed to the Internet and its**
**compromise was determined to be as little as 30 minutes. In 40% of instances the time to**
compromise was under eight hours. This suggests that the public IP address space is routinely
scanned for vulnerable Cloud instances. It will not be a matter of if a vulnerable Cloud instance is
detected, but rather when.

Analysis of the systems used to perform unauthorized cryptocurrency mining, where timeline
information was available, revealed that in 58% of situations the cryptocurrency mining software
**was downloaded to the system within 22 seconds of being compromised as shown in Figure 1.**
This suggests that the initial attacks and subsequent downloads were scripted events not requiring
human intervention. The ability to manually intervene in these situations to prevent exploitation is
nearly impossible. The best defense would be to not deploy a vulnerable system or have automated
response mechanisms.

##### For more information visit gcat google com

|Exploited vulnerabilities|Percentage|
|---|---|
|Weak or no password for user account or no authentication for APIs|48%|
|Vulnerability in third-party software in the Cloud instance was exploited|26%|
|Other issues|12%|
|Misconfgi uration of Cloud instance or in third-party software|12%|
|Leaked credentials, e.g., keys published in GitHub projects|4%|


-----

Figure 1: Time between initial compromise and download of cryptocurrency mining software

**Strategic Significance**

**Google Cloud customers who stand up non-secure Cloud instances will likely be detected and**
**attacked in a relatively short period of time. Given that most instances were used for**
cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP
address range was scanned rather than particular Google Cloud customers being targeted. The
amount of time from the launch of a vulnerable Google Cloud instance until compromise varied with
the shortest amount of time being under 30 minutes.

**Google Cloud Specific Mitigations**

Aside from the [best practices of ensuring accounts always have strong passwords, updating](https://support.google.com/cloud/answer/6262505)
third-party software prior to a cloud instance being exposed to the web, and not publishing credentials
in GitHub projects, Google customers have several different options to help mitigate risks.

[Google Cloud customers can use Container Analysis to perform vulnerability scanning and metadata](https://cloud.google.com/container-analysis/docs)
[storage for containers and the Web Security Scanner in the Security Command Center to identify](https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview)
security vulnerabilities in their App Engine, Google Kubernetes Engine, and Compute Engine web
applications. The scanner will crawl applications, following all links within the scope of the starting URL
and attempt to exercise as many user inputs and event handlers as possible.

In addition to the Web Security Scanner, Google Cloud customers have additional resources including:

  - A variety of [access control options within Compute Engine including using](https://cloud.google.com/compute/docs/access) [service accounts to](https://cloud.google.com/compute/docs/access/service-accounts)
authenticate apps instead of using user credentials.

  - [Policy Intelligence tools to help understand and manage policies to proactively improve](https://cloud.google.com/iam/docs/policy-intelligence-tools)
security configurations.

##### For more information visit gcat google com


-----

- Pre-defined configurations through [Assured Workloads](https://cloud.google.com/assured-workloads) to reduce the risk of accidental
misconfigurations by choosing from available platform security configurations, controls can be
put in place.

- [Conditional alerts in the Cloud Console to determine when resource consumption exceeds](https://cloud.google.com/monitoring/alerts/ui-conditions-ga)
certain thresholds.

- [Enforcing and monitoring password requirements for their users through the Google Admin](https://support.google.com/cloudidentity/answer/139399?hl=en)
console.

- [Recommendations for designing online applications with a password-based authentication](https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf)
system.

- [Best practices for configuring Cloud environments.](https://cloud.google.com/security/best-practices?hl=en)

##### For more information visit gcat google com


-----

##### APT28/Fancy Bear launched Gmail phishing campaign

**Threat Description / TTPs**

Based on research from TAG, the Russian government-backed attackers APT28 / Fancy Bear, which
more recently has typically targeted Yahoo! and Microsoft users, was observed at the end of
September sending a large-scale attack to approximately 12K+ Gmail accounts in a credential phishing
campaign. Google blocked these messages and no users were compromised.

[The attackers were using patterns similar to TAG’s government-backed atack alert](https://support.google.com/a/answer/9007870?hl=en) ts to lure users to
change their credentials on the attacker’s controlled phishing page. The attackers kept changing the
emails’ subject line but attackers used a variation of Critical security alert. The email body
contained the information shown in Figure 2.

Figure 2: Email body from phishing campaign
```
    There's a chance this is a false alarm, but we believe that
    government-backed attackers may be trying to trick you to get your Account
    password. We can't reveal what tipped us off because these attackers will
    adapt, but this happens to less than 0.1% of all users. If they succeed,
    they can spy on you, access your data, or take other actions using your
    account. We recommend change you password.

```
The credential phishing page, which is shown in Figure 3, appeared similar to a Gmail login page.

Figure 3: Credential Phishing Page

##### For more information visit gcat google com


-----

Upon closer inspection, TAG observed that the fonts in the phishing page did not match the fonts on
the legitimate Google owned page. This was because the attackers tried to reuse their Yahoo! toolkit
and left various Yahoo! artifacts in the Gmail HTML login page, including a specific version of Yahoo's
CSS which uses a different font making the page look slightly different. This is shown in Figure 4.

Figure 4: Artifacts from login page

The phishing messages were sent from what appeared to be compromised mail servers. This was a
change from the previous Yahoo! campaigns, which predominantly used some variant of spoofing to
send emails. In the Gmail campaigns, the majority of messages passed SPF and even the ones that did
not appeared to be misconfigured servers rather than the usual spoofing. Table 3 displays the SPF
breakdown for attacker messages.

##### For more information visit gcat google com


-----

Table 3: SPF breakdown

One significant difference between legitimate emails from the compromised mail servers and phishing
messages was the domain part of MessageId which is different and unique for every email address
domain.

Highly targeted regions for this particular campaign include the United States, United Kingdom, and
India. Other noteworthy regions include Canada, Russia, Brazil, and members of the European Union.
Figure 5 depicts the targets for this particular campaign.

Figure 5: Heatmap of targets for this particular campaign

##### For more information visit gcat google com


Figure 5: Heatmap of targets for this particular campaign


-----

**Strategic Significance**

**Phishing and spear phishing campaigns continue to use login pages that impersonate legitimate**
**Google login pages to steal credentials. While many fake pages may appear similar to Google’s own**
page, a close inspection of URLs, certificates, fonts, and graphics will identify discrepancies.

**Google Cloud Specific Mitigations**

[As with all phishing and spear phishing threats, Google customers should engage in best practices.](https://support.google.com/a/answer/9157861?hl=en)
Google [Safe Browsing will help secure many users; however, Workspace customers and Gmail users](https://safebrowsing.google.com/)
[should validate that they are providing credentials to legitimate Google sites, employ two-factor](https://www.google.com/landing/2step/)
[authentication, and enroll in the Advanced Protection Program, whenever possible.](https://www.google.com/landing/2step/)

Customers may also use [Google’s Work Safer, which provides companies with access to best-in-class](https://workspace.google.com/lp/work-safer/)
security for email, meetings, messages, documents, and more. Work Safer brings together
Cloud-native, zero-trust solutions of Google Workspace with [BeyondCorp Enterprise](https://services.google.com/fh/files/misc/bce-protected-profiles-whitepaper.pdf) for secure access
with integrated threat and data protection.

##### For more information visit gcat google com


-----

#### Fraudsters employ new TTP to abuse Cloud resources

Based on research from TAG, a group of attackers were observed abusing Cloud resources to generate
traffic to YouTube for view count manipulation. Attackers have been using various approaches to gain
free Cloud credits, including using free trial projects, abusing start up credits with fake companies, and
joining Google Developer Community for free projects. A group of attacker’s TTP for exploiting payment
was discovered recently by Google Cloud’s abuse team. Attackers were able to use free credits by
making small credit card payments and declining the payment afterward. Upon cloud abuse
enforcement, the attacker quickly switched to Qwiklab projects and the Google Cloud abuse team
pivoted to counter this offensive.

**Strategic Significance**

**Attackers have continued to exploit Google Cloud projects where free credits were provided to**
**engage in traffic pumping to YouTube, and there is a likelihood that attackers will continue to**
**exploit Cloud instances for the same purpose. Attackers, who gain access to legitimate Cloud**
instances, will exploit the platforms for various forms of financial gain. Cloud customers who are not
mindful of the consumption of their Cloud resources could be unwittingly abused.

**Google Cloud Specific Mitigations**

Aside from [best practices of ensuring accounts always have strong passwords, updating third-party](https://support.google.com/cloud/answer/6262505)
software prior to a Cloud instance being exposed to the web, and not publishing credentials in GitHub
projects, Google Cloud customers have several different options to help mitigate risks.

[Google Cloud customers can use Container Analysis to perform vulnerability scanning and metadata](https://cloud.google.com/container-analysis/docs)
storage for containers and the [Web Security Scanner in the Security Command Center to identify](https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview)
security vulnerabilities in their App Engine, Google Kubernetes Engine, and Compute Engine web
applications. The scanner will crawl applications, following all links within the scope of the starting URL
and attempt to exercise as many user input and event handlers as possible.

In addition to the Web Security Scanner, Google Cloud customers have additional resources including:

  - A variety of [access control options within Compute Engine including using](https://cloud.google.com/compute/docs/access) [service accounts to](https://cloud.google.com/compute/docs/access/service-accounts)
authenticate apps instead of using user credentials.

  - [Policy Intelligence tools to help understand and manage policies to proactively improve](https://cloud.google.com/iam/docs/policy-intelligence-tools)
security configurations.

  - Pre-defined configurations through [Assured Workloads](https://cloud.google.com/assured-workloads) to reduce the risk of accidental
misconfigurations by choosing from available platform security configurations—we’ll help put
the controls in place.

  - [Conditional alerts in the Cloud Console to determine when resource consumption exceeds](https://cloud.google.com/monitoring/alerts/ui-conditions-ga)
certain thresholds.

  - Tools to [enforce and monitor password requirements for their users](https://support.google.com/cloudidentity/answer/139399?hl=en) through the Google Admin
console.

  - These [recommendations](https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf) for designing online applications with a password-based
authentication system.

  - [Best practices for configuring Cloud environments.](https://cloud.google.com/security/best-practices?hl=en)

##### For more information visit gcat google com


-----

##### North Korea targets users by posting as employment recruiters

**Threat Description / TTPs**

[TAG observed a North Korean government-backed attacker group that previously targeted security](https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/)
[researchers posing as recruiters at Samsung and sending fake job opportunities to employees at](https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/)
multiple South Korean information security companies that sell anti-malware solutions.

The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however,
the PDFs were malformed and did not open in a standard PDF reader. When targets replied that they
could not open the job description, attackers responded with a malicious link to malware purporting to
be a “Secure PDF Reader” stored in Google Drive which has now been blocked. An example of the
initial email can be seen in Figure 6.

Figure 6: Email example used by the attackers

The Secure PDF Reader was a modified version of [PDFTron](https://www.pdftron.com/) which attempted to decode an embedded
Portable Executable (PE) and PDF from a supplied PDF. The PE was XOR encoded with a single-byte
key and in this case drops an implant, which uses a legit but exploited South Korean website for
Command and Control (C2) and affords the attackers various capabilities like being able to execute
arbitrary commands and upload files. A screenshot of the modified PDFTron reader after opening one
of the malformed PDFs can be seen in Figure 7.

##### For more information visit gcat google com


-----

Figure 7: Modified PDFTron reader used in campaign

This is not the first time this attacker has modified a PDF viewer. A modified version of SumatraPDF was
used last year, which used the hash of the malformed PDF as a key to decrypt and drop an implant and
legitimate PE that were embedded within the viewer itself. Other groups were recently seen using a
similar technique of providing a malicious PDF viewer to view malformed PDFs.

**Strategic Significance**

**PDFs and associated viewers remain an attack tactic used by various groups. Social media**
postings on sites such as LinkedIn continue to be a source of information for technical professionals.
Phishing and spear phishing campaigns continue to use login pages that impersonate legitimate
Google login pages to steal credentials. While many fake pages may appear similar to Google’s own
page, a close inspection of URLs, certificates, fonts, and graphics will identify discrepancies.

**Google Cloud Specific Mitigations**

[As with all phishing and spear phishing threats, Google Cloud customers should engage in best](https://support.google.com/a/answer/9157861?hl=en)
[practices. Additionally, Workspace customers and Gmail users should validate that they are providing](https://support.google.com/a/answer/9157861?hl=en)
credentials to legitimate Google sites, [employ two-factor authentication, and enroll in the Advanced](https://www.google.com/landing/2step/)
[Protection Program, whenever possible.](https://landing.google.com/advancedprotection/)

[While Google Safe Browsing](https://safebrowsing.google.com/) can provide one layer of defense, customers may also use [Google’s Work](https://workspace.google.com/lp/work-safer/)
[Safer, which provides companies with access to best-in-class security for email, meetings, messages,](https://workspace.google.com/lp/work-safer/)
documents, and more. Work Safer brings together Cloud-native, zero-trust solutions of Google
Workspace with [BeyondCorp Enterprise for secure access with integrated threat and data protection.](https://services.google.com/fh/files/misc/bce-protected-profiles-whitepaper.pdf)

##### For more information visit gcat google com


-----

##### Black Matter ransomware rises out of DarkSide

**Threat Description / TTPs**

Based on research from Google Cloud Threat Intelligence for Chronicle, Black Matter, the successor of
DarkSide, is one of many ransomware families currently being used to extort money from victims by
locking their files using encryption. While Black Matter is considered a relatively new player in this
space, evidence suggests it is merely the immediate offspring of DarkSide.

At its core, Black Matter is a configurable, whole-system and network share encryption tool capable of
encrypting files on a victim’s hard drive in a relatively short period of time by distributing the workload
across multiple threads. Like most ransomware, it is less about the core encryption mechanism that
defines the malware and more about the ancillary support code that makes the malware novel.

Black Matter is highly configurable and allows for a very targeted deployment. The configuration
contains the ability to whitelist files, directories, extensions and even entire computers based on their
names. It is possible for an attacker to supply known credentials to the malware in order to allow the
malware to access higher privileges and additional network resources.

**Despite the warning given to victims in the ransom note dropped by the malware, Black Matter**
**did not have the ability to exfiltrate data at the time this research was performed. The malware**
was only capable of reporting statistics of its operations, such as total number of files found, number
of files not encrypted, duration of operation, etc., in addition to the details about the victim’s computer,
_e.g., hostname, language, operating system, drive details, etc. This lack of exfiltration capability could_
very well indicate that the deployment of Black Matter on a victim’s computer occurred after the
attacker(s) had already gained access to the victim’s infrastructure. This claim is further supported by
the fact that the malware can be configured with target specific credentials and ransom notes that
include very specific target server information.

The malware does not provide a significant barrier to analysis as it does not employ sophisticated
anti-analysis techniques such as packers, cryptors, or code flow manipulation. The malware does use
hashing to frustrate analysis as strings are not present - only their hash values are.

On the whole, Black Matter is a formidable ransomware family. As with any other ransomware, the use
of heavy encryption makes recovery of files nearly impossible without paying for the decryption tool.
The use of multiple threads and asynchronous operations allows the malware to quickly compromise
the victim’s local computer and networked resources, if configured. The malware also deletes all files
within the victim’s Recycle Bins on all attached drives before deleting all Shadow Copy files. This is an
effective means of destroying backups of files that are soon to be encrypted. After all encryption
operations have been completed, and the reporting configuration option is enabled, the malware
reports statistics to its Command and Control (C2) server.

**Strategic Significance**

**The presence of Black Matter ransomware on a network is an indication that a network has**
**been compromised through another means. Given that the malware does not have the capability to**
upload files to a C2 server, it is highly likely that the attacker(s) had prior access to the victim’s

##### For more information visit gcat google com


-----

infrastructure prior to deploying the ransomware. Incident response teams should look for additional
indicators of compromise. Google has received reports that the Black Matter ransomware group has
announced it will shut down operations given outside pressure. Until this is confirmed, Black Matter
still poses a risk.

**Google Cloud Specific Mitigations**

[As with all ransomware threats, Google customers should engage in best practices](https://support.google.com/a/answer/9157861?hl=en) with respect to
common attack vectors, e.g., email and phishing campaigns. Detection of Black Matter is largely
unnecessary as the malware will make its existence known to the victim; however, being able to detect
compromised computers that might not be normally touched by users, e.g., will be beneficial. Google
customers may upload the YARA-L2 rules that appear in Table 4 into [Chronicle.](https://chronicle.security/enterprise-security/)

Table 4: YL2 rules to detect Black Mater ransomwaret
```
 rule UC_ttp_BlackMatter__RegKeys {
  meta:
   author = "Google Cloud Threat Intelligence"
   description = "Known registry keys used by Black Matter"
  events:
   // Modifying the privacy settings screen settings
   ($e.principal.registry.registry_key = /software\\policies\\microsoft\\windows\\oobe/ nocase
 and
   $e.principal.registry.registry_value_name = "disableprivacyexperience" nocase) or
   // Storing the screen's resolution in the registry
   ($e.principal.registry.registry_key = /SOFTWARE\\[A-Za-z0-9]{8}/ and
   ($e.principal.registry.registry_value_name = /hScreen/ or
   $e.principal.registry.registry_value_name = /vScreen/ )) or
   // RunOnce key
   ($e.principal.registry.registry_key =
 /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce/ nocase and
   $e.principal.registry.registry_value_name = /[A-Z]{3}[0-9]{3}[a-z]{3}/ )
 condition:
   $e
 }
 rule UC_ttp_BlackMatter__SafeBoot {
  meta:
   author = "Google Cloud Threat Intelligence"
   description = "Detects a machine's configuration being changed to safe boot"
   ext_description = "Known command line for Black Matter's SafeBoot"
  events:
   ($e.principal.process.file.full_path = /bootcfg/ nocase and
   ($e.principal.process.command_line = /\/raw \/a \/safeboot:network \/id 1/ or
   ($e.principal.process.command_line = /\/raw \/fastdetect \/id 1/)) or
   ($e.principal.process.file.full_path = /bcdedit/ nocase and
   ($e.principal.process.command_line = /\/raw \/set \/{current\} safeboot network/ or
   $e.principal.process.command_line = /\/raw \/deletevalue \{current\} safeboot/)))
 condition:
   $e
 }

##### For more information visit gcat google com

```

-----

### Recommendations

Google Cloud continues to operate within a "

Cloud’s recommendations based upon incidents that it helped address:

basis. An audit of published projects can ensure that this mistake does not happen.

**Code downloaded by clients should undergo hashing authentication.**

source code to be pulled into production. By hashing and verifying all downloads, the
[software supply chain can be preserved and an effective](https://www.iso.org/obp/ui/#iso:std:iso:22095:dis:ed-1:v1:en)

ubiquitous access. In addition to
their environment through [Context-Aware Access](https://support.google.com/a/answer/9275380?hl=en)
[Work Safer.](https://workspace.google.com/lp/work-safer/)

Table 5: Observed risks and countermeasures

|Risk|Countermeasures|
|---|---|
|Exploiting vulnerable GCP instances|Follow password best practices and best practices for confgi uring Cloud environments. Update third-party software prior to a Cloud instance being exposed to the web. Avoid publishing credentials in GitHub projects. Use Container Analysis to perofrm vulnerability scanning and metadata storage. Leverage Web Security Scanner in the Security Command Center to identify security vulnerabilities in App Engine, Google Kubernetes Engine, and Compute Engine. Use service accounts with Compute Engine to authenticate apps instead of using user credentials. Implement Policy Intelligence tools to help understand and manage policies. Use predefni ed confgi urations through Assured Workloads to reduce misconfgi urations.|


##### For more information visit gcat google com


-----

|Col1|Set up conditional alerts in the Cloud Console to send alerts upon high resource consumption. Enforce and monitor password requirements for users through the Google Admin console.|
|---|---|
|Spear-phishing|Engage in email best practices. Employ 2-Step Verifci ation. Enroll in the Advanced Protection Program.. Use Google’s Work Safer and BeyondCorp Enterprise. Deploy Context-Aware Access.|
|Downloading software updates|Establish a strong chain of custody by hashing and verifying downloads.|
|Using public code repositories|Audit projects published on GitHub and other sites to ensure credentials and certifci ates were not included.|


For additional information about Google’s Cybersecurity Action Team and best practices, please visit
[gcat.google.com.](https://gcat.google.com)

##### For more information visit gcat google com


-----

##### Threat Horizons
 Google Cloud
#### © November 2021

##### For more information visit gcat google com


-----