Google Cloud launches agentless cryptojacking malware scanner

Google Cloud has announced a new security feature designed to hunt down instances of cryptojacking.

On Monday, the tech giant said the public preview of Virtual Machine Threat Detection (VMTD) is now available in the Security Command Center (SCC). The SCC is a platform for detecting threats against cloud assets by scanning for security vulnerabilities and misconfigurations. 

Timothy Peacock, Product Manager at Google Cloud, said that as organizations continue to migrate to the cloud, workloads are often handled with VM-based architectures. 

Cloud environments are also a prime target for cyberattackers seeking out valuable data, as well as those intending to execute cryptocurrency mining malware. 

Cryptocurrency miners such as XMRig are legitimate programs for mining coins. When in the hands of threat actors, cryptominers can be abused, however, and used without permission on cloud systems. 

In what is known as cryptojacking attacks, miners are deployed on compromised systems to steal the victim’s compute resources. Cryptocurrency including Monero (XMR) is often mined by cybercriminals in this way and coins are sent to wallets controlled by the malware’s operators. 

According to Google’s latest Threat Horizons report (.PDF), out of a sample of compromised instances, 86% were used for cryptocurrency mining and 10% were used to perform scans for other vulnerable instances.

To combat the specter of cryptojacking attacks against VMs operating in Google Cloud, the company’s VMTD solution will provide “agentless memory scanning” inside SCC.

“Traditional endpoint security relies on deploying software agents inside a guest virtual machine to gather signals and telemetry to inform runtime threat detection,” Peacock said. “But as is the case in many other areas of infrastructure security, cloud technology offers the ability to rethink existing models.”

Google’s approach is to instruct the hypervisor to collect signals that may indicate infection. VMTD will start as a means to detect cryptocurrency mining, but as it hits general availability, the system will be integrated with other Google Cloud functions. 

Users can choose to try out VMTD by enabling it in SCC settings. The service is opt-in and customers can choose the scope of the scanner. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0