Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Anton Chuvakin
Published in Anton on Security
Oct 12, 2022


This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blog for #2, my unofficial blog for #3).

My favorite quotes from the report follow below:

  • “in Q2 threat actors frequently targeted weak and default-password issues for initial compromise, factoring in over half of identified Incidents.” [A.C. — that is not ‘Q2 of 1998’, that is 2022! Especially the ‘no credentials’ part, which to me smells like the 1980s, not even the 1990s]
[Figure: Cloud Compromise Factors from TH #4 — Google Cloud]
  • “Once inside, threat actors frequently engaged in cryptomining, accounting for nearly two-thirds of incidents (65%).” and “cryptominer attacks are often partially or fully automated, dramatically reducing their time to exploit an available vulnerability.”
  • “The high level of SSH activity suggests that organizations are using either no credentials or default credentials when spinning up cloud instances.” [A.C. — somebody from the IR firm whose name starts with ‘M’ told me the other week that ‘in the cloud, they still have the mid-2000s in regards to some security practices’ and this is a great, if sad, example of that!]
  • “The controls fail to identify the malware assets’ nefarious nature as they check the assets’ context and external characteristics, instead of exploring their content in more depth.” and “10% of well-known, popular websites are seen to be distributing malware. Malware “legitimacy” is inherited from credible hosts.” [A.C. — this to me is a fun reminder that naïve badness ‘blocklists’ fail]
  • There is a lot of signed malware because “attackers often fraudulently accessed signing workflows or signing authorities to sign their code — increasing the likelihood of its downstream acceptance” [A.C. — the news here is not that they do, but that nasty “o” word — “often”]
  • “Kimsuky, a nation-state threat actor, has been observed by researchers at Volexity accessing user Gmail account data through a hidden Chrome browser extension known as SHARPEXT. The group […] was able to install a malicious browser extension via phishing, leveraging pre-authenticated browser activity to read and exfiltrate data from other services such as Gmail content” and “installation of a developer-mode browser extension which, through a DevTools workaround, has its security warnings suppressed and targets a user’s cloud-accessed data” [A.C. — this is reasonably notable, and fairly scary too!]
  • … and a useful reminder here that “increased productivity provided by seamless SSO also provides broader access for attackers to otherwise confidential data.” [A.C. — ‘login once — get everywhere’ [if done wrong] helps both the good and bad actors, unless zero trust is also done well]
  • “they brute-forced the instance’s password and enrolled their own device in the NGO’s multi-factor authentication (MFA) process” [A.C. — another reminder that MFA is not useful if anybody can enroll a malicious device into it]
  • “Threat groups have been observed leveraging compromised service account credentials to run expensive cryptomining workloads in customer environments, but greater concern would arise should they choose to keep these actions covert and leverage the access for other nefarious activities. ” [A.C. — to me, this reminds us that relying on attackers being very noisy for detection is not a great strategy]
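The NGO case above (a password brute-force followed by the attacker enrolling their own MFA device) and the last point about not relying on noisy attackers both suggest the same defensive check: the enrollment itself is quiet, so correlate it with the failed-login burst that preceded it. The following is an added example, not code from the report or from Google Cloud; the event schema and the sample events are constructed for illustration.

```python
"""Flag MFA device enrollments that follow a burst of failed logins for the
same user from the same source IP. Added example; schema and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, source_ip, user, event_type).
# Not taken from the report; the schema is hypothetical.
SAMPLE_EVENTS = [
    ("2022-06-01T10:00:01", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:02", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:03", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:04", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:05", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:06", "203.0.113.7", "ops", "login_failed"),
    ("2022-06-01T10:00:07", "203.0.113.7", "ops", "login_success"),
    ("2022-06-01T10:02:00", "203.0.113.7", "ops", "mfa_device_enrolled"),
    # Benign: a user enrolling a new phone with no prior failures from that IP.
    ("2022-06-01T11:15:00", "198.51.100.4", "alice", "login_success"),
    ("2022-06-01T11:16:00", "198.51.100.4", "alice", "mfa_device_enrolled"),
]


def find_suspicious_enrollments(events, fail_threshold=5, window=timedelta(minutes=30)):
    """Return (src_ip, user, enroll_ts, failures_in_window) for each MFA enrollment
    preceded, within `window`, by at least `fail_threshold` failed logins for the
    same (src_ip, user) pair. A lone enrollment event carries no signal; the
    preceding brute-force noise is what makes it worth an analyst's time."""
    failures = defaultdict(list)  # (src_ip, user) -> [datetime of each failure]
    hits = []
    for ts, src_ip, user, event in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (src_ip, user)
        if event == "login_failed":
            failures[key].append(t)
        elif event == "mfa_device_enrolled":
            recent = [f for f in failures[key] if t - window <= f <= t]
            if len(recent) >= fail_threshold:
                hits.append((src_ip, user, ts, len(recent)))
    return hits


if __name__ == "__main__":
    for src_ip, user, ts, n in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f"ALERT: {user} enrolled MFA device from {src_ip} at {ts} "
              f"after {n} failed logins")
```

In a real deployment the same correlation belongs in the SIEM, keyed on whatever the identity provider logs for enrollment, with the threshold tuned to the environment's normal failure rate.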

Now, go and read the report!