Google is expanding its cloud platform with new protection against cryptomining. With it, the cloud provider aims to curb one of the most common forms of abuse.
Google is launching Virtual Machine Threat Detection (VMTD) for its cloud platform. VMTD is available as a preview within Security Command Center Premium. With the new security layer, Google is responding to how often compromised customer instances end up being used for cryptomining. When an attacker gains access to a GCP instance, it is abused for cryptomining in 86 percent of cases. In 58 percent of cases, it takes no more than 22 seconds before cryptomining malware is installed.
Security from the hypervisor
With VMTD, Google provides a targeted approach. The solution currently detects cryptomining attacks, but is meant to reveal other forms of malware in the future. The protection does not use an agent on the customer’s system, so the impact on performance remains low. Instead, it is integrated into the hypervisor. This sets the new service apart from traditional endpoint security, which does run on the instances themselves.
Google emphasizes that VMTD uses no CPU power of the customer’s VM and requires no access to the virtual machine. As a bonus, malware on the VM itself therefore cannot disable or tamper with the detection. VM Threat Detection works in conjunction with Event Threat Detection and Container Threat Detection. Scans take place automatically. Detection is based on metadata from the memory of the underlying virtual machines.
Three techniques
VMTD can currently detect cryptomalware using three techniques. With hash matching, the system compares memory hashes of running programs with those of known cryptocurrency mining software. The solution thus does not see what you as a customer are doing, but alarm bells ring when a workload matches known cryptomalware. Through YARA rules, VM Threat Detection looks for memory patterns that are characteristic of cryptomalware, for example proof-of-work workloads. Finally, VMTD combines the results of the above techniques over the course of an hour to arrive at a single determination.
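The three techniques above, modelled as detection logic over constructed memory snapshots (an added example, not Google's or VMTD's code; the hash set, the rule patterns and the snapshots are all assumptions made for illustration):

```python
"""Toy model of VMTD's three techniques: hash matching of memory regions,
YARA-style pattern rules, and combining hits over a one-hour window into a
single finding per VM. Added illustration only (not Google's code); every
hash, pattern and memory snapshot here is constructed."""
import hashlib
import re

# Constructed set of SHA-256 hashes standing in for known mining software.
KNOWN_MINER_HASHES = {hashlib.sha256(b"constructed-miner-code-region").hexdigest()}

# YARA-like rules as regexes over raw memory; the byte patterns are
# illustrative stand-ins, not real proof-of-work signatures.
PATTERN_RULES = {
    "pow_hashloop": re.compile(rb"randomx_init|cryptonight"),
    "stratum_pool": re.compile(rb"stratum\+tcp://"),
}

WINDOW_SECONDS = 3600  # evidence is combined over one hour, as the article says


def hash_match(region: bytes) -> bool:
    """True if the memory region hashes to a known cryptominer."""
    return hashlib.sha256(region).hexdigest() in KNOWN_MINER_HASHES


def pattern_matches(region: bytes) -> list:
    """Names of the pattern rules that fire on this region."""
    return [name for name, rx in PATTERN_RULES.items() if rx.search(region)]


def combine(observations):
    """observations: iterable of (vm_id, epoch_seconds, memory_region).
    Returns {vm_id: [finding, ...]}; hits within one hour of a finding's
    start are folded into that finding instead of raising a new alert."""
    findings = {}
    for vm, ts, region in sorted(observations, key=lambda o: o[1]):
        rules, hmatch = pattern_matches(region), hash_match(region)
        if not rules and not hmatch:
            continue  # clean snapshot, nothing to record
        current = findings.setdefault(vm, [])
        if not current or ts - current[-1]["window_start"] >= WINDOW_SECONDS:
            current.append({"window_start": ts, "hash_match": False, "rules": set()})
        finding = current[-1]
        finding["hash_match"] |= hmatch
        finding["rules"].update(rules)
        # Two independent techniques agreeing is stronger than one alone.
        finding["severity"] = "high" if finding["hash_match"] and finding["rules"] else "medium"
    return findings
```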
During the preview period, the new protection works primarily on Linux, with only limited support for cryptominers running on Windows instances. If you use Confidential VM, your VM’s memory is additionally encrypted, and VMTD cannot inspect it from the hypervisor level.