Google Cloud adds new cryptomining threat detection capability

Google has launched today a new security feature for Google Cloud tenants that is meant to detect and block cryptomining operations that may be taking place behind the owners' backs.

Named Virtual Machine Threat Detection (VMTD), Google said this new feature is an agentless system that continually scans the memory of virtual machines deployed in Google Cloud environments for tell-tale signs of increased CPU or GPU usage—specific to cryptomining operations.

To avoid false-positive detections, the feature has been left disabled by default; however, any customer can enable it for their GCP VMs. They can do this by going to the Settings page of their Security Command Center and looking under the Manage Settings section.

Google said the feature will only work with non-sensitive memory, and VMTD will not process memory from nodes marked as "Confidential."

VMTD has begun rolling out today for public preview, so tenants are recommended to enable it for smaller portions of their nodes and keep a close eye on its impact on performance.

"Over the next months as we move VMTD towards general availability, you can expect to see a steady release of new detective capabilities and integrations with other parts of Google Cloud," said Timothy Peacock, Product Manager for Google Cloud.

Once the feature reaches general availability and is deemed stable, VMTD will most likely become a must-use security feature.

In a report published last year, the Google Cloud team said that after analyzing 50 recently compromised GCP instances, 86% were infected with cryptomining payloads that hijack tenants' resources such as the CPU or RAM to mine cryptocurrency for the attacker.

In many cases, these attackers enter customer accounts through one misconfigured system and then expand to entire internal networks, so administrators will most likely have to enable VMTD even for systems that are not directly available via the internet, just to be sure.