I am not mining cryptocurrency - Google Project has been suspended due to mining cryptocurrency


Sushanth Bobby

Jul 17, 2018, 11:57:53 AM
to gce-discussion
Hi,

This afternoon I received an email stating that my project has been suspended due to mining cryptocurrency. Below are the things I have in the project:
1. appEngine to trigger cloud functions which sort of says time and hello world (as I am learning how google cloud platform performs).
2. Multiple cloud functions, as I am learning how to write cloud functions. One background function I wrote yesterday would scrape a website and populate the data in firebase.
3. Cron job for appEngine in 1.
That's it. Seriously, I don't know how to buy bitcoins or any other coins. I am a mainframe Db2 DBA learning GCP, lured into this cloud platform by firebase (curiosity of how real time database works).

Please don't delete the project. 

Below is the message I got in the mail.

We’ve recently detected activity on your Google Cloud Platform / APIs project that violates our Terms of Service or Acceptable Use Policy.

Specifically, your project btd-in (id: btd-in-16062018) VM square-pond-9204:europe-north1-b, curly-cloud-4055:australia-southeast1-c, polished-violet-5080:us-west2-c, plain-brook-1468:southamerica-east1-a, calm-disk-9876:europe-west1-b, billowing-cake-8163:asia-east1-a, muddy-hat-5113:us-east4-a, aged-dew-9479:europe-west2-a, autumn-wind-6027:asia-south1-b, withered-pond-3670:northamerica-northeast1-a was suspended for violating our Free Terms of Service by mining cryptocurrency between 2018-07-16 22:20 and 2018-07-16 22:41 (Pacific Time).


Thanks,

Sushanth

Theodore Y. Ts'o

Jul 17, 2018, 5:12:11 PM
to Sushanth Bobby, gce-discussion
On Tue, Jul 17, 2018 at 08:56:29AM -0700, Sushanth Bobby wrote:
> That's it. Seriously, I don't know how to buy bitcoins or any other coins. I
> am a mainframe Db2 DBA learning GCP, lured into this cloud platform by
> firebase (curiosity of how real time database works).
>
> Please don't delete the project.
>
> Below is the message I got in the mail.
>
> ...
>
> Specifically, your project btd-in (id: btd-in-16062018) VM
> square-pond-9204:europe-north1-b, curly-cloud-4055:australia-southeast1-c,
> polished-violet-5080:us-west2-c, plain-brook-1468:southamerica-east1-a,
> calm-disk-9876:europe-west1-b, billowing-cake-8163:asia-east1-a,
> muddy-hat-5113:us-east4-a, aged-dew-9479:europe-west2-a,
> autumn-wind-6027:asia-south1-b,
> withered-pond-3670:northamerica-northeast1-a was suspended for violating
> our Free Terms of Service by mining cryptocurrency between 2018-07-16
> 22:20 and 2018-07-16 22:41 (Pacific Time).

This message seems to indicate that you had Virtual Machines (VM's)
running in several different GCE Regions (in Europe, Australia, Asia,
US, etc.)

If you don't think you started all of these VM's, you might want to
consider whether or not your account has been compromised. Something
which is apparently quite common is that bad actors will either
find ways to exploit security holes in the OS's of the VM's, and then
"take them over" and use them for mining cryptocurrency. Or, if they
can break into your Google account, they can just simply start VM's
using your billing account and mine cryptocurrencies on your credit
card. So suspending your account might have saved you a lot of money. :-)

You might want to consider doing a password change on your account,
and if you use the same password on any other web sites or services,
to change your password on all of those systems as well --- just in
case.

Cheers,

- Ted

Fady (Google Cloud Platform)

Jul 17, 2018, 8:41:16 PM
to gce-discussion

In addition to Ted’s suggestions, you may check this article about connecting securely to your virtual machines.

As for reactivating the project, and per this document, when a project is suspended “The owner of a suspended project will receive a notification email from google-clou...@google.com with resources to appeal.” Thus, you need to check the instructions in the email to appeal by replying to it.

As a side note, mining cryptocurrency, per the service agreement, is not allowed while in free trial and should not be the case for paid accounts.


Sushanth Bobby

Jul 18, 2018, 8:54:09 AM
to gce-discussion
Thank you Ted & Fady.

I suspect this is what could have happened. On Monday, just to synchronize my work on the laptop to github, I did a git push. The Firebase service account key also got uploaded to github.

Miners could have got hold of this and used it. Can you confirm if a firebase service account key can be used to create a compute engine VM? I think the free trial amount also got reduced a bit; not sure how much exactly got reduced as I couldn't see the billing transactions.

I will be careful with the service account key going forward.

To my surprise, I was not able to access any services in GCP but was able to access firebase. Since I am in the testing phase only, I could regenerate the data in firebase. But I really want to get the code of the functions which I had written. Below is the sequence of things that has happened.
1. On Monday, I had written cloud functions to test, and once the test was successful I committed the changes to github (by mistake I uploaded the service account key as well).
2. After a few minutes, I had improved my cloud functions code and tested it multiple times by deploying. (My big mistake: I did not commit or push this change to github; the new code is available in cloud functions in the suspended project.)
3. Git Guardian sent a mail saying there is an API key. So I proceeded to delete that key from the browser from a different machine.
4. When I came home and tried to push the change to github, there was a conflict. So I had to pull the change from github, which erased all my code on the laptop. So currently the new code is only available in the google cloud functions source tab.

Currently, this is what I have done:
1. reset my google account password
2. generated a new firebase service account key (not sure if this makes the old service account key unusable, can you please confirm on this)
3. Raised a bug ticket 111573336, as I was able to access project which was suspended in GCP but able to access the same in firebase. (Status: New, type: bug p4 S2)

Can you please unsuspend the BTD project, specifically the functions (I just want to copy the code from the source tab).

Please let me know how to proceed. 

 
 

Ani Hatzis

Jul 19, 2018, 9:07:30 AM
to bobby....@gmail.com, gce-dis...@googlegroups.com
Hi,

I suggest reading these two very helpful articles: Choosing a secret management solution (Cloud KMS) and Storing secrets. The first one explains different options you have to store secrets in an App Engine application securely. Basically, you either store the secret (like a service account) outside of the repository, or you encrypt it (with Cloud KMS or another solution) before adding it to a repository.

--
Ani Hatzis
Consultant and developer for Google Cloud solutions

Theodore Y. Ts'o

Jul 19, 2018, 11:58:51 AM
to Sushanth Bobby, gce-discussion
On Tue, Jul 17, 2018 at 09:33:02PM -0700, Sushanth Bobby wrote:
>
> I suspect this is what could have happened. On Monday, just to synchronize
> my work on the laptop to github, I did a git push. The Firebase service account
> key also got uploaded to github.
>
> Miners could have got hold of this and used it. Can you confirm if a
> firebase service account key can be used to create a compute engine VM? I
> think the free trial amount also got reduced a bit; not sure how much exactly
> got reduced as I couldn't see the billing transactions.
>
> I will be careful with the service account key going forward.

I've never used firebase before, but the service account key in GCP
can be very fine-grained, so you can make a key only be for specific
operations (such as creating a VM, uploading and deleting objects into
Google Cloud Storage, etc.) --- or you can make a key that can be used for
any GCP operation. Using fine-grained authorizations is a best
security practice, but it's more work to get the fine-grained
authorizations exactly right. So some users might use a "wild-carded"
service key. That's arguably a bad idea whether or not you upload it
to github.

That being said, if you don't *know* that this was the path where you
might have been compromised, in general my personal preference is when
I'm not sure whether or not I might have been exposed from a security
exposure, I will do a full security refresh --- up to and including,
reinstalling my laptop software, creating new ssh keys and updating
all of my ssh authorized_keys to use the ssh keys, possibly creating
new gpg keys (the private key for my gpg key is stored off-line, and I
use hardware tokens to protect my ssh and gpg keys), and I would then
do a full password change cycle. I also use a U2F token so there is
two-factor authentication to get access to my Google account.

I'm super paranoid, because if people can gain access to my security
credentials, they could potentially upload malicious backdoors to key
Linux software. But in general, it's better to be safe rather than
sorry.

> 2. After a few minutes, I had improved my cloud functions code and tested it
> multiple times by deploying. (My big mistake: I did not commit or push this
> change to github; the new code is available in cloud functions in the suspended
> project.)
> 3. Git Guardian sent a mail saying there is an API key. So I proceeded to
> delete that key from the browser from a different machine.
> 4. When I came home and tried to push the change to github, there was a
> conflict. So I had to pull the change from github, which erased all my code
> on the laptop. So currently the new code is only available in the google cloud
> functions source tab.

So did you commit the change anywhere, on any of your git client? If
so, you might be able to recover by using "git reflog". See the
man-page for git-reflog, but the key thing to remember is that git is a
distributed source code management system. So the copy of the git
repo on your desktop, the laptop, and github all have a complete copy
of the history of your software. If you made a commit, even if you
end up repositioning the git branch heads, it's possible to find old
commits if they exist on the particular copy of the repository.

In general I will tend to create explicit commits before I test
changes, and I will use "git commit --amend" while I am working on a
particular feature. Using this model, I can get access to older
versions by using "git reflog".

Other people like to only do commits when they are "perfect" (as
opposed to constantly amending commits and only pushing changes to
publicly visible repo's such as github when I am satisfied the
commit is "done"). If you do this, and you need to pull a change, and
the change is only in your working files, you can use "git stash" to
temporarily save file changes, do a pull, and then do a "git stash
pop" or "git stash apply" to attempt to apply the file changes on top
of the pulled changes.

So a lot of this is about how to use git, and it sounds like you may not
have been aware of all of the ways git can be used to manage changes
in your repo.

> Can you please unsuspend the BTD project, specifically the functions (I
> just want to copy the code from the source tab).

To be clear, I don't speak for Google, and I don't have the power to
make the changes you are requesting. Your best bet is to go through
official GCP support channels.

Cheers,

- Ted
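
Added example (not part of any post in this thread): a check for the question of whether a leaked key could create VMs, listing service accounts whose project-level role bindings include VM creation. The policy below is constructed, the role list is a non-exhaustive assumption, and bindings inherited from a folder or organization do not appear in a project policy.

```python
import json

# Predefined roles that include compute.instances.create. The list is not
# exhaustive: custom roles and other predefined roles are not covered here.
VM_CREATE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/compute.admin",
    "roles/compute.instanceAdmin.v1",
}

# Constructed policy in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:scraper-fn@example-project.iam.gserviceaccount.com",
                 "user:owner@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reports@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ],
  "version": 1
}
""")


def accounts_that_can_create_vms(policy):
    """Map each service account to its roles that include VM creation."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in VM_CREATE_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount":  # ignore user: and group: members
                findings.setdefault(email, set()).add(role)
    return {email: sorted(roles) for email, roles in sorted(findings.items())}


if __name__ == "__main__":
    for email, roles in accounts_that_can_create_vms(SAMPLE_POLICY).items():
        print(f"{email}: {', '.join(roles)}")
```

Any account this reports is one whose key, if leaked, could start VMs in the project; narrowing its role to what the function needs removes it from the list.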

Sushanth Bobby

Jul 19, 2018, 12:50:19 PM
to gce-discussion
Thank you Ani, I will have a look at KMS.

Sushanth Bobby

Jul 19, 2018, 1:30:38 PM
to gce-discussion
Thank you Ted for your detailed reply. I will have a look at how to reduce the scope of the service account to a specific Google product; that is a good idea. I didn't know I can do that, thanks for letting me know.

As soon as the issue occurred, I changed my google account password, and today google unsuspended the project. I have disabled billing for the project, and after copying the code from google functions, I have shut down the project. Looking at the billing, it sort of looks like people really did mine (so many compute engines in so many regions).

I hope a Service Account key is only for a specific project, not the overall GCP like one key for all the projects.

At the moment I am minimally using github as I have just started to use it. I do regular commits whenever I think I have progressed a little bit. I'll check the man-pages on the commands you have mentioned. Thanks again.

shuve...@medvarsity.com

May 6, 2019, 2:05:14 PM
to gce-discussion
Hi Support, 

I also got the same alert from google cloud server, whereas my servers are on compute engine. The error is like this: "Suspicious Activity observed on your Google Cloud Platform/API project OpenEd (id: opened-161713)".
==============================================
This activity was detected as originating from VM kitestage-vm:asia-south1-c between 2019-05-05 08:56 and 2019-05-05 09:03 (Pacific Time), though it may still be ongoing.

We recommend that you review this activity to determine if it is intended. Cryptocurrency mining is often an indication of the use of fraudulent accounts and payment instruments, and we require verification in order to mine cryptocurrency on our platform.

===========================================

Could you please help us in resolving this issue asap.

Thanks

Ashik M

May 14, 2019, 4:15:39 PM
to gce-discussion
Hi

This Google group is a place where we can discuss general product issues and ideas with the platform and not the best channel to reach Google Cloud Platform support for specific project level issues.

Even though the errors may be similar, the root causes may be different. Our community member Ted and Fady from the Google Cloud Platform team have provided resources and context you should review above. The posts date from 7/17/18.

For privacy and policy reasons, we cannot investigate the OS-level issues in your VM related to this suspicious Activity alert.

If you'd like to contact support, please follow the guide here [1]

nurul akter

Dec 16, 2019, 9:07:28 AM
to gce-discussion
Then google should stop calling it crypto mining. This kind of false warning can cost one's reputation in company.

Vedika Parvez

Aug 28, 2020, 12:08:47 PM
to gce-discussion

Hey!

GCP suspended my instance on the pretext of mining cryptocurrency on the 3rd of August 2020. In fact, my instance has not been reinstated yet, and I am writing to seek help on the matter. 

Details of my instance are:

Machine Type: n1-standard-8 (8 vCPUs, 30 GB memory) 

Zone: us-west1-b

Last used on: 3rd August 2020

The three questions I have:

  1. How do I get my instance reinstated along with its project files? I have submitted an appeal for the same, however, have not received a response.
  2. What was the issue with my instance? 
  3. What measures should I take to avoid this situation in the future?

I came across this article on Stack Overflow https://stackoverflow.com/questions/61713699/google-banned-the-project-believing-that-it-has-cryptocurrency-mining detailing a similar issue but it had no responses.

I recognize that this Google group is a place where general product issues and ideas with the platform are discussed, and may not be the best channel to reach Google Cloud Platform support for specific project-level issues, but my issue is very similar to the one discussed above and I’m hoping to receive a follow up on my message too.

For further context, this was the email I received from GCP:

We've detected that your Google Cloud Project (project name & id) IP (address not disclosed) is violating the Supplemental Terms and Conditions For Google Cloud Startup Program by engaging cryptocurrency mining, resulting in the suspension of all project resources displaying this behavior.

Abuse Details:

  • Origin: (project name & id) / (IP address not disclosed)
  • Time frame: 2020-08-03 01:35 to 2020-08-03 01:42 (Pacific Time)

Requesting you to help me out with this.

Frederic Gervais

Aug 28, 2020, 1:46:58 PM
to gce-discussion
Hello vedika,

Please refer to Anthony’s comment [1] regarding the next steps you can take to solve your current issue. This includes setting up a billing account as mentioned in his comment.

Regards,

Frederic
Google Cloud Platform Support, Montreal
