Virtual Machine Threat Detection at first will target cryptominers running on virtual servers. Detecting ransomware, Trojans, and other malware is coming.

As more enterprise computing workloads move to the cloud, so do the attackers. Virtual servers have been targeted by cryptomining and ransomware groups over the past few years, and they typically don’t benefit from the same levels of protection as endpoints. Google has set out to change that with hypervisor-based threat detection for its cloud computing platform.

When it comes to cloud computing, efficiency and flexibility are very important. Servers are sized for the workloads they are expected to run, so any additional security scanning and monitoring that requires a software agent running inside the virtual machines adds overhead and consumes CPU cycles and memory.

That’s the problem Google is trying to solve with its new Virtual Machine Threat Detection (VMTD) feature, offered as part of the Security Command Center (SCC) for Compute Engine. “For Compute Engine, we wanted to see if we could collect signals to aid in threat detection without requiring our customers to run additional software,” Timothy Peacock, product manager with Google Cloud, said in a blog post. “Not running an agent inside of their instance means less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries.”

How does VMTD work?

VMTD runs at the hypervisor level and has direct access to the memory of the virtual machines that hypervisor runs. This gives the technology another benefit: it cannot be tampered with by malware running inside the VM, even if the malicious program has administrative privileges.
Many malware programs have built-in routines that try to disable known security scanners running on the same system to evade detection.

VMTD works as a managed service that runs periodic scans of Compute Engine projects and of the live memory of VM instances, using Google’s threat detection rules. During the technology preview stage, detection is aimed primarily at cryptomining programs, which are one of the most common malware threats deployed by attackers on compromised servers. According to the latest threat report from Google’s Cybersecurity Action Team, cryptocurrency mining programs were observed on 86% of all compromised cloud instances.

VMTD analyzes the software running inside VMs using a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters and information about executed machine code, and looks for matches to known cryptomining signatures. In the future, as it approaches general availability, the service will gain detection capabilities for other types of threats, such as ransomware and data-exfiltration Trojans, and will be integrated with other parts of Google Cloud.

For now, VMTD is available as an opt-in service for Security Command Center Premium subscribers. Customers can define a scope for the scans, but the technology does not process the memory of Confidential Computing nodes, which encrypt guest memory to protect sensitive workloads and therefore leave the hypervisor nothing readable to scan.

“VMTD complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Peacock said.
“Together, these three layers of advanced defense provide holistic protection for workloads running in Google Cloud.”

Event Threat Detection is a service that monitors Google Cloud and Google Workspace logs for signs of malicious activity, and Container Threat Detection detects runtime attacks inside containers rather than virtual machines, looking at the contents of executed shell scripts, indicators of reverse shells, new binaries and newly loaded libraries.
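The article lists the signals VMTD draws on (application names, per-process CPU usage, hashes of memory pages, executed machine code) but does not show how such signals turn into a detection. The script below is an added example, not Google’s VMTD code, and runs two of those checks over a constructed guest memory image and a constructed process table: page hashes compared against a set of known-bad hashes, a scan for indicator strings that pool-connected miners leave in memory, and a process-name plus CPU-usage heuristic. The 4 KiB page size, the indicator strings, the “known-bad” hash set and the miner process names are all assumptions chosen for illustration, not VMTD’s actual rules.

```python
"""Agentless-style cryptominer detection over a guest memory image.

Added example, not Google's VMTD code. It mimics signal types the article
lists: hashes of memory pages compared with known-bad hashes, indicator
strings in memory, and a per-process CPU-usage heuristic. The memory image,
the known-bad hash set and the process table are constructed inline so the
script runs offline.
"""
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumed page size for the illustration

# Byte strings that commonly appear in the memory of pool-connected miners.
# Constructed indicator list for this example, not a vendor signature set.
MINER_STRINGS = [b"stratum+tcp://", b"mining.subscribe", b"cryptonight"]

# Process names used for the name check. Illustrative list, not VMTD's.
KNOWN_MINER_NAMES = ("xmrig", "minerd")


def page_hashes(image: bytes) -> list[str]:
    """Split a raw memory image into fixed-size pages and SHA-256 each page."""
    return [
        hashlib.sha256(image[off:off + PAGE_SIZE]).hexdigest()
        for off in range(0, len(image), PAGE_SIZE)
    ]


def scan_image(image: bytes, bad_hashes: set[str]) -> dict:
    """Return page indexes matching a known-bad hash, and pages holding miner strings.

    Real signature sets target pages that contain code or configuration;
    all-zero pages hash identically and are never useful as signatures.
    """
    findings = {"hash_match": [], "string_match": []}
    for idx, off in enumerate(range(0, len(image), PAGE_SIZE)):
        page = image[off:off + PAGE_SIZE]
        if hashlib.sha256(page).hexdigest() in bad_hashes:
            findings["hash_match"].append(idx)
        hits = [s.decode() for s in MINER_STRINGS if s in page]
        if hits:
            findings["string_match"].append((idx, hits))
    return findings


@dataclass
class Proc:
    pid: int
    name: str
    cpu_percent: float


def suspicious_processes(procs: list[Proc], cpu_threshold: float = 80.0) -> list[int]:
    """Flag PIDs by known miner name or by sustained CPU use above the threshold.

    The CPU check alone is noisy (any busy worker trips it), which is why
    hypervisor-side detection combines it with memory and code signatures.
    """
    return [
        p.pid for p in procs
        if p.name.lower() in KNOWN_MINER_NAMES or p.cpu_percent >= cpu_threshold
    ]


def build_sample_image() -> bytes:
    """Constructed 4-page image: pages 0, 1, 3 are zero-filled, page 2 carries a miner command line."""
    pages = [b"\x00" * PAGE_SIZE for _ in range(4)]
    payload = b"-o stratum+tcp://pool.example:3333 -u wallet --algo cryptonight"
    pages[2] = payload + b"\x00" * (PAGE_SIZE - len(payload))
    return b"".join(pages)


def build_sample_procs() -> list[Proc]:
    """Constructed process table: one named miner, one busy but benign worker."""
    return [
        Proc(1, "systemd", 0.3),
        Proc(42, "kthreadd", 0.0),
        Proc(1337, "xmrig", 97.2),
        Proc(2000, "python3", 91.0),
    ]


if __name__ == "__main__":
    img = build_sample_image()
    # Pretend page 2 is already in the known-bad set; hashes of the other pages are not.
    known_bad = {page_hashes(img)[2]}
    print(scan_image(img, known_bad))
    print(suspicious_processes(build_sample_procs()))
```

Running the script flags page 2 both by hash and by the two indicator strings it contains, while the zero-filled pages produce nothing. The process check flags the named miner and also the busy `python3` worker, which is the false positive a CPU-only heuristic produces and the reason the page-hash and machine-code signals matter.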