Google Cloud Platform allows data exfiltration without a (forensic) trace
Attackers can exfiltrate company data stored in Google Cloud Platform storage buckets without leaving obvious forensic traces of the malicious activity in GCP's storage access logs, Mitiga researchers have discovered.
"In normal usage, files inside storage objects are read multiple times a day as part of day-to-day activity of the organization," Mitiga cloud incident responder Veronica Marinov noted.
She also detailed an example of a possible attack, which hinges on the threat actor gaining control over an employee's GCP user account belonging to the targeted organization, then granting that account permission to copy data to the threat actor's GCP organization by entering a simple command into Google's command line.
Those steps include defining a service perimeter around resources of Google-managed services to control communication to and between those services and using organization restriction headers to restrict cloud resource requests made from their environments.
"In case neither VPC Service Controls nor Organization restriction headers are enabled we suggest searching for the following anomalies: anomalies in the times of the Get/List events, anomalies in the IAM entity performing the Get/List events, anomalies in the IP address the Get/List requests originate from, and anomalies in the volume of Get/List events within brief time periods originating from a single entity."
It's unclear why Google chooses not to differentiate between the different types of access in the logs when AWS does.
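The four anomaly searches quoted above (time, IAM entity, source IP, volume of Get/List events) can be run over exported Cloud Storage Data Access audit log entries. The sketch below is an added example, not code from Mitiga or Google; the baseline, the working-hours window, the burst threshold and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_METHODS = {"storage.objects.get", "storage.objects.list"}

def find_anomalies(entries, baseline, hours=(7, 19), burst=5,
                   window=timedelta(minutes=1)):
    """Return sorted (principal, reason) pairs for Get/List events.

    baseline maps each expected principal to the caller IPs seen for it;
    hours (UTC), burst and window are assumed thresholds to tune per tenant.
    """
    findings, per_principal = set(), defaultdict(list)
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] not in READ_METHODS:
            continue  # only read/list events matter here
        who = p["authenticationInfo"]["principalEmail"]
        ip = p["requestMetadata"]["callerIp"]
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        per_principal[who].append(ts)
        if who not in baseline:
            findings.add((who, "unexpected principal"))
        elif ip not in baseline[who]:
            findings.add((who, "new source IP"))
        if not hours[0] <= ts.hour < hours[1]:
            findings.add((who, "outside usual hours"))
    for who, stamps in per_principal.items():
        stamps.sort()
        # Sliding window: `burst` reads by one entity inside `window`.
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                findings.add((who, "read burst"))
                break
    return sorted(findings)

def _entry(ts, who, ip, method="storage.objects.get"):
    # Constructed sample shaped like a Data Access audit log entry.
    return {"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": who},
        "requestMetadata": {"callerIp": ip}}}

BASELINE = {"etl@corp.example": {"10.0.0.5"},
            "alice@corp.example": {"10.0.0.9"}}
SAMPLE = (
    [_entry("2023-03-01T09:15:00Z", "etl@corp.example", "10.0.0.5",
            "storage.objects.list")]
    + [_entry(f"2023-03-01T02:00:{s:02d}Z", "alice@corp.example",
              "203.0.113.7") for s in range(0, 50, 10)]
    + [_entry("2023-03-01T10:00:00Z", "alice@corp.example", "10.0.0.9")]
)

if __name__ == "__main__":
    for who, reason in find_anomalies(SAMPLE, BASELINE):
        print(who, reason)
```

Because the access logs do not distinguish a copy to an external bucket from an ordinary read, these heuristics only surface candidates for review; they do not confirm exfiltration.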
News URL
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/