Security News, March 2023: Google Cloud Platform allows data exfiltration without a (forensic) trace
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP's storage access logs, Mitiga researchers have discovered.
"In normal usage, files inside storage objects are read multiple times a day as part of day-to-day activity of the organization," Mitiga cloud incident responder Veronica Marinov noted.
She also detailed an example attack: the threat actor first gains control over a GCP user account belonging to an employee of the targeted organization, then grants that account permission to copy data and moves it to a bucket in the threat actor's own GCP organization with a single command from Google's command-line tooling.
The mitigation steps Mitiga points to include defining a VPC Service Controls service perimeter around the resources of Google-managed services, to control communication to and between those services, and using organization restriction headers to restrict which Google Cloud resources requests made from the organization's own environments may reach.
"In case neither VPC Service Controls nor Organization restriction headers are enabled we suggest searching for the following anomalies: anomalies in the times of the Get/List events, anomalies in the IAM entity performing the Get/List events, anomalies in the IP address the Get/List requests originate from, and anomalies in the volume of Get/List events within brief time periods originating from a single entity."
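The four anomaly checks above, run over a constructed set of Cloud Storage data-access audit entries, as an added example that is not part of Mitiga's research or the article. The entry shape follows Cloud Audit Logs (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp), but every principal, IP, bucket and timestamp is made up. It builds a per-principal baseline of caller IPs and hours of day, then flags a new IP, off-hours activity and a burst of Get/List events inside a short window. Because GCP logs a metadata read, a download and a copy-out under the same storage.objects.get event, these behavioural checks are all the log gives you to work with.

```python
"""Baseline-and-deviation checks over GCS Get/List audit entries (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GCS_READ_METHODS = {"storage.objects.get", "storage.objects.list"}
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def make_entry(ts, principal, ip, method, resource):
    """Build one data-access audit entry (constructed; only the field layout is real)."""
    return json.dumps({
        "timestamp": ts.strftime(TS_FMT),
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": resource,
        },
    })


def constructed_log():
    """Constructed NDJSON: a week of office-hours reads, then a 03:12 burst from a new IP."""
    lines = []
    base = datetime(2023, 2, 20, tzinfo=timezone.utc)
    for day in range(7):
        for hour in (9, 11, 14, 16):
            lines.append(make_entry(base + timedelta(days=day, hours=hour),
                                    "alice@example.com", "203.0.113.10",
                                    "storage.objects.get",
                                    "projects/_/buckets/finance-reports/objects/q4.xlsx"))
    burst = datetime(2023, 2, 28, 3, 12, tzinfo=timezone.utc)
    lines.append(make_entry(burst, "alice@example.com", "198.51.100.7",
                            "storage.objects.list", "projects/_/buckets/finance-reports"))
    for i in range(40):  # a bulk copy-out looks like many gets in quick succession
        lines.append(make_entry(burst + timedelta(seconds=2 * i),
                                "alice@example.com", "198.51.100.7",
                                "storage.objects.get",
                                f"projects/_/buckets/finance-reports/objects/file{i}.csv"))
    return "\n".join(lines)


def parse_entries(ndjson):
    """Keep only GCS Get/List entries; return them sorted by time."""
    entries = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        p = json.loads(line)["protoPayload"]
        if p.get("serviceName") != "storage.googleapis.com" or p["methodName"] not in GCS_READ_METHODS:
            continue
        ts = datetime.strptime(json.loads(line)["timestamp"], TS_FMT).replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "principal": p["authenticationInfo"]["principalEmail"],
                        "ip": p["requestMetadata"]["callerIp"], "method": p["methodName"]})
    return sorted(entries, key=lambda e: e["ts"])


def detect_anomalies(entries, baseline_end, window=timedelta(minutes=5), burst_threshold=20):
    """Learn per-principal IPs and hours before baseline_end, then flag deviations after it."""
    known_ips, known_hours = defaultdict(set), defaultdict(set)
    for e in entries:
        if e["ts"] < baseline_end:
            known_ips[e["principal"]].add(e["ip"])
            known_hours[e["principal"]].add(e["ts"].hour)
    findings, seen = [], set()
    recent = defaultdict(deque)  # principal -> timestamps inside the sliding window

    def flag(key, detail):
        if key not in seen:  # one finding per (principal, type, value)
            seen.add(key)
            findings.append({"type": key[1], "principal": key[0], "detail": detail})

    for e in entries:
        if e["ts"] < baseline_end:
            continue
        who = e["principal"]
        if e["ip"] not in known_ips[who]:
            flag((who, "new_ip", e["ip"]), e["ip"])
        if e["ts"].hour not in known_hours[who]:
            flag((who, "off_hours", e["ts"].hour), f"{e['ts'].hour:02d}:00 UTC")
        q = recent[who]
        q.append(e["ts"])
        while q[0] < e["ts"] - window:
            q.popleft()
        if len(q) >= burst_threshold:
            flag((who, "burst"), f"{len(q)} Get/List events within {window}")
    return findings


if __name__ == "__main__":
    cutoff = datetime(2023, 2, 28, tzinfo=timezone.utc)
    for f in detect_anomalies(parse_entries(constructed_log()), cutoff):
        print(f)
```

The baseline cut-off, window and burst threshold are assumptions chosen for the constructed data; in practice the baseline would be built from weeks of the organization's own data-access logs, and the same checks apply to service-account principals, which are the usual owner of the compromised credentials in these scenarios.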
GCP records a read of an object's metadata, a download of its contents and a copy to an external bucket under the same storage.objects.get event, so it's unclear why Google chooses not to differentiate between these types of access in its logs when AWS does.
News URL
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/