Google Cloud Build bug lets hackers launch supply chain attacks

Security News, July 2023

A critical design flaw in the Google Cloud Build service, discovered by cloud security firm Orca Security, can let attackers escalate privileges and gain nearly full, unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, the flaw could enable threat actors to impersonate the service account of Google Cloud Build, the managed continuous integration and delivery service, run API calls against the artifact registry, and take control of application images.
Still, their method to exploit this privilege escalation flaw was more complex, involving the use of the GCP API and exfiltrated Cloud Build Service Account access tokens.
"It's therefore important that organizations pay close attention to the behavior of the default Google Cloud Build service account. Applying the Principle of Least Privilege and implementing cloud detection and response capabilities to identify anomalies are some of the recommendations for reducing risk."
Google Cloud Build customers are advised to modify the default Cloud Build Service Account permissions to match their needs and remove entitlement credentials that go against the Principle of Least Privilege to mitigate the privilege escalation risks.
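One way to review what the default Cloud Build service account is allowed to do, as an added example that is not from Orca, Google or the original article: the script audits the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy, project number and allow-list below are constructed assumptions.

```python
import re

# Default Cloud Build service account: <project-number>@cloudbuild.gserviceaccount.com
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Assumption: the roles this organization has decided its builds really need.
ALLOWED_ROLES = {"roles/cloudbuild.builds.builder", "roles/artifactregistry.reader"}

# Basic roles are never least privilege for a build identity.
BASIC_ROLES = {"roles/owner", "roles/editor"}


def audit_cloud_build_sa(policy, allowed_roles=ALLOWED_ROLES):
    """Return one finding per role bound to the default Cloud Build service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if not CLOUD_BUILD_SA.match(member):
                continue  # only the Cloud Build identity is in scope here
            if role in allowed_roles:
                severity = "ok"
            elif role in BASIC_ROLES or role.startswith("roles/artifactregistry."):
                severity = "high"  # broad access, or write/admin access to images
            else:
                severity = "review"  # not on the allow-list: justify or remove
            findings.append({"member": member, "role": role, "severity": severity,
                             "conditional": "condition" in binding})
    return findings


# Constructed sample in the shape of a project IAM policy (not real data).
SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
SAMPLE_POLICY = {"version": 1, "bindings": [
    {"role": "roles/cloudbuild.builds.builder", "members": [SA]},
    {"role": "roles/editor", "members": [SA, "user:dev@example.com"]},
    {"role": "roles/artifactregistry.admin", "members": [SA]},
    {"role": "roles/storage.admin", "members": [SA]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    for f in audit_cloud_build_sa(SAMPLE_POLICY):
        print(f"{f['severity']:<7}{f['role']}")
```

To audit a real project, load the saved `gcloud` output with `json.load` and pass the resulting dictionary to `audit_cloud_build_sa`.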
In April, Google also addressed a Google Cloud Platform security vulnerability dubbed GhostToken that let attackers backdoor any Google account using malicious OAuth applications.