Experts Reveal Google Cloud Platform’s Blind Spot for Data Exfiltration Attacks
Malicious actors can take advantage of “insufficient” forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, a new research has found.
“Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks,” cloud incident response firm Mitiga said in a report.
The attack banks on the prerequisite that the adversary is able to gain control of an identity and access management (IAM) entity in the targeted organization by methods like social engineering to access the GCP environment.
The crux of the problem is that GCP’s storage access logs do not provide adequate transparency with regards to potential file access and read events, instead grouping them all as a single “Object Get” activity.
“The same event is used for a wide variety of types of access, including: Reading a file, downloading a file, copying a file to an external server, [and] reading the metadata of the file,” Mitiga researcher Veronica Marinov said.
This lack of distinction could enable an attacker to harvest sensitive data without being detected, mainly because there is no way to differentiate between malicious and legitimate user activity.
In a hypothetical attack, a threat actor can use Google’s command line interface (gsutil) to transfer valuable data from the victim organization’s storage buckets to an external storage bucket within the attacker organization.
Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!
RESERVE YOUR SEATGoogle has since provided mitigation recommendations, which range from Virtual Private Cloud (VPC) Service Controls to using organization restriction headers to limit cloud resource requests.
The disclosure comes as Sysdig unearthed a sophisticated attack campaign dubbed SCARLETEEL that’s targeting containerized environments to perpetrate theft of proprietary data and software.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon using the button below
To keep up to date follow us on the below channels.