
Experts Reveal Google Cloud Platform’s Blind Spot for Data Exfiltration Attacks

Mar 06, 2023 | Ravie Lakshmanan | Cloud Computing / Data Safety


Malicious actors can take advantage of “insufficient” forensic
visibility into Google Cloud Platform (GCP) to exfiltrate sensitive
data, new research has found.

“Unfortunately, GCP does not provide the level of visibility in
its storage logs that is needed to allow any effective forensic
investigation, making organizations blind to potential data
exfiltration attacks,” cloud incident response firm Mitiga said[1]
in a report.

The attack banks on the prerequisite that the adversary is able
to gain control of an identity and access management (IAM) entity
in the targeted organization by methods like social engineering to
access the GCP environment.

The crux of the problem is that GCP’s storage access logs[2]
do not provide adequate transparency with regards to potential file
access and read events, instead grouping them all as a single
“Object Get” activity.

“The same event is used for a wide variety of types of access,
including: Reading a file, downloading a file, copying a file to an
external server, [and] reading the metadata of the file,” Mitiga
researcher Veronica Marinov said.

This lack of distinction could enable an attacker to harvest
sensitive data without being detected, mainly because there is no
way to differentiate between malicious and legitimate user
activity.

Data Exfiltration Attacks

In a hypothetical attack[3], a threat actor can use
Google’s command line interface (gsutil[4]) to transfer valuable
data from the victim organization’s storage buckets to an external
storage bucket within the attacker organization.
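Because the storage logs record every read, download and copy as the same “Object Get” event, a defender cannot key a detection on the method name alone and has to look at volume and origin instead. The script below is an added example, not code from the article or from Mitiga; it builds constructed Data Access audit entries in the shape Cloud Storage writes them (`protoPayload.methodName`, `principalEmail`, `resourceName`, `callerIp`) and flags principals that read an unusual number of distinct objects or read from outside an assumed trusted network range.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Data Access audit entries in the shape GCS writes them.
# Every read, download and copy is the same storage.objects.get, which
# is the blind spot the article describes; principals, buckets, object
# names and IP addresses are made up for this example.
def _entry(principal, obj, ip, ts):
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": f"projects/_/buckets/finance-reports/objects/{obj}",
        "requestMetadata": {"callerIp": ip}}})

SAMPLE_LOGS = [_entry("alice@example.com", "q1.pdf", "10.0.0.5", "2023-03-06T10:00:00Z"),
               _entry("alice@example.com", "q1.pdf", "10.0.0.5", "2023-03-06T10:01:00Z")]
SAMPLE_LOGS += [_entry("svc-backup@example.com", f"q{i}.pdf", "198.51.100.7",
                       f"2023-03-06T10:0{i}:00Z") for i in range(5)]

def flag_bulk_reads(lines, max_objects=3, trusted_nets=("10.0.0.0/8",)):
    """Compensating control: methodName cannot say *why* an object was read,
    so group Object Get events per principal and flag volume or origin anomalies.
    max_objects and trusted_nets are assumed thresholds for this example."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    objects = defaultdict(set)   # principal -> distinct objects read
    ips = defaultdict(set)       # principal -> caller IPs seen
    for line in lines:
        p = json.loads(line)["protoPayload"]
        if p.get("methodName") != "storage.objects.get":
            continue
        who = p["authenticationInfo"]["principalEmail"]
        objects[who].add(p["resourceName"])
        ips[who].add(p["requestMetadata"]["callerIp"])
    findings = {}
    for who in objects:
        reasons = []
        if len(objects[who]) > max_objects:
            reasons.append(f"{len(objects[who])} distinct objects read")
        foreign = [ip for ip in ips[who]
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if foreign:
            reasons.append(f"reads from untrusted IP(s) {sorted(foreign)}")
        if reasons:
            findings[who] = reasons
    return findings

if __name__ == "__main__":
    for who, why in flag_bulk_reads(SAMPLE_LOGS).items():
        print(who, "->", "; ".join(why))
```

Thresholds like these only narrow the gap; they do not recover the read-versus-copy distinction the logs omit, which is why the preventive controls Google recommends below matter more than post-hoc log review.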


Google has since provided mitigation recommendations, which
range from Virtual Private Cloud (VPC[6]) Service Controls to
using organization restriction headers[7] to restrict cloud
resource requests.

The disclosure comes as Sysdig unearthed a sophisticated attack
campaign dubbed SCARLETEEL[8]
that’s targeting containerized environments to perpetrate theft of
proprietary data and software.


References

  1. said (www.mitiga.io)
  2. storage access logs (cloud.google.com)
  3. hypothetical attack (www.mitiga.io)
  4. gsutil (cloud.google.com)
  5. RESERVE YOUR SEAT (thn.news)
  6. VPC (cloud.google.com)
  7. organization restriction headers (cloud.google.com)
  8. SCARLETEEL (thehackernews.com)
  9. Twitter (twitter.com)
  10. LinkedIn (www.linkedin.com)
