A flaw in Google Cloud Platform’s basic storage logs allows attackers to exfiltrate enterprise data from GCP storage bins without leaving any forensic traces of malicious activity, according to cybersecurity firm Mitiga.
Researchers at cybersecurity firm Mitiga recently discovered a flaw in the Google Cloud Platform’s (GCP) basic storage logs that allows attackers to exfiltrate enterprise data from GCP storage bins without leaving forensic traces of malicious activity. According to the researchers, the issue arises because GCP’s basic storage logs, which are not enabled by default, use the same description/event (objects.get) for different types of access such as reading a file, downloading a file, copying a file to an external server or bucket, and reading the file/object metadata.
In normal usage, files (or objects) inside storage objects are read multiple times a day as part of an organization’s daily activity, and this can lead to thousands or millions of read events. The inability to identify specific attack patterns, such as downloading or copying data to an external bucket, makes it challenging for organizations to determine if and what information has been stolen.
Veronica Marinov, Head of Cloud Incident Response at Mitiga, highlighted a possible attack scenario, which involves the threat actor gaining control over an employee’s GCP user account belonging to the targeted organization and then granting that account permission to copy data to the attacker’s GCP organization by entering a simple command into Google’s command line.
Mitiga and Google’s security team do not consider the problem a vulnerability, but rather a “security deficiency.”
Marinov suggested a list of steps that organizations can take to mitigate and detect this attack. These steps include defining, through VPC Service Controls, a service perimeter around the resources of Google-managed services to control communication between those services and using organization restriction headers to restrict cloud resource requests made from their environments.
In the absence of VPC Service Controls and Organization restriction headers, Marinov suggested looking for anomalies such as the times of the Get/List events, the IAM entity performing the Get/List events, the IP address the Get/List requests originate from, and the volume of Get/List events within brief time periods originating from a single entity.
Google recommends that its customers use VPC Service Controls and set up organizational restrictions on Google Cloud Storage buckets to protect against exfiltration. By properly configuring cloud audit logs, customers can be confident that their data is secure. Google stated that while log forensics has not been a concern raised by customers, they are constantly evaluating ways to enhance customers’ perception of their storage.
It is unclear why Google does not differentiate between different types of access in the logs when AWS does. However, Google Cloud Spokesperson confirmed that the recently reported issue of insufficient audit logging within Google Cloud Storage poses no exfiltration risk and is not a vulnerability.
