Misconfiguration of the Google Cloud Platform API could create exploitable behavior leading to service compromise. Ensuring the integrity of credential storage and enforcing a strict Google Cloud account management policy are critical.
Strange and potentially dangerous behavior within Google Cloud Platform (GCP) was revealed Thursday by cloud security firm Mitiga. If GCP is not configured correctly, it could be exploited by attackers to engage in malicious activity in a user’s cloud environment, according to a blog post on the Israeli company’s website.
The behavior is tied to one of the APIs used by Google Cloud, which allows users to retrieve data from serial ports. Here, however, once a virtual machine has been created in the cloud, data can also be written continuously to those ports. In addition, because of how Google Cloud categorizes this traffic, administrators have little visibility into it. If an attacker exploited this behavior, the constant calls to the ports could give a hint, Mitiga says, but the malicious activity is likely to be missed by developers unfamiliar with the specifics of the attack and of the APIs involved.
Attackers can get command and control abilities
Another quirk of Google Cloud, noticed by Mitiga, is the way it allows users to edit metadata at runtime. Other cloud providers also give users this power, but only when a virtual machine is shut down. Google’s virtual machines allow users to define custom metadata tags with custom values and, by default, read those values from a metadata server. Coupled with the serial port read function, Mitiga said a full feedback loop is created that can give attackers command and control capabilities.
The company also illustrated how malware could use the API to gain full administrative access to a system. By using a command that configures a virtual machine to consume user data when it starts, attackers can write a script that loads at boot and takes control of the system.
5 attack scenarios considered
Mitiga presented five attack scenarios stemming from its findings. In the first, an attacker gains access to Google Cloud credentials carrying the API permissions needed for setMetadata and getSerialPortOutput on one or more VMs. In the second, using traditional network-based lateral movement methods, the attacker installs malware on the system that communicates through the cloud API.
In the third, the attacker sends commands to the victim machine by inserting them into the custom metadata under a predetermined key. In the fourth, the victim system continuously reads that key looking for commands; when it finds one, it executes the command and sends the output to a predetermined serial port. In the fifth and last, the adversary continuously reads the serial port, waiting to receive the output of the command.
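The feedback loop described in the scenarios above leaves a trace that a defender can key on: the same principal writing instance metadata and repeatedly polling the serial port of the same VM. The following is an added example, not code from Mitiga or Google: it scans constructed, simplified Cloud Audit Log entries for that pairing. The method names, the flattened log layout and the sample identities are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Assumed Compute Engine audit-log method names for the two calls discussed.
METADATA_WRITE = "v1.compute.instances.setMetadata"
SERIAL_READ = "v1.compute.instances.getSerialPortOutput"

def parse_entry(line):
    """Pull timestamp, caller, target VM and method from one JSON log line."""
    e = json.loads(line)
    p = e["protoPayload"]
    ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    return ts, p["authenticationInfo"]["principalEmail"], p["resourceName"], p["methodName"]

def find_feedback_loops(lines, window_s=600, min_reads=5):
    """Return (principal, vm, total_reads, writes) for every principal that both
    wrote metadata to a VM and polled its serial port >= min_reads times
    inside any window_s-second window. Reads without a write are ignored."""
    by_key = defaultdict(list)
    for line in lines:
        ts, who, vm, method = parse_entry(line)
        if method in (METADATA_WRITE, SERIAL_READ):
            by_key[(who, vm)].append((ts, method))
    findings = []
    for (who, vm), events in by_key.items():
        events.sort()
        reads = [t for t, m in events if m == SERIAL_READ]
        writes = sum(1 for _, m in events if m == METADATA_WRITE)
        if writes == 0:
            continue
        lo = 0  # sliding window over the sorted serial-port read timestamps
        for hi in range(len(reads)):
            while (reads[hi] - reads[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_reads:
                findings.append((who, vm, len(reads), writes))
                break
    return findings

# Constructed sample log lines: one suspect service account writes metadata
# once and then polls the serial port every minute; an operator reads it once.
def _entry(ts, who, vm, method):
    return json.dumps({"timestamp": ts, "protoPayload": {"methodName": method,
        "authenticationInfo": {"principalEmail": who}, "resourceName": vm}})

VM = "projects/demo-proj/zones/us-central1-a/instances/web-1"
SUSPECT = "suspect-sa@demo-proj.iam.gserviceaccount.com"
SAMPLE_LOGS = [_entry("2023-04-13T10:00:00Z", SUSPECT, VM, METADATA_WRITE)]
SAMPLE_LOGS += [_entry(f"2023-04-13T10:0{i}:00Z", SUSPECT, VM, SERIAL_READ) for i in range(6)]
SAMPLE_LOGS += [_entry("2023-04-13T11:00:00Z", "ops@example.com", VM, SERIAL_READ)]
```

Running `find_feedback_loops(SAMPLE_LOGS)` flags only the service account, while the single operator read is left alone; tune `window_s` and `min_reads` to the polling cadence seen in your own environment.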
A secret way to maintain access to compromised systems
Andrew Johnston, the principal Mitiga consultant who wrote the blog, downplayed the threat the risky API behavior poses to organizations. “As long as you follow all other security guidelines — credentials are stored correctly, accounts only have the permissions they need — there’s no real threat here,” he says. “The problem is that these things are easier said than done. If an attacker gains access to a Google Cloud account with the appropriate permissions, they could use this attack vector to gain access to systems.” “The impact of this situation is that it is a covert way to maintain access to a compromised system,” adds Andrew Johnston. “It’s not something that would set off alarm bells in a standard SOC environment.”
Although Mitiga did not find the API behavior exploited in the wild, the consultant explains that it is important to pass the information on to the Google Cloud community. “High-level attackers are well aware of a number of attack vectors that aren’t available to the general public,” he says. “The best way to disarm such groups is to identify these techniques and publicize them, because when organizations are aware, they can improve their preparedness for breaches.”