Researchers discover ‘dangerous functionality’ in Google Cloud control plane


Today, security researchers at cloud incident response provider Mitiga announced in a blog post that they had discovered a “dangerous functionality” in Google Cloud’s control plane.

The functionality enables an attacker to exploit the GCP platform to send data to and from a virtual machine, which an attacker could use to achieve command-and-control of a system or to stealthily exfiltrate data. 

In a typical attack scenario, an attacker could gain access to GCP credentials with the necessary API permissions on one or more virtual machines, use lateral movement to install malware on the system via the GCP API, and send commands to the target machine by inserting them into the instance metadata, which the victim system will then execute.

How much risk does the Google Cloud control plane functionality pose to enterprises?

The official post warns that this functionality is common enough to warrant concern among enterprises, as attackers could use this as an entry point to intrude into an enterprise network and steal protected information. 

“The danger stems from the fact that someone with the right cloud credentials could still be accessing a machine. Traditionally, credentials for a system didn’t mean much unless you had some way to access the system. If a system was firewalled off from an adversary, there wasn’t much the adversary could do, regardless of whether they had credentials,” said Principal Consultant at Mitiga, Andrew Johnson.

“Cloud computing changes this dynamic: if you have appropriate cloud credentials, you could have access to the machine from anywhere, regardless of whether the system had firewalls or traditional network segmentation controls in place. Moreover, the cloud control plane is more feature-rich than many would expect, so access to these machines might not occur in the manner cybersecurity teams might be expecting,” Johnson said.

However, while the weakness is common enough to warrant addressing, Johnson highlights that the risk of an attacker exploiting this vulnerability is minimal so long as enterprises guard cloud credentials effectively by following the principle of least privilege. 

The principle of least privilege

Organizations can protect against this GCP attack surface by ensuring that each credential is provisioned with the least privilege necessary to do its job, minimizing the likelihood of an adversary gaining access to sensitive information.

The post also recommends that organizations only allow remote access via approved remote administration methods such as SSH or RDP, while threat hunting for repeated uses of the getSerialPortOutput and setCustomMetadata commands that indicate an intrusion attempt.
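As an added example (not code from the Mitiga post or this article), the hunt the post recommends can be run over Cloud Audit Log entries: flag any caller that repeatedly alternates metadata writes and serial-port reads against one VM in a short window, which is the polling loop such a channel needs. The methodName strings below are the Compute Engine audit-log names for the two calls (the article's setCustomMetadata corresponds to the instances.setMetadata API); all identities, resource names and timestamps are constructed. Note that setMetadata appears in Admin Activity logs by default, but getSerialPortOutput is a read and is only recorded when Data Access audit logs are enabled for Compute Engine.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Cloud Audit Log methodName values for the two calls the article says to hunt for.
SET = "v1.compute.instances.setMetadata"
GET = "v1.compute.instances.getSerialPortOutput"
WATCHED = {SET, GET}

def parse_entry(line):
    """Return (timestamp, caller, method, target VM) from one JSON audit-log entry."""
    e = json.loads(line)
    pp = e["protoPayload"]
    ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    return ts, pp["authenticationInfo"]["principalEmail"], pp["methodName"], pp["resourceName"]

def hunt(lines, threshold=4, window=timedelta(minutes=10)):
    """Map (caller, VM) -> largest burst of watched calls inside `window`, if it reached `threshold`."""
    calls = defaultdict(list)
    for line in lines:
        ts, who, method, vm = parse_entry(line)
        if method in WATCHED:
            calls[(who, vm)].append(ts)
    hits = {}
    for key, times in calls.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

def _entry(ts, who, method, vm):
    """Constructed audit-log line carrying only the fields hunt() reads."""
    return json.dumps({"timestamp": ts, "protoPayload": {"methodName": method,
        "resourceName": vm, "authenticationInfo": {"principalEmail": who}}})

SA = "ci-deploy@example-project.iam.gserviceaccount.com"  # constructed identities
VM = "projects/example-project/zones/us-central1-a/instances/web-1"
SAMPLE_LOGS = [
    _entry("2022-06-14T10:00:00Z", "admin@example.com", SET, VM),  # one-off edit, benign
    _entry("2022-06-14T10:05:00Z", SA, SET, VM),  # alternating set/get every 30 s:
    _entry("2022-06-14T10:05:30Z", SA, GET, VM),  # the poll loop of a metadata channel
    _entry("2022-06-14T10:06:00Z", SA, SET, VM),
    _entry("2022-06-14T10:06:30Z", SA, GET, VM),
    _entry("2022-06-14T10:30:00Z", SA, "v1.compute.instances.start", VM),  # not watched
]
```

In practice the lines would come from a Logging sink export filtered on those two methodName values; the threshold and window should be tuned against the tenant's normal automation, since legitimate tooling also writes metadata.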

Taking these simple steps can drastically reduce the amount of information exposed to attackers and decrease the risk of a data breach. 
