
Malicious attackers can leverage “poor” forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, new research reveals.
“Unfortunately, GCP does not provide the necessary level of visibility into storage logs to enable effective forensic investigations, leaving organizations unaware of potential data exfiltration attacks,” Mitiga, a cloud incident response firm, said in a report.
This attack is based on the assumption that the attacker has control over the target organization’s identity and access management (IAM) entities through methods such as social engineering and has access to the GCP environment.
The crux of the problem is that GCP’s storage access logs do not provide adequate transparency regarding potential file access and read events, instead grouping them all together as a single “object get” activity.
“The same event is used for different types of access, such as reading files, downloading files, copying files to external servers, [and] reading the file’s metadata,” said Mitiga researcher Veronica Marinov.
Because the logs do not separate these actions, defenders have no way to tell malicious from legitimate user activity, which allows attackers to collect sensitive data without being detected.

In a hypothetical attack, an attacker could use Google’s command line interface (gsutil) to transfer valuable data from the victim organization’s storage bucket to an external storage bucket within the attacker’s organization.
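Because every read, download, or gsutil copy of an object lands in the audit log as the same storage.objects.get entry, the practical defender-side signal is volume per identity rather than the kind of access. The following detector is an added illustration, not code from Mitiga or Google; it runs over constructed sample Data Access audit log records (which GCS only emits if Data Access logging is enabled for the project) and flags any principal that reads an unusual number of distinct objects within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

def entry(ts, principal, obj):
    """One Data Access audit record in the shape GCP emits (constructed sample)."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": f"projects/_/buckets/finance-reports/objects/{obj}",
        },
    }

# Constructed sample: an analyst opens one file, then a compromised identity
# walks every object in the bucket within thirty seconds (what a `gsutil cp -r`
# to an external bucket would look like in the log).
SAMPLE_LOG = [entry("2023-03-01T10:00:00Z", "analyst@example.com", "q1.xlsx")] + [
    entry(f"2023-03-01T10:05:{i:02d}Z", "svc-backup@example.iam.gserviceaccount.com", f"report-{i}.csv")
    for i in range(30)
]

def bulk_get_detector(records, window=timedelta(minutes=5), threshold=20):
    """Return {principal: peak distinct objects} for identities whose
    storage.objects.get calls touch more than `threshold` distinct objects
    inside any sliding `window`. The log cannot say whether a get was a
    metadata read, a download, or a copy out of the org, so this only
    surfaces bulk access; it cannot prove exfiltration on its own."""
    by_principal = defaultdict(list)
    for rec in records:
        p = rec["protoPayload"]
        if p.get("serviceName") != "storage.googleapis.com" or p.get("methodName") != "storage.objects.get":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[p["authenticationInfo"]["principalEmail"]].append((ts, p["resourceName"]))
    alerts = {}
    for principal, events in by_principal.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) > threshold:
                alerts[principal] = max(alerts.get(principal, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    print(json.dumps(bulk_get_detector(SAMPLE_LOG), indent=2))
```

The threshold and window are assumptions to tune per bucket; a legitimate batch job will trip the same rule, which is exactly the ambiguity the research describes.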
Google has since provided mitigation recommendations ranging from Virtual Private Cloud (VPC) Service Controls to restricting cloud resource requests using organization limit headers.
The disclosure comes as Sysdig discovered a sophisticated attack campaign called SCARLETEEL that targets containerized environments to carry out data and software theft.