Researchers discover ‘potentially dangerous functionality’ in Google Cloud control pane

Today, security researchers at cloud incident response provider Mitiga announced in a blog post they had discovered a “potentially dangerous functionality” in Google Cloud Platform (GCP)’s control pane. 

The functionality enables an attacker to potentially exploit GCP to send data to and from a virtual machine, which an attacker could use to achieve command-and-control of a system or to stealthily exfiltrate data. 

In a typical attack scenario, an attacker could gain access to the GCP credentials with the necessary API permissions on one or more virtual machines, use lateral movement to install malware to the system via the GCP API and send commands to the target machine by inserting them into the metadata — which the victim system would then execute.

The risks of the Google Cloud control pane functionality

The official post warns that this functionality is common enough to warrant concern among enterprises, as attackers could use this as an entry point to intrude into an enterprise network and steal protected information. 

“The danger stems from the fact that someone with the right cloud credentials could still be accessing a machine. Traditionally, credentials for a system didn’t mean much unless you had some way to access the system. If a system was firewalled off from an adversary, there wasn’t much the adversary could do, regardless of whether they had credentials,” said Andrew Johnston, principal consultant at Mitiga.

“Cloud computing changes this dynamic: if you have appropriate cloud credentials, you could have access to the machine from anywhere, regardless of whether the system had firewalls or traditional network segmentation controls in place. Moreover, the cloud control pane is more feature-rich than many would expect, so access to these machines might not occur in the manner cybersecurity teams might be expecting,” Johnston said.

However, while the weakness is common enough to warrant addressing, Johnston highlights that the risk of an attacker exploiting this vulnerability is minimal so long as enterprises guard cloud credentials effectively by following the principle of the least privilege. 

The law of the least privilege 

Organizations can protect against this GCP attack surface by ensuring that each credential is provisioned to have the least privilege necessary to do their job, to minimize the likelihood of an adversary gaining access to sensitive information. 

The post also recommends that organizations only allow remote access via approved remote administration methods such as SSH or RDP, while threat hunting for repeated uses of commands like ‘getSerialPortOutput’ and ‘setCustomMetadata’ that indicate an intrusion attempt. 

Taking these simple steps can drastically reduce the amount of information exposed to attackers and decrease the risk of a data breach.