Google Cloud may have some concerning security flaws that could allow threat actors to exfiltrate data from the cloud storage platform without being spotted.
The findings come courtesy of cybersecurity researchers Mitiga, which found Google Cloud Platform (GCP)’s logs, which are usually used to identify attacks and understand what threat actors have been able to achieve, are subpar, leaving much to be desired.
At their current state, they don’t provide the level of visibility to allow for “any effective forensic investigation”, the researchers said, concluding that the organizations using GCP are “blind” to potential data exfiltration attacks.
Blind to attacks
However Google has not classified the findings as a vulnerability, so no patch has been released – although it has published a list of mitigations users can deploy if they fear their current configuration brings risks.
Consequently, businesses can’t effectively respond to incidents, and have no way to precisely determine what data was stolen in an attack.
Usually, an attacker will gain control over an Identity and Access Management (IAM) entity, grant it the required permissions, and use it to copy sensitive data. As GCP doesn’t provide the necessary transparency regarding permissions granted, businesses will have a really hard time monitoring data access and potential data theft, the researchers concluded.
While Google does offer its customers the ability to turn on storage access logs, the feature is turned off by default. By turning it on, organizations could be better at detecting and responding to attacks, but the feature might cost extra to be used. Even if it’s turned on, the system is “insufficient” and creates “forensic visibility gaps”, the researchers added, saying that the system chooses to group “a wide range of potential file access and read activities under a single type of event — ‘Object Get.’”
This is a problem because the same event is used for reading a file, downloading it, or even just reading the file’s metadata.
Responding to Mitiga’s findings, Google said it appreciates Mitiga’s feedback but doesn’t consider it a vulnerability. Instead, the company provided mitigation recommendations, which include the use of VPC Service Controls, organization restriction headers, as well as restricted access to storage resources.
- Keep your devices secure with the best malware protection out there
