Google Cloud may have a security shortcoming that allows threat actors to exfiltrate data from its cloud storage platform without being noticed.
The findings come from cybersecurity researchers Mitiga, who found that Google Cloud Platform (GCP) logs, which are typically used to identify attacks and understand what threat actors have achieved, are inadequate and leave a lot to be desired.
In their current state, they do not provide the level of visibility to enable “any effective forensic investigation,” the researchers said, concluding that the organizations using GCP are “blind” to potential data interception attacks.
Blind to attacks
However, Google has not classified the findings as a vulnerability, so no patch has been released – although it has published a list of actions users can take if they fear their current configuration is at risk.
As a result, companies cannot effectively respond to incidents and cannot determine exactly what data has been stolen in an attack.
Typically, an attacker takes control of an Identity and Access Management (IAM) entity, grants it the required permissions, and uses it to copy sensitive data. Since GCP does not provide the necessary transparency regarding permissions granted, companies will have a very difficult time controlling access to data and possible data theft, the researchers conclude.
While Google gives its customers the option to enable storage access logging, the feature is disabled by default. Enabling it helps organizations better detect and respond to attacks, but using the feature may cost extra. Even when enabled, the system is “inadequate” and creates “forensic visibility gaps,” the researchers added, saying it chooses to “group a wide range of potential file access and read activities under one type of event: ‘Get object.’”
This is a problem because the same event is used to read a file, download it, or even just read the file’s metadata.
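As an added illustration (not code from the article or from Mitiga), here is a small triage script run over constructed, simplified records in the shape of Cloud Storage data-access audit logs: it flags a principal that lists a bucket and then reads several objects within a short window, while making explicit that the `storage.objects.get` event alone cannot say whether content was downloaded or only metadata was read. The field names (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `resourceName`) follow the Cloud Audit Log format; the bucket, object and principal values are made up for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real logs), shaped like Cloud Storage
# data-access audit entries; only the fields the detector reads are present.
SAMPLE_LOG = """\
{"timestamp": "2023-03-01T12:03:10Z", "protoPayload": {"methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "svc-backup@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/finance-exports"}}
{"timestamp": "2023-03-01T12:03:11Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-backup@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/finance-exports/objects/q1.csv"}}
{"timestamp": "2023-03-01T12:03:12Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-backup@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/finance-exports/objects/q2.csv"}}
{"timestamp": "2023-03-01T12:03:13Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-backup@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/finance-exports/objects/q3.csv"}}
{"timestamp": "2023-03-01T14:30:00Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/_/buckets/finance-exports/objects/q1.csv"}}
"""

def parse_entries(text):
    """Parse newline-delimited JSON audit records into sorted (time, principal, method, resource) tuples."""
    rows = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        p = e["protoPayload"]
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, p["authenticationInfo"]["principalEmail"], p["methodName"], p["resourceName"]))
    return sorted(rows)

def bucket_of(resource):
    # "projects/_/buckets/<bucket>/objects/<name>" -> "<bucket>"
    return resource.split("/buckets/", 1)[1].split("/", 1)[0]

def find_read_sweeps(rows, window=timedelta(minutes=10), min_objects=3):
    """Flag a principal that lists a bucket and then touches at least min_objects
    distinct objects via storage.objects.get inside `window`. Because that one
    event type covers a content download and a metadata read alike, a finding
    carries the object names for follow-up, not a byte count the log cannot give."""
    findings = []
    lists = [(t, who, bucket_of(r)) for t, who, m, r in rows if m == "storage.objects.list"]
    for t0, who, bucket in lists:
        touched = {r for t, w, m, r in rows
                   if w == who and m == "storage.objects.get"
                   and bucket_of(r) == bucket and t0 <= t <= t0 + window}
        if len(touched) >= min_objects:
            findings.append({"principal": who, "bucket": bucket,
                             "objects": sorted(touched), "first_seen": t0.isoformat()})
    return findings

if __name__ == "__main__":
    for f in find_read_sweeps(parse_entries(SAMPLE_LOG)):
        print(f"{f['principal']} swept {len(f['objects'])} objects in {f['bucket']} from {f['first_seen']}")
```

The single user read of `q1.csv` two hours later is not flagged, because it lacks the listing and the burst; an investigation would still have to resolve each flagged get against other evidence to learn what was actually downloaded.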
In response to Mitiga’s findings, Google said it appreciates Mitiga’s feedback, but does not consider it a vulnerability. Instead, the company recommended countermeasures, including the use of VPC Service Controls, Organization Restrictions headers, and restricted access to storage resources.