Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!

Anton Chuvakin
Published in Anton on Security · 4 min read · Apr 13, 2023


This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our sixth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4 and #5).

My favorite quotes from the report follow below:

  • “Our research has shown that the most common vector used to compromise any network, including cloud instances is to take over an account’s credentials directly: either because there is no password, as with some default configurations, or because a credential has been leaked or recycled or is generally so weak as to be guessable.” [A.C. — make all the jokes about it being ‘so 1980s’ but this is the reality today. Jokes won’t help change practices across the organizations!]
Google Threat Horizons #6
  • “because of the security of the GCP platform most compromises in the cloud are simply from lack of passwords, poor password strength, reused and leaked credentials, or straightforwardly misconfigured software” [A.C. — this makes shared fate such a HUGE need, to be sure; and, yes, this means that we have work to do in this area]
  • Specifically, “Weak passwords accounted for nearly half of observed incidents in the fourth quarter of 2022”
  • Also, “the rise in API compromise in Q3 maintained course, being a factor in nearly 1/5th of incidents” [A.C. admittedly this is more interesting than ssh with no password, and a bit harder for legacy security teams to comprehend, it seems]
  • “Threat actors often use ransomware in the cloud to extort companies in a different manner than traditional on-premises environments, threatening to release or delete data rather than simply encrypt it.” [A.C. so, yes, ransomware in the cloud is a thing, and there is a twist; still, I hear that it is dramatically less common compared to on-premise]
  • “Written in Go, the [malicious] tool gets commands from Google Sheets, likely to obfuscate the malicious activity, and exfiltrates data to Google Drive. After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands.” [A.C. See? You can have fun in the cloud! It is not just weak passwords and MySQL with no auth]
  • “Google Kubernetes Engine (GKE) customers sometimes delay security patching their clusters, often from concern that patching might inadvertently interrupt production operations. […] GKE customers are concerned with tradeoffs between Kubernetes cluster availability and security patching.” [A.C. so I file this under ‘this should not happen yet it does; k8s and containers are better for security if done right; our report explains in detail how to do it without falling into this particular ditch]
  • “Leaked, or inadvertently shared, service account credentials continue to be one of the leading factors of abuse on Google Cloud.” [A.C. a useful reminder to, well, not do that!]
  • “One of the most common situations observed when keys are discovered leaked includes a developer downloading a service account key, which is a RSA private/public key pair that grants long-lived access, and checking code into a public code repository with the key hardcoded.” [A.C. this practice seems slowly waning in popularity, but the only right time to do this is ‘never’]
  • “In another instance, an attacker was able to breach two clouds with one service account key. The attacker scanned a public code repository and discovered a hard coded AWS service account key and using that credential they were able to gain access to a customer’s AWS instance which in turn hosted an internal code repository. Next the attacker was able to discover a hard coded Azure credential within the internally hosted code repository and use that key to gain access to the customer’s Azure environment.” [A.C. this is the ‘multi-cloudiest’ thing I’ve heard all week! :-)]
  • The report also has a hugely valuable section on how to patch containers faster and more safely; look for the section “Solutions for balancing availability and security patching within GKE”.
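The two quotes above about hard-coded service account keys and the "two clouds with one key" incident both come down to long-lived credentials sitting in source. As an added example (not from the report or from Google), here is a small pre-commit style scanner that flags the credential shapes the report describes: a downloaded GCP service account key file, a PEM private key pasted into a line, and an AWS access key ID. The sample inputs are constructed; the private key body is a placeholder and the AWS key ID is the example value from AWS's own documentation.

```python
import json
import re

# Credential shapes from the report: a GCP service account key file (JSON with a
# PEM private key inside) and hard-coded AWS access key IDs. The AKIA/ASIA
# prefix and 16-character body are AWS's documented public key-ID format.
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
SA_TYPE_MARKER_RE = re.compile(r'"type"\s*:\s*"service_account"')
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed sample inputs: the private key body is a placeholder and the
# AWS key ID is the example value from AWS's own documentation.
SAMPLE_KEY_FILE = r"""{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "ci-runner@example-project.iam.gserviceaccount.com"
}"""
SAMPLE_SOURCE = """import os
db_host = os.environ.get("DB_HOST", "localhost")
aws_key = "AKIAIOSFODNN7EXAMPLE"  # long-lived key pasted into source
aws_secret = os.environ["AWS_SECRET_ACCESS_KEY"]
"""


def is_service_account_key_file(text):
    """True when the whole text is a downloaded GCP service account key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict)
            and doc.get("type") == "service_account"
            and "private_key" in doc)


def scan_lines(text):
    """Return (line_number, finding) pairs for lines embedding a credential."""
    checks = [("gcp-service-account-json", SA_TYPE_MARKER_RE),
              ("pem-private-key", PEM_PRIVATE_KEY_RE),
              ("aws-access-key-id", AWS_KEY_ID_RE)]
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in checks:
            if pattern.search(line):
                findings.append((number, label))
    return findings
```

Wired into a pre-commit hook that fails on any finding, this stops the "key checked into a public repo" path at the developer's machine; the longer-term fix the report points at is to not download keys at all and use short-lived, identity-based credentials instead.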

Now, go and read the report!
