Cybersecurity researchers at Mitiga have discovered a security gap in the Google Cloud Platform (GCP) that enables threat actors to exfiltrate company data stored in GCP storage buckets without an organization's knowledge or consent. The security gap is linked to GCP's storage logs.
- The Mitiga researchers highlighted that GCP's storage logs fail to provide a level of visibility that enables "any effective forensic investigation," thus leaving organizations using the platform unaware of potential data exfiltration attempts.
- GCP's storage logs do not differentiate between types of access (for example, reading an object in place versus copying it out of the bucket) and label all such attempts with the same description/event (objects.get).
- According to the researchers, Google does offer a setting that allows customers to activate specific storage access logs, but these are turned off by default and might cost extra.
- Google responded to Mitiga's findings and did not consider this a vulnerability. Nonetheless, both companies have provided a list of steps organizations can take to reduce risk and detect attacks. Google says companies can leverage VPC Service Controls, organization restriction headers, and restricted access settings to mitigate unwanted access.
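Because every read surfaces as the same objects.get event, a defender who has turned on GCS Data Access logging is left with volume, principal and caller-IP patterns as the signal. The script below is an added illustration, not code from Mitiga or Google: it parses a constructed batch of Cloud Audit Log entries for storage.googleapis.com (the field names protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp and resourceName are the real audit-log fields; the project, principals, addresses and buckets are made up) and flags principals that pulled many objects from one bucket. The threshold and the per-principal/per-IP grouping are the assumptions a team would tune for its own environment.

```python
import json
import re
from collections import Counter

# Resource names in GCS Data Access audit entries look like
#   projects/_/buckets/<bucket>             (bucket-level calls such as objects.list)
#   projects/_/buckets/<bucket>/objects/<o> (object-level calls such as objects.get)
_RESOURCE_RE = re.compile(
    r"^projects/_/buckets/(?P<bucket>[^/]+)(?:/objects/(?P<obj>.+))?$"
)


def _entry(principal, ip, bucket, obj=None, method="storage.objects.get"):
    """Build one constructed audit log entry (JSON text) for storage.googleapis.com."""
    resource = f"projects/_/buckets/{bucket}"
    if obj is not None:
        resource += f"/objects/{obj}"
    return json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2023-03-01T10:00:00Z",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": resource,
        },
    })


# Constructed sample: every principal, address, bucket and object name is made up.
SAMPLE_LOG_LINES = [
    _entry("alice@example.com", "203.0.113.10", "prod-reports", "q1.pdf"),
    _entry("alice@example.com", "203.0.113.10", "prod-reports", "q2.pdf"),
    _entry("alice@example.com", "203.0.113.10", "prod-reports", method="storage.objects.list"),
    *[
        _entry("build-sa@example-project.iam.gserviceaccount.com", "198.51.100.7",
               "prod-reports", f"export-{i}.csv")
        for i in range(5)
    ],
    _entry("bob@example.com", "203.0.113.11", "scratch", "notes.txt"),
]


def parse_audit_lines(lines):
    """Turn JSON audit entries into flat records; entries for other services are skipped."""
    records = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "storage.googleapis.com":
            continue
        m = _RESOURCE_RE.match(payload.get("resourceName", ""))
        records.append({
            "timestamp": entry.get("timestamp"),
            "method": payload.get("methodName"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "ip": payload.get("requestMetadata", {}).get("callerIp"),
            "bucket": m.group("bucket") if m else None,
            "object": m.group("obj") if m else None,
        })
    return records


def count_object_reads(records):
    """Count storage.objects.get calls per (principal, callerIp, bucket).

    The method name alone cannot say whether an object was viewed or copied out,
    which is exactly the gap described above, so the count is the signal."""
    counts = Counter()
    for r in records:
        if r["method"] == "storage.objects.get" and r["bucket"]:
            counts[(r["principal"], r["ip"], r["bucket"])] += 1
    return counts


def flag_bulk_readers(counts, threshold):
    """Return (key, count) pairs at or above threshold, highest count first."""
    hits = [(k, c) for k, c in counts.items() if c >= threshold]
    return sorted(hits, key=lambda kc: (-kc[1], kc[0]))


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG_LINES)
    for (principal, ip, bucket), n in flag_bulk_readers(count_object_reads(recs), threshold=3):
        print(f"{principal} from {ip} read {n} objects from gs://{bucket}")
```

None of these records exist unless Data Access (DATA_READ) audit logging is enabled for Cloud Storage, which is the setting the researchers note is off by default; with it on, a service account that suddenly reads every object in a bucket from an unfamiliar address stands out even though each individual line is just another objects.get.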