Stealing a Compute Disk by sharing it

PLATFORM

SERVICE: gce

DATA BREACHES: unknown

LAST UPDATED

EXPLOITABILITY: low
Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some might refer to this as likelihood.

IMPACT: high
How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.

About

An attacker who wants to access data from a Compute Disk can share it outside of your Google Cloud organization.

Understanding Impact

Business Impact

Virtual disks typically contain business-sensitive data. Detecting when they are shared with unauthorized actors is important for identifying potential data leaks early.

Technical Impact

After an attacker shares a Compute Disk with their own Google Cloud project, they can snapshot the disk in their environment to access the data, using:

gcloud compute snapshots create stolen-snapshot \
  --source-disk https://www.googleapis.com/compute/v1/projects/<victim-project>/zones/<zone>/disks/<victim-disk>

Detection

You can identify when a Compute Disk is shared using the GCP Admin Activity audit log event v1.compute.disks.setIamPolicy.
After it is shared, you can identify when an attacker takes a cross-project snapshot by looking for v1.compute.snapshots.insert, called by a principal outside your organization against a disk in your project.

Sample events are reproduced below, shortened for clarity.

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "user-sharing-the-disk@domain.tld",
      "principalSubject": "user:user-sharing-the-disk@domain.tld"
    },
    "requestMetadata": {
      "callerIp": "34.33.32.31",
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
    },
    "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
    "request": {
      "policy": {
        "version": "3",
        "bindings": [
          {
            "role": "roles/owner",
            "members": [
              "user:attacker@gmail.com"
            ]
          }
        ]
      },
      "@type": "type.googleapis.com/compute.disks.setIamPolicy"
    }
  }
}

Note that the attacker's IP address is not logged in the following snapshot event.

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "attacker@gmail.com",
      "principalSubject": "user:attacker@gmail.com"
    },
    "requestMetadata": {
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/..."
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.snapshots.insert",
    "resourceName": "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk",
    "request": {
      "@type": "type.googleapis.com/compute.snapshots.insert"
    },
    "metadata": {
      "@type": "type.googleapis.com/google.cloud.audit.CrossEntityControlAuditMetadata"
    }
  }
}
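The following detector is an added example, not code from the original page or from Stratus Red Team. It walks Admin Activity audit log entries shaped like the two samples above and raises a finding when a disk IAM policy grants a role to an identity outside the organization, and when a snapshot of a disk in your project is created by an external principal or carries the CrossEntityControlAuditMetadata marker. ORG_DOMAINS and the embedded sample events are constructed assumptions (the first sample adds the methodName field that the shortened event above omits).

```python
"""Flag Compute Disk sharing and cross-project snapshots in GCP Admin Activity logs.

Added example; the organisation domain list and sample events below are constructed.
"""
from typing import Iterable

# Assumption: identities under these domains belong to the organisation.
ORG_DOMAINS = {"domain.tld"}

SHARE_METHOD = "v1.compute.disks.setIamPolicy"
SNAPSHOT_METHOD = "v1.compute.snapshots.insert"
CROSS_ENTITY = "type.googleapis.com/google.cloud.audit.CrossEntityControlAuditMetadata"


def is_external(member: str) -> bool:
    """True when an IAM member string (e.g. 'user:alice@domain.tld') is outside ORG_DOMAINS."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, identity = member.partition(":")
    if kind == "domain":
        return identity not in ORG_DOMAINS
    domain = identity.rpartition("@")[2]
    return domain not in ORG_DOMAINS


def analyze(event: dict) -> list[dict]:
    """Return zero or more findings for one audit log entry."""
    payload = event.get("protoPayload", {})
    method = payload.get("methodName", "")
    resource = payload.get("resourceName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    findings = []
    if method == SHARE_METHOD and "/disks/" in resource:
        # The request carries the full new policy; look for any external grantee.
        bindings = payload.get("request", {}).get("policy", {}).get("bindings", [])
        for binding in bindings:
            for member in binding.get("members", []):
                if is_external(member):
                    findings.append({"type": "disk_shared_externally", "disk": resource,
                                     "by": principal, "role": binding.get("role"),
                                     "member": member})
    elif method == SNAPSHOT_METHOD and "/disks/" in resource:
        # A snapshot of our disk taken by an outside identity, or marked cross-entity
        # by Cloud Audit Logs, is the exfiltration step.
        cross = payload.get("metadata", {}).get("@type") == CROSS_ENTITY
        if cross or is_external(f"user:{principal}"):
            findings.append({"type": "cross_project_snapshot", "disk": resource,
                             "by": principal, "cross_entity": cross})
    return findings


def scan(events: Iterable[dict]) -> list[dict]:
    return [f for e in events for f in analyze(e)]


# Constructed sample events modelled on the two entries shown above, plus one benign
# in-organisation share that must not alert.
DISK = "projects/victim-project/zones/us-central1-a/disks/stratus-red-team-victim-disk"
SAMPLE_EVENTS = [
    {"protoPayload": {
        "methodName": SHARE_METHOD, "resourceName": DISK,
        "authenticationInfo": {"principalEmail": "user-sharing-the-disk@domain.tld"},
        "request": {"policy": {"bindings": [
            {"role": "roles/owner", "members": ["user:attacker@gmail.com"]}]}}}},
    {"protoPayload": {
        "methodName": SNAPSHOT_METHOD, "resourceName": DISK,
        "authenticationInfo": {"principalEmail": "attacker@gmail.com"},
        "metadata": {"@type": CROSS_ENTITY}}},
    {"protoPayload": {
        "methodName": SHARE_METHOD, "resourceName": DISK,
        "authenticationInfo": {"principalEmail": "admin@domain.tld"},
        "request": {"policy": {"bindings": [
            {"role": "roles/compute.storageAdmin", "members": ["user:ops@domain.tld"]}]}}}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Feed it the JSON entries exported from a Cloud Logging sink; the two sample events produce one finding each, and the internal share produces none. Extending ORG_DOMAINS with your Cloud Identity domains is the only site-specific change needed.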

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate gcp.exfiltration.share-compute-disk

See also the related documentation.

References

Stratus Red Team - Exfiltrate Compute Disk by sharing it (stratus-red-team.cloud)

Sharing snapshots and disks across organizations (GCP documentation)
