Skip to content
Threat Feed
high advisory

GCP Account Compromise via Single-Factor Authentication

Detection of successful single-factor authentication against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled, potentially leading to account compromise and unauthorized access to GCP resources.

This analytic detects successful single-factor authentication attempts against Google Cloud Platform (GCP) accounts where multi-factor authentication (MFA) is not enabled. This detection is based on Google Workspace login event data and identifies instances where MFA is not utilized during account login. The lack of MFA can stem from misconfigurations, policy violations, or successful credential compromise. The successful exploitation of this gap by an attacker can provide initial access to GCP resources, potentially leading to data breaches, service disruptions, or further lateral movement within the cloud environment. This activity should be investigated promptly to ensure appropriate security policies are enforced and potentially compromised accounts are remediated.

Attack Chain

  1. Credential Compromise: An attacker obtains valid credentials through phishing, credential stuffing, or purchasing leaked credentials.
  2. Initial Access: The attacker uses the compromised credentials to attempt login to a Google Workspace account associated with a GCP tenant.
  3. Single-Factor Authentication: The attacker successfully authenticates using only a username and password because MFA is not enabled or enforced for the target account.
  4. GCP Access: Upon successful authentication, the attacker gains access to the Google Cloud Platform (GCP) resources associated with the compromised account.
  5. Privilege Escalation (Optional): Depending on the compromised account's permissions, the attacker may attempt to escalate privileges within the GCP environment.
  6. Lateral Movement (Optional): The attacker uses the initial access to move laterally within the GCP environment, accessing other resources and accounts.
  7. Data Exfiltration / Service Disruption: The attacker exfiltrates sensitive data from GCP storage or disrupts critical services within the GCP environment.
  8. Persistence (Optional): The attacker establishes persistence mechanisms to maintain access to the GCP environment, such as creating new accounts or modifying existing roles.

Impact

Successful exploitation of single-factor authentication vulnerabilities can result in significant damage, including data breaches, service disruptions, and financial losses. The impact can range from a few affected accounts to complete compromise of a GCP environment depending on access levels. The Forbes article referenced indicates billions of stolen logins are available, meaning credential compromise is a likely initial vector. Organizations in all sectors are at risk, particularly those with lax MFA enforcement policies.

Recommendation

  • Deploy the Sigma rule GCP Successful Single-Factor Authentication to your SIEM and tune for your environment to detect logins without MFA based on Google Workspace logs.
  • Investigate any alerts generated by the GCP Successful Single-Factor Authentication rule, prioritizing accounts with elevated privileges or access to sensitive data.
  • Enforce multi-factor authentication (MFA) for all Google Workspace accounts, especially those with access to GCP resources, as per Google's recommendations in the references.
  • Regularly audit Google Workspace and GCP configurations to ensure that MFA policies are properly configured and enforced.
  • Use the drilldown searches included in this brief to investigate users triggering the initial detection.

Detection coverage 2

GCP Successful Single-Factor Authentication

high

Detects successful logins to GCP accounts without MFA based on Google Workspace logs.

sigma tactics: credential_access techniques: T1078.004 sources: webserver, linux

GCP Successful Single-Factor Authentication - User Agent Filter

medium

Detects successful logins to GCP accounts without MFA while filtering out common legitimate user agents.

sigma tactics: credential_access techniques: T1078.004 sources: webserver, linux

Detection queries are available on the platform. Get full rules →