GCP Virtual Private Cloud Route Creation for Defense Evasion
The creation of a virtual private cloud (VPC) route in Google Cloud Platform (GCP) can indicate an adversary attempting to impact the flow of network traffic for defense evasion.
This threat brief addresses the potential for attackers to create or modify Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations, either inside a Google VPC network or outside it. By creating malicious routes, an attacker can reroute or intercept traffic, potentially disrupting network communications or eavesdropping on sensitive data. This activity is often performed to impair defenses or gain unauthorized access to resources. This brief focuses on detecting the creation of new routes within GCP, specifically monitored through audit logs.
Attack Chain
- Initial Access: The attacker gains access to a GCP account, possibly through compromised credentials or exploiting a misconfigured IAM role.
- Privilege Escalation (If Necessary): The attacker attempts to elevate their privileges within the GCP environment to gain the necessary permissions to modify network configurations.
- Discovery: The attacker enumerates existing VPC routes to understand the current network topology.
- Route Creation: The attacker creates a new VPC route using the
gcloudcommand-line tool or the GCP console, targeting a specific subnet or IP range. The attacker crafts a route that redirects traffic to a malicious destination. The audit logs record the event withevent.action: v*.compute.routes.insertorbeta.compute.routes.insert. - Traffic Redirection: Network traffic matching the new route's destination is now redirected to the attacker-controlled destination.
- Data Interception/Manipulation: The attacker intercepts the redirected traffic, potentially exfiltrating sensitive data or manipulating the traffic before forwarding it to its original destination.
- Defense Evasion: By rerouting network traffic, the attacker can bypass security controls or monitoring systems, making their activities more difficult to detect.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential data breaches. While the severity is low at initial route creation, the impact escalates significantly if the route is used for malicious purposes like data exfiltration or man-in-the-middle attacks. The number of affected VMs depends on the scope of the created route (e.g., a specific subnet or the entire VPC). Organizations in any sector utilizing GCP VPCs are potentially at risk.
Recommendation
- Deploy the Sigma rule
GCP VPC Route Creationto your SIEM to detect suspicious route creation activities based ondata_stream.dataset:gcp.auditandevent.action. - Review IAM permissions and roles to ensure that only authorized personnel have the ability to create or modify VPC routes. Focus on service accounts with excessive permissions.
- Investigate any alerts generated by the Sigma rule, correlating them with other security events or unusual network activity to identify potential malicious intent.
- Enable and regularly review VPC Flow Logs to monitor network traffic patterns and detect any unauthorized redirection.
Detection coverage 2
GCP VPC Route Creation
lowDetects the creation of a new VPC route in Google Cloud Platform (GCP).
GCP VPC Beta Route Creation
lowDetects the creation of a new VPC route in Google Cloud Platform (GCP) using beta API.
Detection queries are available on the platform. Get full rules →