<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Google Cloud Storage - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/google-cloud-storage/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/google-cloud-storage/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Storage Bucket Deletion for Impact</title><link>https://feed.craftedsignal.io/briefs/2024-01-gcp-bucket-delete/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gcp-bucket-delete/</guid><description>An adversary may delete a Google Cloud Platform (GCP) storage bucket to disrupt business operations, detected via GCP audit logs.</description><content:encoded><![CDATA[<p>This threat brief focuses on the malicious deletion of Google Cloud Platform (GCP) storage buckets. Threat actors may target these buckets to disrupt business operations by removing critical data. The detection rule monitors GCP audit logs for bucket deletion events. This activity can lead to significant data loss and service disruption, impacting an organization's ability to function normally. The alert is triggered by the <code>storage.buckets.delete</code> event action within the GCP audit logs. Successful exploitation of this technique could result in prolonged downtime and financial losses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to the target's GCP environment, potentially through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker enumerates existing storage buckets within the GCP project to identify targets for deletion.</li>
<li>The attacker uses the <code>gcloud storage buckets delete</code> command or the GCP console to initiate the deletion of a specific storage bucket.</li>
<li>GCP logs the <code>storage.buckets.delete</code> event in the audit logs, capturing details such as the user account, IP address, and timestamp of the deletion.</li>
<li>The targeted storage bucket and its contents are permanently removed from the GCP environment.</li>
<li>The victim organization experiences data loss and potential service disruption due to the unavailability of the deleted data.</li>
<li>The attacker may repeat this process to delete multiple storage buckets, exacerbating the impact and hindering recovery efforts.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of GCP storage buckets can lead to significant data loss and operational disruption. The impact can range from temporary service outages to permanent data loss, depending on the backup and recovery strategies in place. Industries heavily reliant on cloud storage, such as e-commerce, financial services, and healthcare, are particularly vulnerable. The cost of recovery can be substantial, including expenses related to data restoration, incident response, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GCP Storage Bucket Deletion</code> to your SIEM to detect unauthorized bucket deletions.</li>
<li>Review IAM policies and enforce the principle of least privilege to limit the potential impact of compromised credentials.</li>
<li>Enable versioning on critical storage buckets to facilitate recovery from accidental or malicious deletions (reference: [https://cloud.google.com/storage/docs/key-terms#buckets]).</li>
<li>Set up alerts for any future deletion actions on storage buckets to ensure immediate awareness and response to similar threats.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user account, IP address, and timestamp associated with the deletion event.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>gcp</category><category>impact</category></item><item><title>GCP Storage Bucket Configuration Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-gcp-bucket-mod/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gcp-bucket-mod/</guid><description>This rule detects modifications to Google Cloud Platform (GCP) storage bucket configurations, potentially indicating an adversary attempting to weaken security controls for unauthorized access or data exfiltration.</description><content:encoded><![CDATA[<p>This detection rule identifies modifications to Google Cloud Platform (GCP) storage bucket configurations. Attackers may alter these configurations to weaken security controls, enabling unauthorized access or data exfiltration. The rule focuses on identifying successful configuration changes via audit logs. It is essential for defenders to monitor these changes because misconfigured storage buckets can lead to data breaches, compliance violations, and reputational damage. The rule leverages GCP audit logs to detect <code>storage.buckets.update</code> events, indicating a change in bucket configuration. The rule was initially created in 2020 and updated in April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GCP account, possibly through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker enumerates existing storage buckets to identify potential targets.</li>
<li>The attacker attempts to modify the configuration of a target storage bucket using the <code>storage.buckets.update</code> API.</li>
<li>Specifically, the attacker may attempt to modify the bucket's access control list (ACL) to grant unauthorized access.</li>
<li>Alternatively, the attacker may disable versioning or logging to cover their tracks and prevent detection.</li>
<li>If successful, the attacker gains unauthorized access to the storage bucket's contents.</li>
<li>The attacker exfiltrates sensitive data from the bucket.</li>
<li>The attacker attempts to delete or further modify the bucket to disrupt operations or cover their tracks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data stored in GCP storage buckets. This can result in data breaches, compliance violations, and reputational damage. The number of affected buckets and the severity of the impact depend on the attacker's objectives and the sensitivity of the data stored in the targeted buckets. Depending on the data stored within a compromised bucket, an organization can face regulatory fines, legal action, and loss of customer trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;GCP Storage Bucket Configuration Modification&quot; to your SIEM, ensuring you are ingesting GCP audit logs (filebeat-* or logs-gcp*) as defined in the rule [index].</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user or service account responsible for the configuration change [rule].</li>
<li>Review the bucket's configuration for any unexpected or unauthorized changes to access controls, versioning, or logging [rule].</li>
<li>Implement strict IAM policies and regularly audit access controls to minimize the risk of unauthorized access [rule].</li>
<li>Correlate alerts with other security events to identify potential patterns of malicious behavior [rule].</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>gcp</category><category>defense_evasion</category></item></channel></rss>