{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/google-cloud-vpc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform","Google Cloud VPC","Google App Engine"],"_cs_severities":["medium"],"_cs_tags":["cloud","defense-evasion","gcp"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. Firewall rules are critical for controlling network traffic to and from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule to weaken a target's security controls, facilitating unauthorized access or data exfiltration. This behavior can be indicative of a defense evasion attempt. The deletion events are captured in audit logs within GCP, which are then monitored for specific actions related to firewall rule deletion in either VPC or App Engine environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GCP account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing firewall rules within the VPC or App Engine environment to identify potential targets for deletion.\u003c/li\u003e\n\u003cli\u003eUsing compromised credentials or a service account, the attacker initiates the deletion of a specific firewall rule. The \u003ccode\u003egcloud\u003c/code\u003e CLI or GCP console could be used.\u003c/li\u003e\n\u003cli\u003eThe firewall rule is removed, altering the network access control configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified firewall configuration to establish unauthorized connections to internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the GCP environment, accessing sensitive data or systems previously protected by the deleted firewall rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data or performs other malicious activities, taking advantage of the weakened security posture.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of GCP firewall rules can lead to significant security breaches, including unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. The impact is highly dependent on the scope and purpose of the deleted firewall rule. This activity allows attackers to bypass intended security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Firewall Rule Deletion\u003c/code\u003e to your SIEM to detect unauthorized firewall deletions based on \u003ccode\u003edata_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable GCP audit logging to ensure that all firewall rule deletion events are captured for analysis.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions for users and service accounts to minimize the risk of unauthorized firewall rule modifications.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for firewall rule changes to detect and respond to similar threats more quickly in the future, based on \u003ccode\u003eevent.action\u003c/code\u003e logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gcp-firewall-deletion/","summary":"The deletion of firewall rules in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine is detected, potentially weakening security controls and enabling unauthorized access or data exfiltration by adversaries.","title":"GCP Firewall Rule Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-gcp-firewall-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform","Google Cloud VPC","Google App Engine"],"_cs_severities":["low"],"_cs_tags":["gcp","firewall","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection identifies the creation of firewall rules within Google Cloud Platform (GCP), specifically targeting Virtual Private Cloud (VPC) and App Engine environments. While firewall rules are legitimate components of network security, adversaries can exploit them to weaken existing defenses. By creating overly permissive rules, attackers can bypass security controls and establish unauthorized ingress or egress traffic flows. The focus is on detecting unexpected or suspicious firewall rule creation events that could indicate malicious activity. The original Elastic detection rule \u003ccode\u003e30562697-9859-4ae0-a8c5-dab45d664170\u003c/code\u003e published in 2020 and updated in 2026, helps security teams audit configuration changes and identify potential defense evasion attempts within their GCP environments. The scope includes both VPC and App Engine firewall configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a GCP account, potentially through compromised credentials or exploiting a misconfigured service account.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing firewall rules and network configurations to identify potential weaknesses.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a new firewall rule designed to allow unauthorized traffic, such as opening specific ports or IP ranges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003egcloud\u003c/code\u003e command-line tool or the GCP console to create the new firewall rule, targeting either VPC or App Engine.\u003c/li\u003e\n\u003cli\u003eThe newly created firewall rule is activated, effectively modifying the network's security posture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the permissive firewall rule to establish a command and control (C2) channel or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the open port(s) to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (data exfiltration, system compromise, etc.)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, compromised systems, and potential data breaches. The low severity acknowledges that legitimate firewall rule changes occur regularly, but highlights the need to monitor and validate these changes to detect malicious activity. If successful, attackers can bypass existing security controls and potentially gain complete control of affected systems and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Firewall Rule Creation\u003c/code\u003e to your SIEM to detect suspicious firewall rule creations in your GCP environment. Tune the rule based on your organization's baseline activity and known service accounts.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for \u003ccode\u003eevent.dataset:gcp.audit\u003c/code\u003e entries, specifically focusing on the \u003ccode\u003eevent.action\u003c/code\u003e fields: \u003ccode\u003e*.compute.firewalls.insert\u003c/code\u003e or \u003ccode\u003egoogle.appengine.*.Firewall.Create*Rule\u003c/code\u003e to validate the source of firewall rule changes.\u003c/li\u003e\n\u003cli\u003eImplement role-based access control (RBAC) to limit the ability to create or modify firewall rules to only authorized personnel, mitigating the risk of compromised accounts creating malicious rules.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of expected firewall rules and configurations to quickly identify deviations that could indicate malicious activity, using the provided references about GCP firewalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-gcp-firewall-rule-creation/","summary":"An adversary may create a new firewall rule in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit, indicating a defense evasion attempt.","title":"GCP Firewall Rule Creation for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-02-gcp-firewall-rule-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Google Cloud VPC","version":"https://jsonfeed.org/version/1.1"}