<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Google Cloud VPC - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/google-cloud-vpc/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/google-cloud-vpc/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Firewall Rule Deletion for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-gcp-firewall-deletion/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gcp-firewall-deletion/</guid><description>The deletion of firewall rules in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine is detected, potentially weakening security controls and enabling unauthorized access or data exfiltration by adversaries.</description><content:encoded><![CDATA[<p>This detection identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. Firewall rules are critical for controlling network traffic to and from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule to weaken a target's security controls, facilitating unauthorized access or data exfiltration. This behavior can be indicative of a defense evasion attempt. The deletion events are captured in audit logs within GCP, which are then monitored for specific actions related to firewall rule deletion in either VPC or App Engine environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GCP account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker enumerates existing firewall rules within the VPC or App Engine environment to identify potential targets for deletion.</li>
<li>Using compromised credentials or a service account, the attacker initiates the deletion of a specific firewall rule. The <code>gcloud</code> CLI or GCP console could be used.</li>
<li>The firewall rule is removed, altering the network access control configuration.</li>
<li>The attacker leverages the modified firewall configuration to establish unauthorized connections to internal resources.</li>
<li>The attacker moves laterally within the GCP environment, accessing sensitive data or systems previously protected by the deleted firewall rule.</li>
<li>The attacker exfiltrates data or performs other malicious activities, taking advantage of the weakened security posture.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of GCP firewall rules can lead to significant security breaches, including unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. The impact is highly dependent on the scope and purpose of the deleted firewall rule. This activity allows attackers to bypass intended security controls.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GCP Firewall Rule Deletion</code> to your SIEM to detect unauthorized firewall deletions based on <code>data_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)</code>.</li>
<li>Enable GCP audit logging to ensure that all firewall rule deletion events are captured for analysis.</li>
<li>Review and update access controls and permissions for users and service accounts to minimize the risk of unauthorized firewall rule modifications.</li>
<li>Implement enhanced monitoring and alerting for firewall rule changes to detect and respond to similar threats more quickly in the future, based on <code>event.action</code> logs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>defense-evasion</category><category>gcp</category></item><item><title>GCP Firewall Rule Creation for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-gcp-firewall-rule-creation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-gcp-firewall-rule-creation/</guid><description>An adversary may create a new firewall rule in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit, indicating a defense evasion attempt.</description><content:encoded><![CDATA[<p>This detection identifies the creation of firewall rules within Google Cloud Platform (GCP), specifically targeting Virtual Private Cloud (VPC) and App Engine environments. While firewall rules are legitimate components of network security, adversaries can exploit them to weaken existing defenses. By creating overly permissive rules, attackers can bypass security controls and establish unauthorized ingress or egress traffic flows. The focus is on detecting unexpected or suspicious firewall rule creation events that could indicate malicious activity. The original Elastic detection rule <code>30562697-9859-4ae0-a8c5-dab45d664170</code> published in 2020 and updated in 2026, helps security teams audit configuration changes and identify potential defense evasion attempts within their GCP environments. The scope includes both VPC and App Engine firewall configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a GCP account, potentially through compromised credentials or exploiting a misconfigured service account.</li>
<li>The attacker enumerates existing firewall rules and network configurations to identify potential weaknesses.</li>
<li>The attacker crafts a new firewall rule designed to allow unauthorized traffic, such as opening specific ports or IP ranges.</li>
<li>The attacker uses the <code>gcloud</code> command-line tool or the GCP console to create the new firewall rule, targeting either VPC or App Engine.</li>
<li>The newly created firewall rule is activated, effectively modifying the network's security posture.</li>
<li>The attacker leverages the permissive firewall rule to establish a command and control (C2) channel or exfiltrate sensitive data.</li>
<li>The attacker uses the open port(s) to move laterally within the network.</li>
<li>The attacker achieves their objective (data exfiltration, system compromise, etc.)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, compromised systems, and potential data breaches. The low severity acknowledges that legitimate firewall rule changes occur regularly, but highlights the need to monitor and validate these changes to detect malicious activity. If successful, attackers can bypass existing security controls and potentially gain complete control of affected systems and applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GCP Firewall Rule Creation</code> to your SIEM to detect suspicious firewall rule creations in your GCP environment. Tune the rule based on your organization's baseline activity and known service accounts.</li>
<li>Review the audit logs for <code>event.dataset:gcp.audit</code> entries, specifically focusing on the <code>event.action</code> fields: <code>*.compute.firewalls.insert</code> or <code>google.appengine.*.Firewall.Create*Rule</code> to validate the source of firewall rule changes.</li>
<li>Implement role-based access control (RBAC) to limit the ability to create or modify firewall rules to only authorized personnel, mitigating the risk of compromised accounts creating malicious rules.</li>
<li>Establish a baseline of expected firewall rules and configurations to quickly identify deviations that could indicate malicious activity, using the provided references about GCP firewalls.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>gcp</category><category>firewall</category><category>defense_evasion</category></item></channel></rss>