{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/virtual-private-cloud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Virtual Private Cloud"],"_cs_severities":["medium"],"_cs_tags":["gcp","vpc","route","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief addresses the deletion of Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. VPC routes define network traffic paths between virtual machine (VM) instances and other destinations, both inside and outside the VPC network. An attacker may intentionally delete or modify these routes to disrupt network communications, potentially evading security controls or impairing critical services. This activity is often observed as part of a broader attack campaign, where adversaries attempt to weaken the security posture of the target environment. The Elastic detection rule \u0026quot;GCP Virtual Private Cloud Route Deletion\u0026quot;, updated on 2026/04/10, identifies these events by monitoring GCP audit logs for route deletion actions. Defenders should prioritize monitoring VPC route configurations and access logs to detect and respond to unauthorized modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a GCP account with sufficient privileges to modify VPC configurations. This could be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing VPC routes to identify potential targets for disruption, using tools like \u003ccode\u003egcloud compute routes list\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a critical VPC route that is essential for network communication between key services or network segments.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the selected VPC route using \u003ccode\u003egcloud compute routes delete [ROUTE_NAME]\u003c/code\u003e, causing a disruption in network traffic flow.\u003c/li\u003e\n\u003cli\u003eThe successful deletion of the route is logged in GCP audit logs.\u003c/li\u003e\n\u003cli\u003eNetwork services relying on the deleted route experience connectivity issues, leading to service degradation or failure.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process with other critical routes to further isolate network segments or prevent detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of VPC routes can lead to significant disruptions in network connectivity and service availability. Victims may experience degraded performance, application failures, or complete outages, depending on the criticality of the affected routes. The deletion of VPC routes can affect any organization utilizing GCP, especially those reliant on stable and predictable network traffic patterns. The risk score associated with this activity is 47.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect VPC route deletion events in GCP audit logs (logsource: \u003ccode\u003eservice: gcp\u003c/code\u003e and category: \u003ccode\u003eaudit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and harden IAM permissions to restrict access to VPC route management functions to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring and alerting for any changes to VPC route configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the associated audit logs and identifying the user or service account responsible for the route deletion.\u003c/li\u003e\n\u003cli\u003eEstablish a process for quickly restoring deleted VPC routes from backups or configuration management tools.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations in the provided investigation guide to analyze the context and impact of route deletion events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/","summary":"An adversary may delete a Virtual Private Cloud (VPC) route in Google Cloud Platform (GCP) to disrupt network traffic flow and evade defenses.","title":"GCP Virtual Private Cloud Route Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Virtual Private Cloud"],"_cs_severities":["medium"],"_cs_tags":["cloud","gcp","defense-evasion","impact"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis rule identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project, containing subnets, routes, and firewalls. An adversary may delete a VPC network to disrupt a target's network and business operations. The detection rule monitors audit logs for successful VPC deletions, flagging potential malicious activity by correlating specific event actions and outcomes. The rule is based on Elastic's detection rule with ID c58c3081-2e1d-4497-8491-e73a45d1a6d6, and updated on 2026/04/10. It focuses on identifying actions that could lead to defense evasion and impact through data destruction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GCP account with sufficient privileges. This could be via compromised credentials, or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available VPC networks within the GCP project to identify a target for disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command or API call to initiate the deletion of the chosen VPC network. This could be done via the gcloud CLI or the GCP console.\u003c/li\u003e\n\u003cli\u003eGCP validates the attacker's permissions and initiates the VPC network deletion process.\u003c/li\u003e\n\u003cli\u003eThe VPC network and all associated resources (subnets, routes, firewall rules) are removed from the GCP environment.\u003c/li\u003e\n\u003cli\u003eApplications and services relying on the deleted VPC network experience connectivity issues and service disruptions.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the impact of the VPC network deletion to ensure the desired disruption has occurred.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting audit logs or other evidence of their actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a VPC network can severely disrupt business operations. Applications and services relying on the deleted network will experience connectivity issues and may become unavailable. This can lead to data loss, financial losses, and reputational damage. The severity depends on the criticality of the affected applications and the speed of recovery. While specific numbers of victims are not provided, the impact can range from isolated application failures to widespread outage affecting entire organizations depending on their GCP infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eGCP VPC Network Deletion\u003c/code\u003e Sigma rule to your SIEM to detect unauthorized VPC network deletions. Ensure the log source is configured to ingest GCP audit logs.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM policies to enforce the principle of least privilege for VPC network management.\u003c/li\u003e\n\u003cli\u003eMonitor GCP audit logs for unusual activity related to VPC network configurations, focusing on the \u003ccode\u003eevent.action:v*.compute.networks.delete\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GCP accounts with administrative privileges.\u003c/li\u003e\n\u003cli\u003eCreate exceptions in the \u003ccode\u003eGCP VPC Network Deletion\u003c/code\u003e rule for authorized and expected VPC network deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-delete/","summary":"Detection of Virtual Private Cloud (VPC) network deletion in Google Cloud Platform (GCP), which can be used by an adversary to disrupt a target's network and business operations.","title":"GCP Virtual Private Cloud Network Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-delete/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Network ACL","Virtual Private Cloud"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","network acl"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects the creation of an AWS Network Access Control List (ACL) that allows traffic on all ports. While not directly indicative of malicious activity, such a configuration significantly broadens the attack surface. An overly permissive ACL makes it easier for attackers to establish unauthorized connections to resources within the VPC and potentially move laterally within the network. It is a common misconfiguration that can lead to data breaches and other security incidents. Defenders should investigate such events to confirm the business justification and ensure appropriate compensating controls are in place.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or by exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI or Management Console to create a new Network ACL.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Network ACL to allow inbound and outbound traffic on all ports (0-65535), effectively bypassing network segmentation controls.\u003c/li\u003e\n\u003cli\u003eThe attacker associates the newly created, overly permissive Network ACL with one or more subnets within a Virtual Private Cloud (VPC).\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed resources within the subnet to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits vulnerabilities in exposed services, such as databases or web applications, due to the lack of network filtering.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems within the VPC.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCreating an AWS Network ACL with all ports open significantly increases the risk of unauthorized access to resources within a VPC. This misconfiguration can lead to data breaches, service disruptions, and other security incidents. The impact depends on the sensitivity of the data and systems exposed, but could potentially affect thousands of customers if it involves a multi-tenant environment. It is critical to monitor for and remediate overly permissive Network ACLs to maintain a strong security posture.\u003c/p\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/","summary":"An AWS Network Access Control List (ACL) is created with all ports open, potentially exposing resources to unrestricted network access.","title":"AWS Network ACL Created with All Ports Open","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/"}],"language":"en","title":"CraftedSignal Threat Feed - Virtual Private Cloud","version":"https://jsonfeed.org/version/1.1"}