<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Virtual Private Cloud - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/virtual-private-cloud/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/virtual-private-cloud/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Virtual Private Cloud Route Deletion for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/</guid><description>An adversary may delete a Virtual Private Cloud (VPC) route in Google Cloud Platform (GCP) to disrupt network traffic flow and evade defenses.</description><content:encoded><![CDATA[<p>This threat brief addresses the deletion of Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. VPC routes define network traffic paths between virtual machine (VM) instances and other destinations, both inside and outside the VPC network. An attacker may intentionally delete or modify these routes to disrupt network communications, potentially evading security controls or impairing critical services. This activity is often observed as part of a broader attack campaign, where adversaries attempt to weaken the security posture of the target environment. The Elastic detection rule &quot;GCP Virtual Private Cloud Route Deletion&quot;, updated on 2026/04/10, identifies these events by monitoring GCP audit logs for route deletion actions. Defenders should prioritize monitoring VPC route configurations and access logs to detect and respond to unauthorized modifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a GCP account with sufficient privileges to modify VPC configurations. This could be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.</li>
<li>The attacker enumerates existing VPC routes to identify potential targets for disruption, using tools like <code>gcloud compute routes list</code>.</li>
<li>The attacker selects a critical VPC route that is essential for network communication between key services or network segments.</li>
<li>The attacker deletes the selected VPC route using <code>gcloud compute routes delete [ROUTE_NAME]</code>, causing a disruption in network traffic flow.</li>
<li>The successful deletion of the route is logged in GCP audit logs.</li>
<li>Network services relying on the deleted route experience connectivity issues, leading to service degradation or failure.</li>
<li>The attacker may repeat this process with other critical routes to further isolate network segments or prevent detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of VPC routes can lead to significant disruptions in network connectivity and service availability. Victims may experience degraded performance, application failures, or complete outages, depending on the criticality of the affected routes. The deletion of VPC routes can affect any organization utilizing GCP, especially those reliant on stable and predictable network traffic patterns. The risk score associated with this activity is 47.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect VPC route deletion events in GCP audit logs (logsource: <code>service: gcp</code> and category: <code>audit</code>).</li>
<li>Review and harden IAM permissions to restrict access to VPC route management functions to authorized personnel only.</li>
<li>Implement automated monitoring and alerting for any changes to VPC route configurations.</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the associated audit logs and identifying the user or service account responsible for the route deletion.</li>
<li>Establish a process for quickly restoring deleted VPC routes from backups or configuration management tools.</li>
<li>Implement the recommendations in the provided investigation guide to analyze the context and impact of route deletion events.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gcp</category><category>vpc</category><category>route</category><category>defense-evasion</category><category>cloud</category></item><item><title>GCP Virtual Private Cloud Network Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-delete/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-delete/</guid><description>Detection of Virtual Private Cloud (VPC) network deletion in Google Cloud Platform (GCP), which can be used by an adversary to disrupt a target's network and business operations.</description><content:encoded><![CDATA[<p>This rule identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project, containing subnets, routes, and firewalls. An adversary may delete a VPC network to disrupt a target's network and business operations. The detection rule monitors audit logs for successful VPC deletions, flagging potential malicious activity by correlating specific event actions and outcomes. The rule is based on Elastic's detection rule with ID c58c3081-2e1d-4497-8491-e73a45d1a6d6, and updated on 2026/04/10. It focuses on identifying actions that could lead to defense evasion and impact through data destruction.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GCP account with sufficient privileges. This could be via compromised credentials, or a misconfigured IAM role.</li>
<li>The attacker enumerates available VPC networks within the GCP project to identify a target for disruption.</li>
<li>The attacker executes a command or API call to initiate the deletion of the chosen VPC network. This could be done via the gcloud CLI or the GCP console.</li>
<li>GCP validates the attacker's permissions and initiates the VPC network deletion process.</li>
<li>The VPC network and all associated resources (subnets, routes, firewall rules) are removed from the GCP environment.</li>
<li>Applications and services relying on the deleted VPC network experience connectivity issues and service disruptions.</li>
<li>The attacker monitors the impact of the VPC network deletion to ensure the desired disruption has occurred.</li>
<li>The attacker attempts to cover their tracks by deleting audit logs or other evidence of their actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of a VPC network can severely disrupt business operations. Applications and services relying on the deleted network will experience connectivity issues and may become unavailable. This can lead to data loss, financial losses, and reputational damage. The severity depends on the criticality of the affected applications and the speed of recovery. While specific numbers of victims are not provided, the impact can range from isolated application failures to widespread outage affecting entire organizations depending on their GCP infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>GCP VPC Network Deletion</code> Sigma rule to your SIEM to detect unauthorized VPC network deletions. Ensure the log source is configured to ingest GCP audit logs.</li>
<li>Review and harden IAM policies to enforce the principle of least privilege for VPC network management.</li>
<li>Monitor GCP audit logs for unusual activity related to VPC network configurations, focusing on the <code>event.action:v*.compute.networks.delete</code> event.</li>
<li>Implement multi-factor authentication (MFA) for all GCP accounts with administrative privileges.</li>
<li>Create exceptions in the <code>GCP VPC Network Deletion</code> rule for authorized and expected VPC network deletions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>gcp</category><category>defense-evasion</category><category>impact</category></item><item><title>AWS Network ACL Created with All Ports Open</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/</guid><description>An AWS Network Access Control List (ACL) is created with all ports open, potentially exposing resources to unrestricted network access.</description><content:encoded><![CDATA[<p>This alert detects the creation of an AWS Network Access Control List (ACL) that allows traffic on all ports. While not directly indicative of malicious activity, such a configuration significantly broadens the attack surface. An overly permissive ACL makes it easier for attackers to establish unauthorized connections to resources within the VPC and potentially move laterally within the network. It is a common misconfiguration that can lead to data breaches and other security incidents. Defenders should investigate such events to confirm the business justification and ensure appropriate compensating controls are in place.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, possibly through compromised credentials or by exploiting a misconfigured IAM role.</li>
<li>The attacker leverages the AWS CLI or Management Console to create a new Network ACL.</li>
<li>The attacker configures the Network ACL to allow inbound and outbound traffic on all ports (0-65535), effectively bypassing network segmentation controls.</li>
<li>The attacker associates the newly created, overly permissive Network ACL with one or more subnets within a Virtual Private Cloud (VPC).</li>
<li>The attacker probes the exposed resources within the subnet to identify potential targets.</li>
<li>The attacker exploits vulnerabilities in exposed services, such as databases or web applications, due to the lack of network filtering.</li>
<li>The attacker gains unauthorized access to sensitive data or systems within the VPC.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Creating an AWS Network ACL with all ports open significantly increases the risk of unauthorized access to resources within a VPC. This misconfiguration can lead to data breaches, service disruptions, and other security incidents. The impact depends on the sensitivity of the data and systems exposed, but could potentially affect thousands of customers if it involves a multi-tenant environment. It is critical to monitor for and remediate overly permissive Network ACLs to maintain a strong security posture.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>network acl</category></item></channel></rss>