{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/route/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Virtual Private Cloud"],"_cs_severities":["medium"],"_cs_tags":["gcp","vpc","route","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief addresses the deletion of Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. VPC routes define network traffic paths between virtual machine (VM) instances and other destinations, both inside and outside the VPC network. An attacker may intentionally delete or modify these routes to disrupt network communications, potentially evading security controls or impairing critical services. This activity is often observed as part of a broader attack campaign, where adversaries attempt to weaken the security posture of the target environment. The Elastic detection rule \u0026quot;GCP Virtual Private Cloud Route Deletion\u0026quot;, updated on 2026/04/10, identifies these events by monitoring GCP audit logs for route deletion actions. Defenders should prioritize monitoring VPC route configurations and access logs to detect and respond to unauthorized modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a GCP account with sufficient privileges to modify VPC configurations. This could be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing VPC routes to identify potential targets for disruption, using tools like \u003ccode\u003egcloud compute routes list\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a critical VPC route that is essential for network communication between key services or network segments.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the selected VPC route using \u003ccode\u003egcloud compute routes delete [ROUTE_NAME]\u003c/code\u003e, causing a disruption in network traffic flow.\u003c/li\u003e\n\u003cli\u003eThe successful deletion of the route is logged in GCP audit logs.\u003c/li\u003e\n\u003cli\u003eNetwork services relying on the deleted route experience connectivity issues, leading to service degradation or failure.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process with other critical routes to further isolate network segments or prevent detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of VPC routes can lead to significant disruptions in network connectivity and service availability. Victims may experience degraded performance, application failures, or complete outages, depending on the criticality of the affected routes. The deletion of VPC routes can affect any organization utilizing GCP, especially those reliant on stable and predictable network traffic patterns. The risk score associated with this activity is 47.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect VPC route deletion events in GCP audit logs (logsource: \u003ccode\u003eservice: gcp\u003c/code\u003e and category: \u003ccode\u003eaudit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and harden IAM permissions to restrict access to VPC route management functions to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring and alerting for any changes to VPC route configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the associated audit logs and identifying the user or service account responsible for the route deletion.\u003c/li\u003e\n\u003cli\u003eEstablish a process for quickly restoring deleted VPC routes from backups or configuration management tools.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations in the provided investigation guide to analyze the context and impact of route deletion events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/","summary":"An adversary may delete a Virtual Private Cloud (VPC) route in Google Cloud Platform (GCP) to disrupt network traffic flow and evade defenses.","title":"GCP Virtual Private Cloud Route Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Virtual Private Cloud (VPC)"],"_cs_severities":["low"],"_cs_tags":["gcp","vpc","route","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief addresses the potential for attackers to create or modify Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations, either inside a Google VPC network or outside it. By creating malicious routes, an attacker can reroute or intercept traffic, potentially disrupting network communications or eavesdropping on sensitive data. This activity is often performed to impair defenses or gain unauthorized access to resources. This brief focuses on detecting the creation of new routes within GCP, specifically monitored through audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to a GCP account, possibly through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Necessary):\u003c/strong\u003e The attacker attempts to elevate their privileges within the GCP environment to gain the necessary permissions to modify network configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing VPC routes to understand the current network topology.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRoute Creation:\u003c/strong\u003e The attacker creates a new VPC route using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool or the GCP console, targeting a specific subnet or IP range. The attacker crafts a route that redirects traffic to a malicious destination. The audit logs record the event with \u003ccode\u003eevent.action: v*.compute.routes.insert\u003c/code\u003e or \u003ccode\u003ebeta.compute.routes.insert\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTraffic Redirection:\u003c/strong\u003e Network traffic matching the new route's destination is now redirected to the attacker-controlled destination.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Interception/Manipulation:\u003c/strong\u003e The attacker intercepts the redirected traffic, potentially exfiltrating sensitive data or manipulating the traffic before forwarding it to its original destination.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e By rerouting network traffic, the attacker can bypass security controls or monitoring systems, making their activities more difficult to detect.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential data breaches. While the severity is low at initial route creation, the impact escalates significantly if the route is used for malicious purposes like data exfiltration or man-in-the-middle attacks. The number of affected VMs depends on the scope of the created route (e.g., a specific subnet or the entire VPC). Organizations in any sector utilizing GCP VPCs are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP VPC Route Creation\u003c/code\u003e to your SIEM to detect suspicious route creation activities based on \u003ccode\u003edata_stream.dataset:gcp.audit\u003c/code\u003e and \u003ccode\u003eevent.action\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview IAM permissions and roles to ensure that only authorized personnel have the ability to create or modify VPC routes. Focus on service accounts with excessive permissions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, correlating them with other security events or unusual network activity to identify potential malicious intent.\u003c/li\u003e\n\u003cli\u003eEnable and regularly review VPC Flow Logs to monitor network traffic patterns and detect any unauthorized redirection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-route-creation/","summary":"The creation of a virtual private cloud (VPC) route in Google Cloud Platform (GCP) can indicate an adversary attempting to impact the flow of network traffic for defense evasion.","title":"GCP Virtual Private Cloud Route Creation for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-route-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Route","version":"https://jsonfeed.org/version/1.1"}