<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Route - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/route/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/route/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Virtual Private Cloud Route Deletion for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-gcp-vpc-route-deletion/</guid><description>An adversary may delete a Virtual Private Cloud (VPC) route in Google Cloud Platform (GCP) to disrupt network traffic flow and evade defenses.</description><content:encoded><![CDATA[<p>This threat brief addresses the deletion of Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. VPC routes define network traffic paths between virtual machine (VM) instances and other destinations, both inside and outside the VPC network. An attacker may intentionally delete or modify these routes to disrupt network communications, potentially evading security controls or impairing critical services. This activity is often observed as part of a broader attack campaign, where adversaries attempt to weaken the security posture of the target environment. The Elastic detection rule &quot;GCP Virtual Private Cloud Route Deletion&quot;, updated on 2026/04/10, identifies these events by monitoring GCP audit logs for route deletion actions. Defenders should prioritize monitoring VPC route configurations and access logs to detect and respond to unauthorized modifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a GCP account with sufficient privileges to modify VPC configurations. This could be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.</li>
<li>The attacker enumerates existing VPC routes to identify potential targets for disruption, using tools like <code>gcloud compute routes list</code>.</li>
<li>The attacker selects a critical VPC route that is essential for network communication between key services or network segments.</li>
<li>The attacker deletes the selected VPC route using <code>gcloud compute routes delete [ROUTE_NAME]</code>, causing a disruption in network traffic flow.</li>
<li>The successful deletion of the route is logged in GCP audit logs.</li>
<li>Network services relying on the deleted route experience connectivity issues, leading to service degradation or failure.</li>
<li>The attacker may repeat this process with other critical routes to further isolate network segments or prevent detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of VPC routes can lead to significant disruptions in network connectivity and service availability. Victims may experience degraded performance, application failures, or complete outages, depending on the criticality of the affected routes. The deletion of VPC routes can affect any organization utilizing GCP, especially those reliant on stable and predictable network traffic patterns. The risk score associated with this activity is 47.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect VPC route deletion events in GCP audit logs (logsource: <code>service: gcp</code> and category: <code>audit</code>).</li>
<li>Review and harden IAM permissions to restrict access to VPC route management functions to authorized personnel only.</li>
<li>Implement automated monitoring and alerting for any changes to VPC route configurations.</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the associated audit logs and identifying the user or service account responsible for the route deletion.</li>
<li>Establish a process for quickly restoring deleted VPC routes from backups or configuration management tools.</li>
<li>Implement the recommendations in the provided investigation guide to analyze the context and impact of route deletion events.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gcp</category><category>vpc</category><category>route</category><category>defense-evasion</category><category>cloud</category></item><item><title>GCP Virtual Private Cloud Route Creation for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-route-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gcp-vpc-route-creation/</guid><description>The creation of a virtual private cloud (VPC) route in Google Cloud Platform (GCP) can indicate an adversary attempting to impact the flow of network traffic for defense evasion.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential for attackers to create or modify Virtual Private Cloud (VPC) routes within Google Cloud Platform (GCP) environments. Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations, either inside a Google VPC network or outside it. By creating malicious routes, an attacker can reroute or intercept traffic, potentially disrupting network communications or eavesdropping on sensitive data. This activity is often performed to impair defenses or gain unauthorized access to resources. This brief focuses on detecting the creation of new routes within GCP, specifically monitored through audit logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to a GCP account, possibly through compromised credentials or exploiting a misconfigured IAM role.</li>
<li><strong>Privilege Escalation (If Necessary):</strong> The attacker attempts to elevate their privileges within the GCP environment to gain the necessary permissions to modify network configurations.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing VPC routes to understand the current network topology.</li>
<li><strong>Route Creation:</strong> The attacker creates a new VPC route using the <code>gcloud</code> command-line tool or the GCP console, targeting a specific subnet or IP range. The attacker crafts a route that redirects traffic to a malicious destination. The audit logs record the event with <code>event.action: v*.compute.routes.insert</code> or <code>beta.compute.routes.insert</code>.</li>
<li><strong>Traffic Redirection:</strong> Network traffic matching the new route's destination is now redirected to the attacker-controlled destination.</li>
<li><strong>Data Interception/Manipulation:</strong> The attacker intercepts the redirected traffic, potentially exfiltrating sensitive data or manipulating the traffic before forwarding it to its original destination.</li>
<li><strong>Defense Evasion:</strong> By rerouting network traffic, the attacker can bypass security controls or monitoring systems, making their activities more difficult to detect.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential data breaches. While the severity is low at initial route creation, the impact escalates significantly if the route is used for malicious purposes like data exfiltration or man-in-the-middle attacks. The number of affected VMs depends on the scope of the created route (e.g., a specific subnet or the entire VPC). Organizations in any sector utilizing GCP VPCs are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GCP VPC Route Creation</code> to your SIEM to detect suspicious route creation activities based on <code>data_stream.dataset:gcp.audit</code> and <code>event.action</code>.</li>
<li>Review IAM permissions and roles to ensure that only authorized personnel have the ability to create or modify VPC routes. Focus on service accounts with excessive permissions.</li>
<li>Investigate any alerts generated by the Sigma rule, correlating them with other security events or unusual network activity to identify potential malicious intent.</li>
<li>Enable and regularly review VPC Flow Logs to monitor network traffic patterns and detect any unauthorized redirection.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>gcp</category><category>vpc</category><category>route</category><category>defense-evasion</category><category>cloud</category></item></channel></rss>