Threat actors have been increasingly targeting cloud services for various illicit purposes, with Google Cloud being a prime target due to its vast resources and capabilities that can be exploited for malicious activities. The allure of the immense amounts of data and computing power offered by Google Cloud often draws threat actors, who can leverage the complexity of cloud environments to evade detection.
The Google Cloud Threat Horizons Report recently uncovered instances of hackers actively abusing Google Cloud for phishing campaigns. The report, compiled from insights gathered by various Google teams such as TAG and Mandiant, provides strategic intelligence on cloud security threats across different providers. It highlights serverless computing as a revolutionary concept that, despite its benefits, could be susceptible to exploitation.
To address emerging serverless cloud threats effectively, cloud security professionals need to focus on three key areas, including mitigating the risks that arise from customer misconfigurations while still benefiting from serverless scalability and reduced operational overhead. The security landscape described by the Google Cloud Office of the Cloud CISO for the first half of 2024 showed weak or absent passwords as the primary avenue for unauthorized access, with misconfigurations accounting for over 30% of incidents, particularly those involving free service account keys.
Cryptomining remained the primary motive for intrusions at 59%, indicating a slight decrease from the previous period. The research underscores the importance of organizations prioritizing credential management, adhering to strict configurations, and adopting serverless architectures to enhance their cloud security maturity in the face of evolving threats. Although serverless computing offers numerous advantages, it necessitates a security-first approach from the outset.
Mandiant’s analysis over two years has identified critical risks associated with serverless architecture across various cloud providers, including hardcoded and plaintext secrets leading to unauthorized access, threat actors exploiting serverless infrastructure for malicious activities, unsafe design and development practices introducing vulnerabilities, and misconfigured back-end services exposing sensitive data or functionalities. Organizations must implement robust security measures to address these specific threats and effectively manage serverless technology.
During the period of 2023-2024, threat actors known as “PINEAPPLE” and “FLUXROOT” utilized Google Cloud services to distribute malware targeting individuals in Latin America. The quick response from Google teams, including setting up detection capabilities, blocking malicious URLs, and suspending associated projects, significantly reduced the effectiveness of the campaign.
Mitigations against such threats include managing high-privilege accounts rigorously, applying least privilege principles, implementing malware detection controls, collaborating with CISA for malware analysis, monitoring leaked credentials, developing credential reset playbooks, utilizing Container Threat Detection, avoiding untrusted containers, configuring Cloud Functions network settings, and controlling network ingress and egress for Cloud Run.
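The ingress controls listed above are the kind of setting a defender can audit in bulk. The following is an added example, not code from the report or from Google: it checks a constructed inventory of Cloud Run services (using the real `run.googleapis.com/ingress` annotation and `roles/run.invoker` IAM role) and 1st-gen Cloud Functions (the real `ingressSettings` field) and flags anything still reachable from the public internet; the IAM layout and all names are assumptions.

```python
"""Audit constructed Cloud Run / Cloud Functions descriptors for open ingress.

Added example, not taken from the report. The inventory below is constructed
to resemble what `gcloud ... describe` returns; the IAM sub-document is an
assumption bolted on for illustration.
"""

# Ingress values that still accept traffic from the public internet.
RUN_OPEN = {"all"}
FUNCTIONS_OPEN = {"ALLOW_ALL"}

SERVICES = [  # constructed sample data
    {"metadata": {"name": "billing-api",
                  "annotations": {"run.googleapis.com/ingress": "all"}},
     "iam": {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}},
    {"metadata": {"name": "internal-worker",
                  "annotations": {"run.googleapis.com/ingress": "internal"}},
     "iam": {"bindings": [{"role": "roles/run.invoker",
                           "members": ["serviceAccount:sched@example.iam.gserviceaccount.com"]}]}},
    # Annotation absent: Cloud Run defaults to "all", so it must be flagged too.
    {"metadata": {"name": "legacy-hook", "annotations": {}}, "iam": {"bindings": []}},
]
FUNCTIONS = [  # constructed sample data
    {"name": "projects/p/locations/us-central1/functions/resize", "ingressSettings": "ALLOW_ALL"},
    {"name": "projects/p/locations/us-central1/functions/nightly", "ingressSettings": "ALLOW_INTERNAL_ONLY"},
]


def run_findings(services):
    """Return (service, reason) pairs for Cloud Run services reachable from anywhere."""
    out = []
    for svc in services:
        meta = svc["metadata"]
        ingress = meta.get("annotations", {}).get("run.googleapis.com/ingress", "all")
        if ingress in RUN_OPEN:
            out.append((meta["name"], f"ingress={ingress}"))
        for binding in svc.get("iam", {}).get("bindings", []):
            if binding["role"] == "roles/run.invoker" and "allUsers" in binding["members"]:
                out.append((meta["name"], "unauthenticated invoker (allUsers)"))
    return out


def function_findings(functions):
    """Return (function, reason) pairs for Cloud Functions accepting public ingress."""
    return [(f["name"].rsplit("/", 1)[-1], f"ingressSettings={f['ingressSettings']}")
            for f in functions if f.get("ingressSettings", "ALLOW_ALL") in FUNCTIONS_OPEN]


if __name__ == "__main__":
    for name, why in run_findings(SERVICES) + function_findings(FUNCTIONS):
        print(f"REVIEW {name}: {why}")
```

A service flagged for `ingress=all` and an `allUsers` invoker is both network-reachable and callable without identity, which is the combination the report's guidance on Cloud Run ingress and least privilege is meant to remove.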
In conclusion, the evolving landscape of cloud security threats underscores the importance of proactive measures and robust strategies to safeguard cloud environments and prevent unauthorized access and malicious activities. Organizations must remain vigilant, prioritize security measures, and collaborate with experts to mitigate risks effectively in the ever-changing cybersecurity landscape.

