#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Google Cloud | Breaking Cybersecurity News | The Hacker News

Category — Google Cloud
Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Jul 25, 2024 Cloud Security / Vulnerability
Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry," the exposure management company said in a statement. "This access allows for lateral movement and privilege escalation in a victim's project, to access unauthorized data and even update or delete it." Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that are triggered in response to specific Cloud events without the need to manage a server or update frame
PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

Jul 22, 2024 Cloud Security / Phishing Attack
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News. "These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment." The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an onli
Agentic AI in SOCs: A Solution to SOAR's Unfulfilled Promises

Agentic AI in SOCs: A Solution to SOAR's Unfulfilled Promises

Sep 25, 2024Artificial Intelligence / SOC Automation
Security Orchestration, Automation, and Response (SOAR) was introduced with the promise of revolutionizing Security Operations Centers (SOCs) through automation, reducing manual workloads and enhancing efficiency. However, despite three generations of technology and 10 years of advancements, SOAR hasn't fully delivered on its potential, leaving SOCs still grappling with many of the same challenges. Enter Agentic AI—a new approach that could finally fulfill the SOC's long-awaited vision, providing a more dynamic and adaptive solution to automate SOC operations effectively. Three Generations of SOAR – Still Falling Short SOAR emerged in the mid-2010s with companies like PhantomCyber, Demisto, and Swimlane, promising to automate SOC tasks, improve productivity, and shorten response times. Despite these ambitions, SOAR found its greatest success in automating generalized tasks like threat intel propagation, rather than core threat detection, investigation, and response (TDIR) workloads.
AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

Apr 16, 2024 Cloud Security / DevSecOps
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed  LeakyCLI  by cloud security firm Orca. "Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions," security researcher Roi Nisimi  said  in a report shared with The Hacker News. Microsoft has since  addressed  the issue as part of security updates released in November 2023, assigned it the CVE identifier CVE-2023-36052 (CVSS score: 8.6). The idea, in a nutshell, has to do with how the CLI commands such as could be used to show (pre-)defined environment variables and output to Continuous Integration and Continuous Deployment (CI/CD) logs. A list of such commands spann
cyber security

How to Stay Safe From Insider & User Offboarding Risks

websiteWing SecuritySaaS Security / Insider Threat
Unrevoked permissions for offboarded employees is just one of the risks that can result in data breaches.
Banking Trojans Target Latin America and Europe Through Google Cloud Run

Banking Trojans Target Latin America and Europe Through Google Cloud Run

Feb 26, 2024 Cyber Attack / Malware
Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as  Astaroth  (aka Guildma),  Mekotio , and  Ousaban  (aka Javali) to targets across Latin America (LATAM) and Europe. "The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s)," Cisco Talos researchers  disclosed  last week. The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns. Google Cloud Run is a  managed compute platform  that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or sca
Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters

Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters

Jan 24, 2024 Cloud Security / Kubernetes
Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster. The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector. In a report shared with The Hacker News, security researcher Roi Nisimi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)." The system:authenticated group is a special group that includes all authenticated entities, counting human users and service accounts. As a result, this could have serious consequences when administrators inadvertently bestow it with overly permis
Mandiant's Twitter Account Restored After Six-Hour Crypto Scam Hack

Mandiant's Twitter Account Restored After Six-Hour Crypto Scam Hack

Jan 04, 2024 Cryptocurrency / Social Media
American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam. As of writing, the  account has been restored  on the social media platform. It's currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to "@phantomsolw" to impersonate the Phantom crypto wallet service, according to  MalwareHunterTeam  and  vx-underground . Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to "change password please" and "check bookmarks when you get account back." Mandiant, a leading threat intelligence firm, was  acquired by Google  in March 2022 for $5.4 billion. It is now part of Google Cloud. "The Mandiant Twitter account takeover could have happened
Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service

Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service

Dec 28, 2023 Cloud Security / Data Protection
Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. "An attacker who has compromised the  Fluent Bit  logging container could combine that access with high privileges required by  Anthos Service Mesh  (on clusters that have enabled it) to escalate privileges in the cluster," the company  said  as part of an advisory released on December 14, 2023. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) - 1.25.16-gke.1020000 1.26.10-gke.1235000 1.27.7-gke.1293000 1.28.4-gke.1083000 1.17.8-asm.8 1.18.
Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Nov 15, 2023 Vulnerability / Hardware Security
Intel has released fixes to close out a high-severity flaw codenamed  Reptar  that impacts its desktop, mobile, and server CPUs. Tracked as  CVE-2023-23583  (CVSS score: 8.8), the  issue  has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access." Successful exploitation of the vulnerability could also permit a bypass of the CPU's security boundaries, according to Google Cloud, which described it as an issue stemming from how redundant prefixes are interpreted by the processor. "The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host," Google Cloud's Phil Venables  said . "Additionally, the vulnerability could potentially lead to information disclosure or privilege escala
Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years

Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years

Sep 14, 2023 Supply Chain / Malware
A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko  said . The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain deb.fdmpkg[.]
Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

Jul 19, 2023 Cloud Security / Vulnerability
Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors tamper with application images and infect users, leading to supply chain attacks. The issue, dubbed  Bad.Build , is rooted in the  Google Cloud Build service , according to cloud security firm Orca, which discovered and reported the issue. "By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company  said  in a statement shared with The Hacker News. "Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk." Following responsible disclosure, Google has  issued  a
Experts Reveal Google Cloud Platform's Blind Spot for Data Exfiltration Attacks

Experts Reveal Google Cloud Platform's Blind Spot for Data Exfiltration Attacks

Mar 06, 2023 Cloud Computing / Data Safety
Malicious actors can take advantage of "insufficient" forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, a new research has found. "Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," cloud incident response firm Mitiga  said  in a report. The attack banks on the prerequisite that the adversary is able to gain control of an identity and access management (IAM) entity in the targeted organization by methods like social engineering to access the GCP environment. The crux of the problem is that GCP's  storage access logs  do not provide adequate transparency with regards to potential file access and read events, instead grouping them all as a single "Object Get" activity. "The same event is used for a wide variety of types of access, including: Reading a fil
Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

Nov 21, 2022
Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which  shipped  in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The  latest version  of Cobalt Strike is version 4.7.2. Cobalt Strike, developed by  Fortra  (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses. It comprises a Team Server that acts as the command-and-control (C2) hub to remotely commandeer infected devices and a stager that's designed to deliver a next-stage payload called the Beacon, a fully-featured implant that reports back to the C2 server. Given its wide-ranging suite of features, unauthorized versions of the software have been  increasingly   weaponized  by  many  a  threat   actor  to  advance
Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency

Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency

Nov 29, 2021
Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view count manipulation. "While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation," Google's Cybersecurity Action Team (CAT)  outlined  as part of its recent Threat Horizons report published last week. Of the 50 recently compromised GCP instances, 86% of them were used to conduct cryptocurrency mining, in some cases within 22 seconds of successful breach, while 10% of the instances were exploited to perform scans of other publicly accessible hosts on the Internet to identify vulnerable systems, and 8% of the instances were used to strike other entiti
Google Launches Backstory — A New Cyber Security Tool for Businesses

Google Launches Backstory — A New Cyber Security Tool for Businesses

Mar 05, 2019
Google's one-year-old cybersecurity venture Chronicle today announced its first commercial product, called Backstory , a cloud-based enterprise-level threat analytics platform that has been designed to help companies quickly investigate incidents, pinpoint vulnerabilities and hunt for potential threats. Network infrastructures at most enterprises regularly generate enormous amounts of network data and logs on a daily basis that can be helpful to figure out exactly what happened when a security incident occurs. However, unfortunately, most companies either don't collect the right telemetry or even when they do, it's practically impossible for them to retain that telemetry for more than a week or two, making analysts blind if any security incident happens before that. Backstory solves this problem by allowing organizations to privately upload and store their petabytes of "internal security telemetry" on Google cloud platform and leverage machine learning and da
RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

Feb 12, 2019
A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape Linux container and obtain unauthorized, root-level access to the host operating system. The vulnerability, identified as  CVE-2019-5736 , was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday. The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel. Originally created by Docker, runC is the default container run-time for Docker, Kubernetes, ContainerD, CRI-O, and other container-dependent programs, and is widely being used by major cloud hosting and server providers. runC Containe
Google to Encrypt Android Cloud Backups With Your Lock Screen Password

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

Oct 15, 2018
In an effort to secure users' data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can't read it. Google allows Android users to automatically backup their essential app data and settings to their Google account, allowing them to simply restore it when required, instead of re-configuring all the apps after formatting or switching to a new phone. However, until now your backup data was not encrypted and visible to Google, and now the company is going to change its storage procedure. Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way: Step 1: Your Android device will generate a random secret key (not known to Google), Step 2: The secret key will then get encrypted using your lockscreen PIN/pattern/passcode (not known to Google), Step 3: This passcode-protected
Google Photo App Uploads Your Images To Cloud, Even After Uninstalling

Google Photo App Uploads Your Images To Cloud, Even After Uninstalling

Jul 13, 2015
Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge , even if you have already uninstalled the Google Photos app from your device. Nashville Business Journal editor David Arnott found that Google Photos app uploaded all his personal photographs from the device into the service even after uninstalling it. Arnott provided a video demonstration showing that after uninstalling the Google Photos app from his Samsung smartphone, the photograph he took off his coffee mug still wound up being synced into his account on the web. "Months ago, I downloaded the [Photos] app to play with it, but I did not like it and so un-installed the app after just a few days," Arnott tweeted Wednesday. "This evening, I went back to Google Photos on my l
Cloud Source Repositories: Google Quietly Launches GitHub Competitor

Cloud Source Repositories: Google Quietly Launches GitHub Competitor

Jun 26, 2015
After the death of Google code this winter, Google is apparently back in the business through the launch of its private Git repository hosting service on Google Cloud Platform called Cloud Source Repositories . Not yet officially announced, but Google started providing free beta access to its new Cloud Source Repositories earlier this year, VentureBeat reported. Similar to the popular source code repository hosting service GitHub, Cloud Source Repositories provides developers with the ability to host and edit code on the ever-expanding Google Cloud Platform . Though it will not be easy to take hold of all GitHub's customers overnight, Google is taking a successive approach with its new service -- Cloud Source Repositories can serve as a 'remote' Git repositories for users sitting elsewhere on the Internet or locally. Moreover, it is also possible for users to connect a Cloud Source Repository to a hosted repository service like GitHub or Bitbucket that will automatical
Expert Insights / Articles Videos
Cybersecurity Resources