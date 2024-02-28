



Lateral movement is a technique attackers frequently use: after compromising a network, they move from device to device and application to application, looking for vulnerabilities, escalating privileges, and working toward their final target.

Research released today by Palo Alto Networks highlights several techniques that exploit misconfigurations to let attackers move laterally within cloud environments. These misconfiguration issues are not new, but the Palo Alto Networks research shows that cybercriminals are abusing cloud administrative privileges to reach content they are not authorized to access across cloud providers such as AWS, Azure, and Google Cloud. The research also walks through a real-world scenario.

This post describes the misconfigurations that can enable these attack vectors and recommends safeguards to help secure your Google Cloud environment.

Technique 1: Create a snapshot

The first lateral movement technique abuses a virtual machine's disk snapshot privileges to read the disk of an instance the principal otherwise has no access to. The permissions involved let users take copies of existing disks and restore snapshots onto new disks.

These are important features for managing backups and recovery points, but a principal that holds both permissions can create a full working copy of a disk under their own control. Attaching that copy to an instance they control gives them access to contents they previously had no permission to read.

The technique is faster still when a snapshot of the disk already exists. Instead of creating a snapshot, an attacker with the Viewer role and the appropriate snapshot permissions can restore the existing backup into a project they manage. In other words, read access in the target project combined with restore access in another project is enough to recreate all of the instances and access their data.

Snapshot permissions on a disk should therefore be treated as permissions to read the disk's contents, even when the user has no regular access to the instance. Failing to apply the principle of least privilege to these permissions lets an attacker who has already gained a foothold in the organization reach data far beyond the scope of the initial compromise.
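An added example of the least-privilege review this paragraph calls for (it is not code from Palo Alto Networks or from this post): a Python audit that walks a project IAM policy and reports every principal who can obtain a disk's contents through snapshot permissions, and which role grants it. The policy, members, custom role names and the role-to-permission map are constructed sample data; in a real audit the map would be filled from `gcloud iam roles describe` for each bound role.

```python
"""Audit a Google Cloud IAM policy for principals who can read disk contents
indirectly via snapshots. All data below is constructed for the example."""
from collections import defaultdict

# Permissions that yield a usable copy of a disk's data without instance access:
# createSnapshot takes a new snapshot, useReadOnly restores an existing one
# (possibly into another project the principal controls).
SNAPSHOT_READ = {"compute.disks.createSnapshot", "compute.snapshots.useReadOnly"}

# Constructed role -> permission map (custom role names are hypothetical).
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "compute.snapshots.get", "compute.snapshots.list"},
    "projects/example-prj/roles/backupOperator": {"compute.disks.createSnapshot", "compute.snapshots.create"},
    "projects/example-prj/roles/dataRecovery": {"compute.snapshots.useReadOnly", "compute.disks.create"},
    "roles/logging.viewer": {"logging.logEntries.list"},
}

# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "projects/example-prj/roles/backupOperator",
         "members": ["serviceAccount:backup@example-prj.iam.gserviceaccount.com"]},
        {"role": "projects/example-prj/roles/dataRecovery", "members": ["user:bob@example.com"]},
        {"role": "roles/logging.viewer", "members": ["user:carol@example.com"]},
    ]
}


def snapshot_readers(policy, role_permissions):
    """Return ({member: {permission: [roles granting it]}}, unknown_roles).
    Roles missing from role_permissions are reported rather than ignored,
    so an incomplete permission map cannot silently hide a finding."""
    findings = defaultdict(lambda: defaultdict(list))
    unknown_roles = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        perms = role_permissions.get(role)
        if perms is None:
            unknown_roles.add(role)
            continue
        for perm in perms & SNAPSHOT_READ:
            for member in binding.get("members", []):
                findings[member][perm].append(role)
    return {m: dict(p) for m, p in findings.items()}, unknown_roles


if __name__ == "__main__":
    found, unknown = snapshot_readers(SAMPLE_POLICY, ROLE_PERMISSIONS)
    for member, perms in sorted(found.items()):
        print(f"{member} can read disk contents via snapshots:")
        for perm, roles in perms.items():
            print(f"  {perm} (granted by {', '.join(roles)})")
    for role in sorted(unknown):
        print(f"WARNING: no permission list for {role}; fetch it with gcloud iam roles describe")
```

Bob is flagged even though his only predefined role is Viewer, which is exactly the case described above: the restore permission alone is enough to carry the data into a project he controls.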

Execution method

The first step is to take a snapshot of a disk attached to the instance you cannot access. If a snapshot of that instance already exists and you have read access to it, you can skip this step.

