Persistence refers to the ability of an attacker to maintain access to a compromised system or network over an extended period of time. In the context of Google Cloud Platform (GCP), persistence techniques are used to maintain unauthorized access to GCP resources.

지속성은 공격자가 오랜 기간 동안 침투된 시스템이나 네트워크에 대한 접근을 유지하는 능력을 말합니다. Google Cloud Platform (GCP)의 경우, 지속성 기술은 GCP 리소스에 대한 무단 액세스를 유지하기 위해 사용됩니다.

Table of Contents

• Backdoors

• Service Account Abuse

• IAM Privilege Escalation

• Metadata Server Exploitation

• Data Exfiltration

Backdoors

A backdoor is a hidden method of bypassing normal authentication mechanisms to gain unauthorized access to a system. In GCP, backdoors can be created using various techniques such as:

• SSH Keys: An attacker can add their own SSH public key to a GCP instance, allowing them to authenticate without a password.

• Startup Scripts: By modifying the startup script of a GCP instance, an attacker can execute arbitrary commands or install malicious software during the boot process.

• Custom Images: An attacker can create a custom image with a backdoor embedded in it, and then use that image to launch new instances with the backdoor already present.

Service Account Abuse

Service accounts are special accounts used by applications and services to authenticate with GCP APIs. If an attacker gains access to a service account, they can abuse its privileges to perform unauthorized actions. Some techniques for service account abuse include:

• Key Compromise: If an attacker obtains the private key associated with a service account, they can use it to authenticate as that service account and perform actions on behalf of the account.

• Impersonation: By modifying the IAM policies of a service account, an attacker can grant themselves additional privileges or impersonate other users or service accounts.

• Token Theft: If an attacker gains access to a service account's access token, they can use it to authenticate as that service account and perform actions on behalf of the account.

IAM Privilege Escalation

IAM (Identity and Access Management) is the service that controls access to GCP resources. Privilege escalation refers to the act of gaining higher levels of access than originally granted. In GCP, some techniques for IAM privilege escalation include:

• Role Impersonation: By modifying the IAM policies of a user or service account, an attacker can grant themselves higher-level roles or impersonate other users or service accounts with higher privileges.

• Privilege Elevation: If an attacker gains access to a user or service account with limited privileges, they can attempt to escalate their privileges by exploiting misconfigurations or vulnerabilities in GCP IAM.

Metadata Server Exploitation

The metadata server is a service provided by GCP that allows instances to access metadata about themselves and the project they belong to. Exploiting the metadata server can provide an attacker with valuable information or even allow them to execute arbitrary code on the instance. Some techniques for metadata server exploitation include:

• Metadata Injection: By injecting malicious metadata into an instance, an attacker can trick the instance into performing unintended actions or leaking sensitive information.

• Metadata Service API Abuse: The metadata service API can be abused to retrieve sensitive information or execute commands on the instance by making unauthorized API requests.

Data Exfiltration

Data exfiltration refers to the unauthorized extraction of data from a system or network. In GCP, an attacker can exfiltrate data by:

• Copying Data: An attacker can copy sensitive data from GCP storage buckets or databases to an external location under their control.

• Leaking Data: By exploiting misconfigurations or vulnerabilities in GCP services, an attacker can leak sensitive data to the public internet or other unauthorized entities.

References

• Google Cloud Platform Documentation

• Google Cloud Platform Security Best Practices