Flaw in Google Cloud Functions Sparks Broader Security Concerns

A potential privilege escalation flaw affecting Google Cloud Platform (GCP) Cloud Functions and its Cloud Build service has been identified and investigated by security researchers.
The issue, initially discovered by Tenable Research, allowed attackers to exploit the deployment process of GCP Cloud Functions to gain elevated permissions.
Google has since issued a patch to mitigate the excessive privileges previously granted to default Cloud Build service accounts.
Attack Technique Repurposed Across Cloud Environments
Cisco Talos recently expanded upon Tenable’s findings by replicating the attack technique and testing its impact across multiple cloud platforms.
Researchers set up a Debian server in GCP with Node Package Manager (NPM) and Ngrok, using a malicious package.json file to extract tokens and simulate an attack. They confirmed that Google’s patch has neutralized the original privilege escalation vector.
However, Talos demonstrated that the same approach could be adapted to perform environment enumeration – a reconnaissance tactic useful for mapping systems – even without privileged access.
By deploying the altered package.json in AWS Lambda and Azure Functions, Talos verified the tactic’s broader applicability across cloud services.
Enumeration Techniques Observed
The research highlighted several enumeration methods attackers could use to gather valuable system and network information:
- ICMP discovery for network mapping
- Detection of .dockerenv files to confirm containerized environments
- CPU scheduling checks to identify init systems
- Container ID and mount point analysis for potential escape techniques
- Operating system and kernel detail extraction
- User and permission scans to aid privilege escalation
- Network traffic analysis for vulnerability assessment
These techniques do not require privileged credentials, so they remain viable even where service accounts are correctly limited.
Google Responds and Mitigation Measures Advised
Following Tenable’s report, Google modified Cloud Build’s behavior and added new policies for more granular service account control. Talos verified that exfiltration of service account tokens using this method is no longer feasible in GCP.
To defend against similar threats, organizations are advised to:
- Enforce the principle of least privilege for all service accounts
- Regularly audit and monitor permissions
- Alert on unexpected Cloud Function modifications
- Inspect outgoing traffic for signs of exfiltration
- Validate the integrity of external NPM packages
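As an added illustration of the package-integrity recommendation (this code is not from Talos, Tenable or Google), the following JavaScript audits a parsed package.json and package-lock.json before deployment. It assumes install-time lifecycle scripts are the hook a malicious package.json relies on; the pattern list, function names and sample manifests are constructed for the example.

```javascript
// Added example: static audit of an npm manifest and lockfile before deploy.
// Assumption: install-time lifecycle scripts are the hook being abused.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const SUSPICIOUS = [
  { tag: "network-tool", re: /\b(curl|wget|nc|ncat|ngrok)\b/i },
  { tag: "metadata-endpoint", re: /169\.254\.169\.254|metadata\.google\.internal/i },
  { tag: "inline-interpreter", re: /\b(node\s+-e|python3?\s+-c|bash\s+-c|sh\s+-c)/i },
  { tag: "encoded-payload", re: /base64\s+(-d|--decode)/i },
];

function auditManifest(pkg) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!LIFECYCLE.includes(name)) continue; // only scripts npm runs on install
    const tags = SUSPICIOUS.filter((s) => s.re.test(cmd)).map((s) => s.tag);
    findings.push({ kind: "lifecycle-script", name, severity: tags.length ? "high" : "review", tags });
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [dep, spec] of Object.entries(pkg[field] || {})) {
      // Git, URL, file and user/repo specs bypass the registry and its checksums.
      if (/^(git(\+\w+)?:|https?:|file:|github:)/i.test(spec) || /^[\w.-]+\/[\w.-]+/.test(spec)) {
        findings.push({ kind: "non-registry-source", name: dep, severity: "high", tags: [spec] });
      }
    }
  }
  return findings;
}

function auditLockfile(lock) {
  // lockfileVersion 2/3 layout: "packages" keyed by node_modules path.
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path !== "" && !e.link && !e.integrity)
    .map(([path]) => ({ kind: "missing-integrity", name: path, severity: "high", tags: [] }));
}

// Constructed sample input (hostnames and package names are placeholders).
const samplePkg = {
  name: "constructed-function",
  scripts: { preinstall: "curl -s https://collector.example.invalid/ping", test: "jest", postinstall: "node scripts/build.js" },
  dependencies: { express: "4.19.2", "left-helper": "git+https://git.example.invalid/x/left-helper.git" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-function" },
    "node_modules/express": { version: "4.19.2", integrity: "sha512-CONSTRUCTED" },
    "node_modules/left-helper": { version: "1.0.0", resolved: "git+https://git.example.invalid/x/left-helper.git" },
  },
};
console.log(JSON.stringify([...auditManifest(samplePkg), ...auditLockfile(sampleLock)], null, 2));
```

A "review" finding means a lifecycle script exists but matched no pattern; it still runs at install time and deserves a manual look.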
Though Google has addressed the original flaw, the research underscores the persistent risk posed by overly permissive configurations and the importance of continuous security monitoring across cloud environments.