Cybercriminals could take advantage of “insufficient” forensic visibility in the Google Cloud Platform (GCP) to snatch sensitive data, according to new research.

“Unfortunately, GCP does not provide the level of visibility into its archiving logs necessary to enable any effective forensic investigation, blinding organizations to potential data exfiltration attacks,” Mitiga said in a report.

How does the Google Cloud Platform attack work?

The attack assumes that the attacker has already taken control of an identity and access management (IAM) entity within the targeted organization, for example through social engineering, and can therefore access the GCP environment.

The core of the problem is that Google Cloud Platform storage access logs do not provide adequate transparency about file access and read events, grouping them all under a single “Object Get” activity.

“The same event is used for a variety of access types, including: reading a file, downloading a file, copying a file to an external server, reading file metadata,” said Mitiga researcher Veronica Marinov.

This lack of distinction could allow an attacker to collect sensitive data undetected, chiefly because there is no way to differentiate malicious from legitimate user activity.

In a hypothetical attack, an attacker could use the Google command-line interface (gsutil) to transfer valuable data from the victim organization’s storage buckets to an external storage bucket in the attacker’s own organization.
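To make the logging limitation concrete from the defender's side, here is an added example (not from Mitiga's report or Google's tooling) that runs two heuristics over constructed Cloud Storage data-access audit entries. The field names (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `requestMetadata.callerIp`, `resourceName`) are the real Cloud Audit Log fields; the principals, bucket, addresses, allowed networks and thresholds are invented for the example. Because every read is logged as `storage.objects.get`, the code can only flag where a read came from and how many distinct objects one principal touched in a short window; it cannot tell a download from a copy to another bucket, which is exactly the gap the research describes.

```python
"""Heuristic review of Cloud Storage data-access audit log entries.

The sample entries below are constructed to mirror the fields of a
Cloud Audit Log DATA_READ record for storage.googleapis.com. Every
object read, whatever the client did with the bytes, is logged as
"storage.objects.get", so the detector can only reason about who read
what, from where and how quickly, never about the destination.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Source networks this hypothetical organization expects reads from (constructed).
ALLOWED_SOURCE_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
READ_BURST_THRESHOLD = 5                    # distinct objects per principal ...
READ_BURST_WINDOW = timedelta(minutes=10)   # ... inside this sliding window


def _entry(ts, method, principal, ip, resource):
    """Build one constructed audit log line in the shape Cloud Logging exports."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": resource,
        },
    })


BUCKET = "projects/_/buckets/finance-reports"
SVC = "svc-backup@example-project.iam.gserviceaccount.com"  # constructed principal

# Constructed sample: a normal user reading two files, then a service account
# reading six distinct objects in under three minutes from an unexpected address.
SAMPLE_LOG_LINES = [
    _entry("2023-03-01T09:00:00Z", "storage.objects.list", "alice@example.com", "10.0.0.5", BUCKET),
    _entry("2023-03-01T09:01:00Z", "storage.objects.get", "alice@example.com", "10.0.0.5", f"{BUCKET}/objects/q1.xlsx"),
    _entry("2023-03-01T09:02:00Z", "storage.objects.get", "alice@example.com", "10.0.0.5", f"{BUCKET}/objects/q2.xlsx"),
] + [
    _entry(f"2023-03-01T09:3{i // 2}:{'30' if i % 2 else '00'}Z", "storage.objects.get",
           SVC, "198.51.100.7", f"{BUCKET}/objects/report-{i}.xlsx")
    for i in range(6)
]


def parse_entry(line):
    """Extract the handful of fields the heuristics need from one JSON log line."""
    e = json.loads(line)
    p = e["protoPayload"]
    return {
        "ts": datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
        "method": p["methodName"],
        "principal": p["authenticationInfo"]["principalEmail"],
        "ip": p["requestMetadata"]["callerIp"],
        "object": p["resourceName"],
    }


def find_suspicious_reads(lines):
    """Return (kind, principal, detail) findings for object reads worth a look."""
    reads = [r for r in map(parse_entry, lines) if r["method"] == "storage.objects.get"]
    findings = []

    # Heuristic 1: a read issued from outside the expected source networks.
    seen_sources = set()
    for r in reads:
        if any(ip_address(r["ip"]) in net for net in ALLOWED_SOURCE_NETS):
            continue
        if (r["principal"], r["ip"]) not in seen_sources:
            seen_sources.add((r["principal"], r["ip"]))
            findings.append(("external_source", r["principal"], r["ip"]))

    # Heuristic 2: one principal touching many distinct objects inside the window.
    by_principal = defaultdict(list)
    for r in sorted(reads, key=lambda r: r["ts"]):
        by_principal[r["principal"]].append(r)
    for principal, rs in by_principal.items():
        peak, start = 0, 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > READ_BURST_WINDOW:
                start += 1
            peak = max(peak, len({r["object"] for r in rs[start:end + 1]}))
        if peak >= READ_BURST_THRESHOLD:
            findings.append(("read_burst", principal, peak))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_reads(SAMPLE_LOG_LINES):
        print(finding)
```

Both heuristics produce leads, not verdicts: a legitimate backup job reads many objects quickly too, and a compromised identity used from an expected network trips neither rule. Tuning the allowlist and thresholds to a particular environment is the part this example leaves to the reader.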

Google has since provided recommendations on how to mitigate the problem, ranging from VPC Service Controls to organization restriction headers that limit which cloud resources requests may target.
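The organization restriction header is the control most directly aimed at the scenario above: an egress proxy attaches an `X-Goog-Allowed-Resources` header whose value is base64-encoded JSON naming the Google Cloud organizations that requests from the managed network may address, and Google refuses requests for resources in any other organization. The following added example (not Google's code) builds such a value and replicates the allow/deny decision locally so a policy can be unit-tested before it is rolled out on the proxy. The header name and JSON shape follow Google's documentation for the feature as I know it; the organization IDs are placeholders.

```python
"""Organization restriction header: build it and replicate the check.

The header value is base64 of compact JSON naming the organizations a
request may target. Google enforces it server-side; the replica here
lets a team test a policy offline.
"""
import base64
import json

HEADER_NAME = "X-Goog-Allowed-Resources"
OWN_ORG = "organizations/123456789012"   # placeholder, not a real organization ID


def build_header_value(allowed_orgs, options="strict"):
    """Encode the policy the way the header expects: base64 over compact JSON."""
    policy = {"organizations": list(allowed_orgs), "options": options}
    return base64.b64encode(json.dumps(policy, separators=(",", ":")).encode()).decode()


def parse_header_value(value):
    """Decode a header value and reject anything that is not a well-formed policy."""
    policy = json.loads(base64.b64decode(value, validate=True))
    orgs = policy.get("organizations")
    if not isinstance(orgs, list) or not orgs or not all(
        isinstance(o, str) and o.startswith("organizations/") for o in orgs
    ):
        raise ValueError("malformed organization restriction policy")
    return policy


def request_allowed(header_value, target_org):
    """Local replica of the server-side decision: the target organization must be listed.

    A missing header means the egress proxy is not attaching the policy, so the
    request would reach Google unrestricted; treat that as a misconfiguration
    rather than silently allowing it here.
    """
    if header_value is None:
        raise ValueError("no organization restriction header on an egress request")
    return target_org in parse_header_value(header_value)["organizations"]


if __name__ == "__main__":
    value = build_header_value([OWN_ORG])
    print(f"{HEADER_NAME}: {value}")
    print("own org allowed:", request_allowed(value, OWN_ORG))
    print("foreign org allowed:", request_allowed(value, "organizations/999999999999"))
```

The restriction only helps when all traffic to Google APIs leaves through the proxy that adds the header; an identity used from a network the proxy does not cover is unaffected, which is why Google pairs this recommendation with VPC Service Controls on the perimeter side.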

The disclosure comes as Sysdig uncovered a sophisticated attack campaign, dubbed SCARLETEEL, that targets “lockdown” environments to steal proprietary data and software.