Detection Opportunities

The Anatomy of a Google Cloud (GCP) Cryptomining Attack | EP. 2



GCP Service Accounts are interesting cloud identities. Let's review how they contributed to a cryptocurrency mining attack in this case.




_____________

🧬 EPISODE RESOURCES

🔹 How a Compromised AWS Lambda Function Led to a Phishing Attack

🔹 GCP Lateral Movement & PrivEsc

🔹 GCP Service Accounts

🔹 DEFCON 30 Cloud Village - Weather Proofing GCP Defaults

🔹 GCP IAM basic and predefined roles reference


_____________

⏰ TIMESTAMPS

00:00 How GCP Service Accounts Work

02:12 Initial Access - Stolen Service Account Credentials

02:52 Attack Flow

03:33 Privilege Escalation - Permission Upgrades

03:50 Detection Opportunity 1

04:04 Defense Evasion - Firewall Rule Modification

05:19 Detection Opportunity 2

05:38 1,600 VMs created during attack

05:51 Persistence - New Token Creations

06:16 Final Thoughts


_____________

⚡️ JOIN 6,000+ CWX MEMBERS ON DISCORD

📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER

🥶 CYBERWOX MERCH



_____________

🧬 CYBERWOX RESOURCES

🔹 Cyberwox Cybersecurity Notion Templates for planning your career

🔹 Cyberwox Best Entry-Level Cybersecurity Resume Template

🔹 Learn AWS Threat Detection with my LinkedIn Learning Course



_____________

📱 LET'S CONNECT

IG

Threads

Substack

Twitter

LinkedIn

TikTok

Email: [email protected]



_____________

⚠️DISCLAIMER

This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!



Detection Opportunities, by CYBERWOX