Full Report
A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.
Analysis Summary
# Tool/Technique: Google Cloud Build Misuse (Bad.Build Vector)
## Overview
This technique describes the exploitation of Google Cloud Platform's (GCP) Continuous Integration/Continuous Deployment (CI/CD) service, Cloud Build, to execute malicious actions within a GCP project. An adversary leverages the permissions granted to the Cloud Build Service Account (SA) to perform reconnaissance, data exfiltration, or data destruction/manipulation, often by triggering malicious build jobs via repository commits or direct CLI invocation. Orca Security named the associated supply chain risk "Bad.Build."
## Technical Details
- Type: Technique/Exploitation Vector
- Platform: Google Cloud Platform (GCP)
- Capabilities: Execution of arbitrary `gcloud` CLI commands as the Cloud Build Service Account, leading to data discovery, data encryption (using controlled keys), and potential supply chain compromise via Artifact Registry manipulation.
- First Seen: Research published around February 2025 (Orca Security and Talos reports).
## MITRE ATT&CK Mapping
- T1078.004 - Valid Accounts: Cloud Accounts
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (through the compromise of CI/CD pipelines).
## Functionality
### Core Capabilities
- **Command Execution:** Ability to execute any `gcloud` command that the configured Cloud Build Service Account (SA) possesses permissions for.
- **Initial Access via CI/CD:** Triggering malicious builds by committing code or merging pull requests in a configured GitHub repository.
- **Data Management Abuse:** Using permissions such as `storage.*` to interact with Cloud Storage without producing log entries that stand out as anomalous with respect to the encryption method used. This includes uploading data encrypted with customer-provided keys that the adversary controls.
### Advanced Features
- **Data Destruction/Ransom Potential:** Encrypting objects in Cloud Storage using customer-provided encryption keys, effectively locking legitimate owners out of the data where versioning/soft delete is disabled or bypassed.
- **Supply Chain Attack Vector:** Modifying application code or deployment artifacts stored in GCP Artifact Registry via malicious build steps (as detailed in Orca Security's research).
- **Reconnaissance:** Using the execution context to discover permission assignments within the GCP project (identified by Orca Security).
## Indicators of Compromise
- File Hashes: [Not applicable as this is a vector utilizing legitimate service functionality]
- File Names: `cloudbuild.yaml` (Modified build configuration file)
- Registry Keys: [Not applicable]
- Network Indicators: [Not explicitly detailed beyond interaction with GCP APIs]
- Behavioral Indicators:
  - Cloud Build jobs running actions inconsistent with the stated purpose of the pipeline (e.g., excessive `gcloud storage ls`, `gcloud projects get-iam-policy`, `gcloud storage cp --encryption-key=...`).
  - Unexpected events of type `storage.objects.create`, which lack contextual indicators of whether a customer-provided encryption key was used.
## Associated Threat Actors
- The research describes the *potential* for threat actors to utilize this vector, but no specific threat groups are definitively linked to the techniques described in the Talos/Orca research summaries provided.
## Detection Methods
- **Signature-based detection:** Unlikely, as the attack uses legitimate CLI tools and service APIs.
- **Behavioral detection:** Creating an anomaly model to flag when the default Cloud Build SA performs actions outside its established baseline.
- **YARA rules:** [Not applicable]
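
A minimal form of the behavioral detection above, as an added example (not code from the Talos or Orca research): it learns what the Cloud Build SA normally does from audit log lines and flags anything outside that baseline. The log entries, project number and bucket names are constructed; the field names follow the Cloud Audit Logs `protoPayload` layout.

```python
import json

# Constructed sample data in Cloud Audit Logs shape. The project number, bucket
# and object names are placeholders, not values from the Talos or Orca research.
BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"
GCS, CRM = "storage.googleapis.com", "cloudresourcemanager.googleapis.com"

def _entry(ts, service, method, resource, who=BUILD_SA):
    return json.dumps({"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": who},
        "serviceName": service, "methodName": method, "resourceName": resource}})

BASELINE_LOG = [  # what the pipeline normally does
    _entry("2025-01-10T09:00:00Z", GCS, "storage.objects.get", "projects/_/buckets/build-src/objects/app.tgz"),
    _entry("2025-01-10T09:05:00Z", GCS, "storage.objects.create", "projects/_/buckets/build-out/objects/app.bin"),
]
NEW_LOG = [  # a later build that also shows the behavioral indicators listed above
    _entry("2025-02-01T09:05:00Z", GCS, "storage.objects.create", "projects/_/buckets/build-out/objects/app.bin"),
    _entry("2025-02-01T09:06:00Z", CRM, "GetIamPolicy", "projects/example-project"),
    _entry("2025-02-01T09:07:00Z", GCS, "storage.objects.list", "projects/_/buckets/finance-data"),
    _entry("2025-02-01T09:08:00Z", GCS, "storage.objects.create", "projects/_/buckets/finance-data/objects/q1.csv"),
    _entry("2025-02-01T09:09:00Z", GCS, "storage.objects.list", "projects/_/buckets/finance-data", who="alice@example.com"),
]

def scope(line):
    """Parse one JSON log line into (timestamp, principal, service, method, target)."""
    entry = json.loads(line)
    p = entry["protoPayload"]
    parts = p.get("resourceName", "").split("/")
    # Collapse object paths to their bucket so per-object names do not defeat the baseline.
    target = parts[parts.index("buckets") + 1] if "buckets" in parts[:-1] else "/".join(parts)
    return (entry["timestamp"], p["authenticationInfo"]["principalEmail"],
            p["serviceName"], p["methodName"], target)

def build_baseline(lines, sa):
    """Set of (service, method, target) tuples the SA was seen performing."""
    return {s[2:] for s in map(scope, lines) if s[1] == sa}

def flag_anomalies(lines, sa, baseline):
    """Return (timestamp, reason, method, target) for SA actions outside the baseline."""
    known_methods = {(svc, method) for svc, method, _ in baseline}
    findings = []
    for ts, who, svc, method, target in map(scope, lines):
        if who != sa or (svc, method, target) in baseline:
            continue
        # The create event does not reveal the encryption method, so key on method and target.
        reason = "new-target" if (svc, method) in known_methods else "new-method"
        findings.append((ts, reason, method, target))
    return findings
```

Object-level events such as `storage.objects.create` only appear in the logs when Data Access audit logs are enabled for Cloud Storage, so the baseline is only as complete as the logging configuration.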
## Mitigation Strategies
- **Principle of Least Privilege:** Assigning the Cloud Build SA the lowest necessary privilege set required for its specific environment, minimizing the impact if compromised.
- **CI/CD Configuration Review:** Reviewing repository configurations that trigger Cloud Build.
- **Mandatory Approval:** Requiring manual approval for builds triggered by Pull Requests (PRs).
- **Code Commits:** Avoiding direct code commits to sensitive repositories, so that changes are forced through PRs.
- **Storage Hardening:** Enabling **Object Versioning** and **Soft Delete** on Cloud Storage buckets to allow rollback after malicious encryption or deletion attempts.
## Related Tools/Techniques
- `gcloud` CLI: The primary tool used to run commands within the Cloud Build context.
- GitHub `gh` CLI: Tool used in the research environment for repository management, potentially related to Initial Access.
- T1078.004 (Valid Accounts: Cloud Accounts)
- T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)