Google Cloud’s security model differs in many ways from AWS’s. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud APIs. Instead of defaulting to no capabilities, permissions are granted to default identities. One default permission these identities hold is called actAs, which allows a service, by default, to assume the identity of every service account in its project; many of those service accounts typically have role bindings into other projects and across an organization’s resources.
In this talk, we’ll demonstrate several techniques for identity compromise via the actAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation.
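As an added defender-side example (not part of the talk or its released tools), the following Python audits a project IAM policy export for project-wide bindings that carry the actAs permission and flags the default service accounts among them; the set of predefined roles checked, the constructed sample policy and every identity in it are assumptions.

```python
# Audit a GCP project IAM policy for project-wide grants of
# iam.serviceAccounts.actAs. Input is the JSON that
# `gcloud projects get-iam-policy PROJECT --format=json` prints.
import json
import re

# Predefined roles that include iam.serviceAccounts.actAs; custom roles
# would need their permission lists checked separately (not done here).
ACTAS_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountUser"}

# Default service accounts every project gets; project-wide actAs for these
# is the pattern the talk describes.
DEFAULT_SA_RE = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[\w-]+@appspot)\.gserviceaccount\.com$"
)

def find_actas_grants(policy: dict) -> list[dict]:
    """One finding per (member, role) pair that grants actAs at project scope."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in ACTAS_ROLES:
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "default_sa": bool(DEFAULT_SA_RE.match(member)),
                # Conditional bindings still grant actAs when the condition holds.
                "conditional": "condition" in binding,
            })
    return findings

# Constructed sample policy: project number, project ID and group are made up.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:example-proj@appspot.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["group:data-eng@example.com"],
     "condition": {"title": "office-hours", "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for f in find_actas_grants(SAMPLE_POLICY):
        print(f"{f['role']:<32} {f['member']}" + (" (default SA)" if f["default_sa"] else ""))
```

Run it against a real export with `python audit.py < policy.json`-style adaptation, or import `find_actas_grants` into a larger org-wide sweep; bindings on individual service accounts (not project-level) are out of scope here.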
By Dylan Ayrey & Allison Donovan
Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefings/schedule/#lateral-movement-and-privilege-escalation-in-gcp-compromise-any-organization-without-dropping-an-implant-19435