IAM Concerned: OAuth Token Hijacking in Google Cloud (GCP)

Presented at Black Hat Europe 2020 Virtual, Dec. 9, 2020, 2:20 p.m. (40 minutes)

<span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Imagine you've protected your production Google Cloud environment from compromised credentials, using MFA and a hardware security key. However, you find that your GCP environment has been breached through hijacking of OAuth session tokens cached by gcloud access. Tokens were exfiltrated and used to invoke API calls from another host. The tokens were refreshed by the attacker and did not require MFA. Detecting the breach via Strackdriver was confusing, slowing incident response. <span style="background-color: initial;" data-mce-style="background-color: initial;">And there are multiple confusing options to revoking the active OAuth sessions and most do not work, causing further delays in remediation.</span></span><br><br><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">This talk will demonstrate a compromised credential attack in Google Cloud Platform by:</span><br><ul><li><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">hijacking cached OAuth tokens stored on a GCP administrator's client machine and</span></li><li><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">reusing existing gcloud CLI sessions to gain access to multiple GCP environments</span></li><li>showing that MFA does not apply to OAuth token refreshes for cached credentials (only the initial login)</li></ul><br>We will then discuss various approaches and challenges to defending:<br><br>Prevention<br>MFA is not required to refresh the OAuth token. Google cloud session timeout (GSuite Admin) is effective and should be set. IP whitelisting (using VPC Service Controls and Access Context Manager) should be used but is not well understood. Explicit client-side revocation of cached accounts by the user can help but is manual and unreliable.<br><br>Detection <br>OAuth token values are not logged in Stackdriver logging, nor in G Suite Audit logs, meaning that suspicious behavior can be tracked to the account but not the token itself, causing more confusion during incident response, as well as limiting remediation options.<br><br>Remediation<br>OAuth tokens can be revoked, but there are multiple options, some of which are not useful/effective as they do not affect API/CLI sessions or require an OAuth token, which is not logged.

Presenters:

• Jenko Hwong - Security Researcher, Netskope, Inc.
  Jenko Hwong is on the Threat Research Team at Netskope, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and Windows security.

Links:

• https://www.blackhat.com/eu-20/briefings/schedule/#iam-concerned-oauth-token-hijacking-in-google-cloud-gcp-21290

Similar Presentations:

• Black Hat Europe 2018 / The Mummy 2018 – Microsoft Accidentally Summons Back Ugly Attacks from the Past
• Black Hat Europe 2020 Virtual / Circumventing the Guardians: How the Security Features in State-of-the-Art TLS Inspection Solutions can be Exploited for Covert Data Exfiltration
• Black Hat USA 2019 / Biometric Authentication Under Threat: Liveness Detection Hacking