Suspicious GCP API calls indicating Cloud Run service creation
Description
AlphaSOC detected the creation of a new Google Cloud Run service. Cloud Run allows deployment of containerized applications that run on demand. Attackers may deploy malicious services for persistence, cryptomining, or command and control operations.
Impact
Unauthorized Cloud Run services can execute arbitrary code within your GCP environment. Attackers may deploy cryptominers to consume compute resources, stand up command and control infrastructure behind a Google-owned domain, or create backdoors for persistent access. Because every Cloud Run service runs as a service account (the project's default compute service account unless one is specified), a malicious service can also use that identity's IAM permissions to read data, exfiltrate it, or pivot to other resources.
Severity
| Severity | Condition |
|---|---|
| Informational | Cloud Run service created |
| Low | Cloud Run service created with anomalous behavioral patterns |
| Medium | Cloud Run service created in suspicious context |
Investigation and Remediation
Review Cloud Audit Logs (Admin Activity) for the run.googleapis.com service and the google.cloud.run.v1.Services.CreateService method (deployments made through the v2 Admin API log google.cloud.run.v2.Services.CreateService instead). From the entry, identify the principal that created the service, the caller IP and user agent, the container image being deployed, and the runtime service account the service will run as. Verify the service was created by authorized personnel or a known CI/CD identity for a legitimate purpose.
If unauthorized, immediately delete the Cloud Run service and revoke the credentials used to create it. Investigate the container image for malicious content, and review the runtime service account's IAM bindings and recent activity in case it was used to pivot. Check the service's request logs for inbound traffic and review billing and usage data for any cryptomining or unusual resource consumption.
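The triage described above, as an added example that is not AlphaSOC's detection code: it takes a Cloud Audit Log entry as a Python dict, confirms it is a Cloud Run CreateService call (v1 or v2), pulls out the creator, caller IP, image and runtime service account, and scores the "suspicious context" conditions from the Severity table against per-organization allowlists. The allowlists (TRUSTED_REGISTRIES, TRUSTED_DEPLOYERS, TRUSTED_CALLER_NETWORKS) and both sample entries are constructed; the request payload shapes (a Knative Service manifest for v1, a CreateServiceRequest with serviceId and service for v2) are assumptions to check against your own logs.

```python
"""Triage Cloud Audit Log entries for Cloud Run CreateService calls (added example)."""
import ipaddress
import json
from dataclasses import asdict, dataclass, field

# Hypothetical per-organization allowlists; tune these to your environment.
TRUSTED_REGISTRIES = ("us-docker.pkg.dev/acme-prod/", "gcr.io/acme-prod/")
TRUSTED_DEPLOYERS = {"deploy-bot@acme-prod.iam.gserviceaccount.com"}
TRUSTED_CALLER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
CREATE_METHODS = {
    "google.cloud.run.v1.Services.CreateService",
    "google.cloud.run.v2.Services.CreateService",
}


@dataclass
class Finding:
    principal: str
    caller_ip: str
    service: str
    images: list
    service_account: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Plain creation is Informational; anomalies raise it toward Medium.
        if not self.reasons:
            return "Informational"
        return "Low" if len(self.reasons) == 1 else "Medium"


def _v1_request(req: dict):
    # v1 (assumed shape): `request` is the Knative Service manifest.
    spec = req.get("spec", {}).get("template", {}).get("spec", {})
    images = [c.get("image", "") for c in spec.get("containers", [])]
    return req.get("metadata", {}).get("name", ""), images, spec.get("serviceAccountName", "")


def _v2_request(req: dict):
    # v2 (assumed shape): `request` is CreateServiceRequest {parent, serviceId, service}.
    tmpl = req.get("service", {}).get("template", {})
    images = [c.get("image", "") for c in tmpl.get("containers", [])]
    return req.get("serviceId", ""), images, tmpl.get("serviceAccount", "")


def triage(entry: dict):
    """Return a Finding for a Cloud Run CreateService entry, or None for anything else."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    if p.get("serviceName") != "run.googleapis.com" or method not in CREATE_METHODS:
        return None
    parse = _v1_request if ".v1." in method else _v2_request
    name, images, sa = parse(p.get("request", {}))
    f = Finding(
        principal=p.get("authenticationInfo", {}).get("principalEmail", ""),
        caller_ip=p.get("requestMetadata", {}).get("callerIp", ""),
        service=name, images=images, service_account=sa,
    )
    if f.principal not in TRUSTED_DEPLOYERS:
        f.reasons.append(f"created by non-pipeline identity {f.principal}")
    for img in images:
        if not img.startswith(TRUSTED_REGISTRIES):
            f.reasons.append(f"image outside trusted registries: {img}")
    # No service account in the spec means Cloud Run uses the default compute SA.
    if not sa or sa.endswith("-compute@developer.gserviceaccount.com"):
        f.reasons.append("runs as default compute service account")
    try:
        ip = ipaddress.ip_address(f.caller_ip)
        if not any(ip in net for net in TRUSTED_CALLER_NETWORKS):
            f.reasons.append(f"caller IP {ip} outside known networks")
    except ValueError:
        f.reasons.append("caller IP missing or unparseable")
    return f


# Constructed sample entries (not real logs).
LEGIT = {"protoPayload": {
    "serviceName": "run.googleapis.com",
    "methodName": "google.cloud.run.v1.Services.CreateService",
    "authenticationInfo": {"principalEmail": "deploy-bot@acme-prod.iam.gserviceaccount.com"},
    "requestMetadata": {"callerIp": "203.0.113.10"},
    "request": {"metadata": {"name": "checkout-api"}, "spec": {"template": {"spec": {
        "containers": [{"image": "us-docker.pkg.dev/acme-prod/apps/checkout:1.4.2"}],
        "serviceAccountName": "checkout-api@acme-prod.iam.gserviceaccount.com"}}}}}}

SUSPICIOUS = {"protoPayload": {
    "serviceName": "run.googleapis.com",
    "methodName": "google.cloud.run.v2.Services.CreateService",
    "authenticationInfo": {"principalEmail": "jdoe@acme.example"},
    "requestMetadata": {"callerIp": "198.51.100.77"},
    "request": {"parent": "projects/acme-prod/locations/us-central1", "serviceId": "svc-a1b2",
                "service": {"template": {"containers": [{"image": "docker.io/someuser/helper:latest"}]}}}}}

if __name__ == "__main__":
    for entry in (LEGIT, SUSPICIOUS):
        finding = triage(entry)
        print(json.dumps({**asdict(finding), "severity": finding.severity}, indent=2))
```

In production you would feed `triage` the JSON from `gcloud logging read` or a Pub/Sub log sink rather than inline dicts; the allowlist checks are deliberately simple so that each reason maps to a field an analyst can confirm directly in the audit entry.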
Known False Positives
- Legitimate application deployments by development teams
- CI/CD pipelines deploying new services