GCP API calls indicating Cloud Run service modification
Description
AlphaSOC detected modifications to an existing Google Cloud Run service. Attackers may modify existing services to inject malicious code, change configurations, or replace container images with compromised versions.
Impact
Modified Cloud Run services can execute attacker-controlled code while appearing to be legitimate applications. Attackers may inject backdoors, modify application logic to exfiltrate data, or change environment variables to capture credentials.
Severity
| Severity | Condition |
|---|---|
| Informational | Cloud Run service modified |
| Low | Cloud Run service modified with anomalous behavioral patterns |
| Medium | Cloud Run service modified in suspicious context |
Investigation and Remediation
Review GCP audit logs for the Cloud Run ReplaceService action to identify who modified the service and what changes were made. Compare the current container image with previous versions to identify unauthorized modifications.
If unauthorized, roll back the service to a known good revision and investigate the source of the compromise. Review the container image for malicious content and audit any data processed by the service during the compromise period.
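The triage steps above (who issued ReplaceService, and how the image and environment differ from the previous state), as an added example that is not AlphaSOC's detection code: it walks constructed Cloud Audit Log entries in logged order and flags the checks an analyst would raise. The Cloud Run methodName, the request layout, the deployer allowlist and the trusted registry prefix are assumptions.

```python
# Assumed audit-log methodName for a Cloud Run Admin API v1 service replacement.
REPLACE_SERVICE = "google.cloud.run.v1.Services.ReplaceService"
TRUSTED_DEPLOYERS = {"ci-deployer@example-project.iam.gserviceaccount.com"}  # assumed allowlist
TRUSTED_REGISTRIES = ("gcr.io/example-project/",)  # assumed: where our images should come from

def make_entry(principal, image, env):
    """Build a constructed audit entry (not real data) with only the fields triage uses."""
    return {"protoPayload": {"methodName": REPLACE_SERVICE,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": "namespaces/example-project/services/api",
        "request": {"spec": {"template": {"spec": {"containers": [
            {"image": image, "env": [{"name": k, "value": v} for k, v in env.items()]}]}}}}}}

# Two modifications of one service, in logged order: a routine CI deploy, then a change by
# an unexpected principal that swaps the image for an external one and adds an env var.
SAMPLE_ENTRIES = [
    make_entry("ci-deployer@example-project.iam.gserviceaccount.com",
               "gcr.io/example-project/api:v2", {"LOG_LEVEL": "info"}),
    make_entry("alice@example.com", "docker.io/unknown/api:latest",
               {"LOG_LEVEL": "info", "DEBUG_ENDPOINT": "https://placeholder.invalid/"}),
]

def _container(entry):
    """Image and env map of the first container in the submitted service spec."""
    c = entry["protoPayload"]["request"]["spec"]["template"]["spec"]["containers"][0]
    return c["image"], {e["name"]: e.get("value", "") for e in c.get("env", [])}

def triage_replace_service(entries, trusted_principals=TRUSTED_DEPLOYERS,
                           trusted_registries=TRUSTED_REGISTRIES):
    """Report who modified which service and which checks fired, comparing each entry with the previously logged state."""
    last_seen, findings = {}, []
    for entry in entries:
        p = entry["protoPayload"]
        if p["methodName"] != REPLACE_SERVICE:
            continue  # other Cloud Run actions are out of scope for this detection
        principal, service = p["authenticationInfo"]["principalEmail"], p["resourceName"]
        image, env = _container(entry)
        flags = []
        if principal not in trusted_principals:
            flags.append("principal_not_in_deploy_allowlist")
        if not image.startswith(trusted_registries):
            flags.append("image_outside_trusted_registry")
        if service in last_seen:  # compare with the last known state of this service
            prev_image, prev_env = last_seen[service]
            if prev_image != image:
                flags.append(f"image_changed:{prev_image}->{image}")
            if added := sorted(set(env) - set(prev_env)):
                flags.append("env_added:" + ",".join(added))
        last_seen[service] = (image, env)
        findings.append({"principal": principal, "service": service, "flags": flags})
    return findings
```

Calling `triage_replace_service(SAMPLE_ENTRIES)` yields no flags for the CI deploy and four flags for the second entry; in practice the entries would come from a Cloud Logging export filtered on the ReplaceService method.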
Known False Positives
- Regular application updates and deployments
- CI/CD pipelines updating services
- Configuration changes for scaling or performance