Unexpected GCP API calls indicating DNS zone modification
Description
AlphaSOC detected modification or deletion of a GCP Cloud DNS managed zone via
dns.managedZones.delete or dns.managedZones.patch. DNS zones control domain
name resolution for the organization's domains.
Adversaries may modify DNS zones to redirect traffic to attacker-controlled servers, enabling phishing, credential theft, or man-in-the-middle attacks. Zone deletion causes DNS resolution failures, resulting in service outages.
Impact
DNS zone modifications can redirect legitimate traffic to malicious infrastructure, enabling credential theft, data interception, or malware delivery. Zone deletion causes immediate DNS resolution failures for all records in the zone, resulting in widespread service disruption.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the dns.managedZones.delete or
dns.managedZones.patch actions. Identify what changes were made and the
principal responsible.
If unauthorized, restore the DNS zone configuration from backup or recreate deleted zones. Review DNS records for unauthorized modifications. Investigate any traffic that may have been redirected during the incident. Rotate credentials for the compromised identity.
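The audit-log review above, as an added example that is not part of AlphaSOC's own detection code: it filters Cloud Audit Log entries to dns.managedZones.delete and dns.managedZones.patch, extracts the principal, caller and patched zone fields, and applies the severity table by counting properties (action, ASN, user agent, region) outside an assumed baseline. The log entries, the IP-to-ASN/region table and the baseline values are all constructed for the example.

```python
import json

# Constructed Cloud Audit Log entries (not real logs), one JSON object per line,
# laid out like GCP's protoPayload for dns.googleapis.com calls.
SAMPLE_LOG = """
{"protoPayload": {"serviceName": "dns.googleapis.com", "methodName": "dns.managedZones.patch", "resourceName": "projects/example-prj/managedZones/corp-zone", "authenticationInfo": {"principalEmail": "iac-pipeline@example-prj.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Terraform/1.6"}, "request": {"dnssecConfig": {"state": "on"}}}}
{"protoPayload": {"serviceName": "dns.googleapis.com", "methodName": "dns.managedZones.patch", "resourceName": "projects/example-prj/managedZones/corp-zone", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/460.0.0"}, "request": {"description": "temporary edit"}}}
{"protoPayload": {"serviceName": "dns.googleapis.com", "methodName": "dns.managedZones.get", "resourceName": "projects/example-prj/managedZones/corp-zone", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/460.0.0"}}}
{"protoPayload": {"serviceName": "dns.googleapis.com", "methodName": "dns.managedZones.delete", "resourceName": "projects/example-prj/managedZones/corp-zone", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "curl/8.4.0"}, "request": {}}}
"""
# Constructed stand-in for a GeoIP/ASN lookup of the caller IP.
IP_INFO = {"203.0.113.10": ("AS64500", "US"), "198.51.100.7": ("AS64511", "DE")}
# Assumed baseline: zone patches come from the IaC pipeline's ASN, region and
# user agent; zone deletion is never routine. Tune to your own environment.
BASELINE = {"action": {"dns.managedZones.patch"}, "asn": {"AS64500"},
            "user_agent": {"Terraform/1.6"}, "region": {"US"}}
ZONE_METHODS = {"dns.managedZones.delete", "dns.managedZones.patch"}
LEVELS = {0: "none", 1: "Informational", 2: "Low"}  # three or more -> Medium


def summarize(entry, ip_info=IP_INFO):
    """Pull the fields an analyst needs from one zone delete/patch entry."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "dns.googleapis.com" or p.get("methodName") not in ZONE_METHODS:
        return None  # other services or read-only DNS calls are out of scope
    meta = p.get("requestMetadata", {})
    asn, region = ip_info.get(meta.get("callerIp"), ("unknown", "unknown"))
    return {
        "action": p["methodName"],
        "zone": p.get("resourceName"),
        "principal": p.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": meta.get("callerIp"),
        "asn": asn,
        "region": region,
        "user_agent": meta.get("callerSuppliedUserAgent"),
        "changed_fields": sorted(p.get("request", {})),  # zone fields the patch touched
    }


def severity(summary, baseline=BASELINE):
    # Count properties outside the baseline and map the count to the alert level.
    unexpected = sorted(k for k in baseline if summary.get(k) not in baseline[k])
    return LEVELS.get(len(unexpected), "Medium"), unexpected


def triage(log_text, baseline=BASELINE, ip_info=IP_INFO):
    # One finding per managed-zone delete/patch, with severity attached.
    findings = []
    for line in log_text.strip().splitlines():
        summary = summarize(json.loads(line), ip_info)
        if summary is not None:
            summary["severity"], summary["unexpected"] = severity(summary, baseline)
            findings.append(summary)
    return findings
```

Entries at "none" are routine IaC changes; the delete from an unfamiliar ASN, region and user agent scores Medium and names the principal whose credentials should be rotated.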