Unexpected GCP API calls indicating Pub/Sub subscription creation
Description
AlphaSOC detected creation of a GCP Pub/Sub subscription via
google.pubsub.v1.Subscriber.CreateSubscription. A subscription attaches to a topic
and receives its own copy of every message published to that topic from the moment
it exists, so an adversary who can create one gains a passive tap on the message
stream without touching the publishers or the existing consumers. A push
subscription can additionally forward each message to an HTTPS endpoint the
attacker controls. This can be used for data exfiltration, credential harvesting
from message streams, or establishing covert communication channels.
Impact
An unauthorized subscription lets the attacker read every message published to the topic after the subscription is created (and, if the topic has message retention configured, seek back into messages retained from before that), potentially exposing sensitive data, application events, or system notifications. Attackers may use this to intercept credentials, access tokens, or business data flowing through messaging infrastructure. Because each subscription receives its own copy of a message, legitimate consumers keep working and nothing visibly breaks, so the tap is easy to miss.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the GCP Cloud Audit Logs (Admin Activity) for the CreateSubscription action.
From the log entry identify the topic the subscription is attached to
(protoPayload.request.topic), the subscription configuration (in particular
pushConfig.pushEndpoint, and any bigqueryConfig or cloudStorageConfig that exports
messages to a sink the attacker can read), the responsible principal
(protoPayload.authenticationInfo.principalEmail), and the caller IP and user agent
(protoPayload.requestMetadata).
If unauthorized, immediately delete the subscription to stop message delivery, and take down or block any push endpoint or export sink it pointed at. Review the topic for sensitive data that may have been exposed during the window in which the subscription existed. Investigate the compromised identity for additional data collection activities, such as other subscriptions it created or pulls it performed. Restrict who holds pubsub.subscriptions.create on the project and pubsub.topics.attachSubscription on sensitive topics, and alert on further CreateSubscription calls from principals outside the expected deployment pipeline.
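The triage described above, as an added example that is not part of the AlphaSOC rule or product: a Python script that pulls the topic, principal, caller IP, user agent and any push endpoint or export sink out of Cloud Audit Log entries for CreateSubscription, counts how many of those properties fall outside a baseline, and grades the event with the severity table above. The log entries are constructed (in the real AuditLog field layout), the baseline is hypothetical, and using the caller's source network as a stand-in for AlphaSOC's ASN/region enrichment is an assumption.

```python
"""Triage Pub/Sub CreateSubscription audit entries and grade them with the severity
table above.  Added example; the baseline below is an assumption, not AlphaSOC logic."""
import ipaddress
import json

METHOD = "google.pubsub.v1.Subscriber.CreateSubscription"

# Constructed sample Cloud Audit Log entries (one JSON object per line), not real logs.
SAMPLE_LOG = '''
{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"pubsub.googleapis.com","methodName":"google.pubsub.v1.Subscriber.CreateSubscription","resourceName":"projects/acme-prod/subscriptions/orders-worker","authenticationInfo":{"principalEmail":"deploy@acme-prod.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"Terraform/1.7.5 terraform-provider-google/5.20.0"},"request":{"@type":"type.googleapis.com/google.pubsub.v1.Subscription","name":"projects/acme-prod/subscriptions/orders-worker","topic":"projects/acme-prod/topics/orders"}}}
{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"pubsub.googleapis.com","methodName":"google.pubsub.v1.Publisher.CreateTopic","resourceName":"projects/acme-prod/topics/audit","authenticationInfo":{"principalEmail":"deploy@acme-prod.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"Terraform/1.7.5 terraform-provider-google/5.20.0"},"request":{"@type":"type.googleapis.com/google.pubsub.v1.Topic","name":"projects/acme-prod/topics/audit"}}}
{"timestamp":"2024-05-01T23:41:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"pubsub.googleapis.com","methodName":"google.pubsub.v1.Subscriber.CreateSubscription","resourceName":"projects/acme-prod/subscriptions/orders-mirror","authenticationInfo":{"principalEmail":"j.doe@acme.example"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"},"request":{"@type":"type.googleapis.com/google.pubsub.v1.Subscription","name":"projects/acme-prod/subscriptions/orders-mirror","topic":"projects/acme-prod/topics/orders","pushConfig":{"pushEndpoint":"https://collector.example.net/hook"}}}}
{"timestamp":"2024-05-02T08:12:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"pubsub.googleapis.com","methodName":"google.pubsub.v1.Subscriber.CreateSubscription","resourceName":"projects/acme-prod/subscriptions/orders-bq","authenticationInfo":{"principalEmail":"deploy@acme-prod.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.9","callerSuppliedUserAgent":"curl/8.4.0"},"request":{"@type":"type.googleapis.com/google.pubsub.v1.Subscription","name":"projects/acme-prod/subscriptions/orders-bq","topic":"projects/acme-prod/topics/orders","bigqueryConfig":{"table":"acme-scratch.dump.orders"}}}}
'''

# Hypothetical baseline of what "expected" looks like for this project (an assumption; in
# practice it is learned from history).  Source network stands in for ASN/region here.
BASELINE = {
    "principals": {"deploy@acme-prod.iam.gserviceaccount.com"},
    "user_agent_prefixes": ("Terraform/", "google-cloud-sdk"),
    "networks": [ipaddress.ip_network("203.0.113.0/24")],  # CI egress range (TEST-NET-3)
}
# Number of unexpected properties -> severity, per the table above.
SEVERITY = {0: "Expected", 1: "Informational", 2: "Low", 3: "Medium"}


def parse_entries(text):
    """Parse one JSON audit entry per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_properties(finding, baseline):
    """Name the properties of a CreateSubscription call that fall outside the baseline."""
    out = []
    if finding["principal"] not in baseline["principals"]:
        out.append("principal")  # this actor does not normally perform the action
    if not (finding["user_agent"] or "").startswith(baseline["user_agent_prefixes"]):
        out.append("user_agent")
    try:
        ip = ipaddress.ip_address(finding["caller_ip"])
        if not any(ip in net for net in baseline["networks"]):
            out.append("source_network")
    except ValueError:  # callerIp may be absent or a placeholder such as "private"
        out.append("source_network")
    return out


def triage(entries, baseline=BASELINE):
    """Keep only CreateSubscription calls and extract what the investigation needs."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != METHOD:
            continue
        request = payload.get("request", {})
        meta = payload.get("requestMetadata", {})
        finding = {
            "subscription": payload.get("resourceName"),
            "topic": request.get("topic"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
            # Where copies of the messages are being sent, if anywhere beyond pull:
            "push_endpoint": request.get("pushConfig", {}).get("pushEndpoint"),
            "export_sinks": [k for k in ("bigqueryConfig", "cloudStorageConfig") if k in request],
        }
        finding["unexpected"] = unexpected_properties(finding, baseline)
        finding["severity"] = SEVERITY[min(len(finding["unexpected"]), 3)]
        findings.append(finding)
    return findings


def delete_command(finding):
    """The gcloud containment step for an unauthorized subscription (real CLI syntax)."""
    _, project, _, sub = finding["subscription"].split("/")
    return f"gcloud pubsub subscriptions delete {sub} --project {project}"


def run(text=SAMPLE_LOG, baseline=BASELINE):
    return triage(parse_entries(text), baseline)


if __name__ == "__main__":
    for f in run():
        print(json.dumps(f, indent=2))
        if f["severity"] != "Expected":
            print("  containment:", delete_command(f))
```

Real entries can be fetched with `gcloud logging read 'protoPayload.methodName="google.pubsub.v1.Subscriber.CreateSubscription"' --project PROJECT --format=json` and placed one per line before being handed to `parse_entries`. The push endpoint and export sink fields are the ones to read before deleting anything, because they say where the copied messages went and therefore what else has to be taken down.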