
GCP API calls indicating Pub/Sub subscription modification

ID: gcp_pubsub_subscription_modified
Data type: Google Cloud Platform
Severity: Low
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected modifications to a Google Cloud Pub/Sub subscription. Pub/Sub subscriptions control message delivery and can route data to external endpoints. Attackers may modify subscriptions to redirect messages to attacker-controlled destinations for data exfiltration or to disrupt message flow between services.

Impact

Compromised Pub/Sub subscriptions can redirect sensitive application data and messages to external locations. Push endpoint modifications may send data to attacker-controlled servers. Changes to delivery policies may cause message loss or delays, disrupting dependent services and potentially masking malicious activity.

Severity

Severity   Condition
Low        Pub/Sub subscription modification by a user for the first time

Investigation and Remediation

Review the specific changes made to the subscription configuration (for example, push endpoint, delivery policy, or acknowledgement deadline). Verify the identity of the user who made the modifications and confirm the action was authorized. Examine push endpoint URLs to ensure they point to legitimate internal services. If unauthorized changes are detected, revert the configuration and investigate potential data exfiltration via the modified endpoint.
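The triage steps above can be scripted against Cloud Audit Log entries. The following is an added example written for this page, not AlphaSOC's detection code: it reads constructed audit log lines, keeps only Pub/Sub subscription modifications (the `google.pubsub.v1.Subscriber.UpdateSubscription` and `ModifyPushConfig` method names are assumed from the Pub/Sub v1 API), records whether this is the user's first modification (the rule's Low condition), and flags any new push endpoint whose host is outside an assumed allowlist of internal domains so an analyst can prioritise it. The log entries, project, user and endpoint values are all constructed.

```python
import json
from urllib.parse import urlparse

# Subscription-modifying methods as they appear in protoPayload.methodName.
# Assumed names, taken from the Pub/Sub v1 Subscriber API (not from this page).
MODIFY_METHODS = {
    "google.pubsub.v1.Subscriber.UpdateSubscription",
    "google.pubsub.v1.Subscriber.ModifyPushConfig",
}

# Constructed allowlist of hostname suffixes considered legitimate internal targets.
ALLOWED_ENDPOINT_SUFFIXES = (".run.app", ".internal.example.com")

# Constructed sample Cloud Audit Log entries (not real logs), trimmed to the fields used.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.UpdateSubscription",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/demo-project/subscriptions/orders-sub",
        "request": {"subscription": {"pushConfig": {"pushEndpoint": "https://orders-worker-abc.run.app/push"}},
                    "updateMask": "pushConfig"}}}),
    json.dumps({"protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.ModifyPushConfig",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/demo-project/subscriptions/orders-sub",
        # ModifyPushConfig carries the subscription as a string and pushConfig at top level
        "request": {"subscription": "projects/demo-project/subscriptions/orders-sub",
                    "pushConfig": {"pushEndpoint": "https://203.0.113.10/collect"}}}}),
    json.dumps({"protoPayload": {
        "serviceName": "storage.googleapis.com",  # unrelated service, ignored
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "bob@example.com"}}}),
    json.dumps({"protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.UpdateSubscription",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/demo-project/subscriptions/orders-sub",
        # delivery-policy change only: no push endpoint in the request
        "request": {"subscription": {"ackDeadlineSeconds": 60}, "updateMask": "ackDeadlineSeconds"}}}),
]


def push_endpoint_from(entry):
    """Return the push endpoint URL carried by the modification request, or None."""
    req = entry.get("protoPayload", {}).get("request", {})
    sub = req.get("subscription")
    # UpdateSubscription nests pushConfig under a subscription object;
    # ModifyPushConfig names the subscription as a string and puts pushConfig at top level.
    push_config = sub.get("pushConfig") if isinstance(sub, dict) else req.get("pushConfig")
    return (push_config or {}).get("pushEndpoint")


def endpoint_is_internal(url, allowed=ALLOWED_ENDPOINT_SUFFIXES):
    """True when the endpoint's hostname matches one of the allowed suffixes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in allowed)


def review_subscription_changes(log_lines, allowed=ALLOWED_ENDPOINT_SUFFIXES):
    """Return one finding per Pub/Sub subscription modification, in log order."""
    seen_users = set()
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "pubsub.googleapis.com":
            continue
        if payload.get("methodName") not in MODIFY_METHODS:
            continue
        user = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        first_time = user not in seen_users  # the rule's Low-severity condition
        seen_users.add(user)
        endpoint = push_endpoint_from({"protoPayload": payload})
        findings.append({
            "user": user,
            "method": payload.get("methodName"),
            "subscription": payload.get("resourceName"),
            "push_endpoint": endpoint,
            "first_time_for_user": first_time,
            # triage hint: a push endpoint outside the allowlist deserves immediate review
            "endpoint_external": endpoint is not None and not endpoint_is_internal(endpoint, allowed),
        })
    return findings


def rule_alerts(findings):
    """Findings that satisfy this rule's condition: a user's first subscription modification."""
    return [f for f in findings if f["first_time_for_user"]]


if __name__ == "__main__":
    for f in review_subscription_changes(SAMPLE_LOG_LINES):
        print(f)
```

In a real investigation the `seen_users` baseline would come from historical audit logs rather than from the batch being examined, and the allowlist should reflect the endpoints the subscriber services are actually expected to use; an `endpoint_external` hit is the case where reverting the configuration and checking for exfiltrated messages matters most.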

Known False Positives

  • Legitimate updates to message delivery configurations
  • Scaling adjustments or performance tuning
  • Migration of subscriber services to new endpoints