Unexpected GCP API calls indicating Pub/Sub subscription modification
Description
AlphaSOC detected modifications to a Google Cloud Pub/Sub subscription via
google.pubsub.v1.Subscriber.UpdateSubscription. A subscription's configuration
controls how messages are delivered: a push subscription POSTs each message over
HTTPS to a configured endpoint, which need not be inside the project or
organization, and fields such as the acknowledgement deadline, retention and
dead-letter policy govern whether messages are kept or dropped. An attacker with
update rights on a subscription may repoint the push endpoint to a server they
control to exfiltrate message data, or alter delivery settings to disrupt
message flow between services.
Impact
Compromised Pub/Sub subscriptions can redirect sensitive application data and messages to external locations. Push endpoint modifications may send data to attacker-controlled servers. Changes to delivery policies may cause message loss or delays, disrupting dependent services and potentially masking malicious activity.
Severity
| Severity | Condition |
|---|---|
| Informational | GCP API calls indicating Pub/Sub subscription modification |
| Low | Unexpected GCP API calls indicating Pub/Sub subscription modification |
| Medium | Suspicious GCP API calls indicating Pub/Sub subscription modification |
Investigation and Remediation
Review the specific changes made to the subscription: the update mask in the audit log entry lists which fields changed (for example push config, acknowledgement deadline, retention, dead-letter policy or filter). Verify the identity of the principal who made the modification and confirm the action was authorized. Examine any push endpoint URL to ensure it uses HTTPS and points to a legitimate internal service rather than an external host. If unauthorized changes are detected, revert the configuration and investigate potential data exfiltration, including which messages were delivered to the rogue endpoint while the change was in effect.
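The triage steps above, written out as a small checker over Cloud Audit Log entries. This is an added example, not AlphaSOC's detection logic or Google's code; the log lines are constructed, and the expected principals and allowed push-endpoint hosts (`deploy-sa@acme-prod...`, `ingest.internal.example.com`, the `.run.app` suffix) are hypothetical values standing in for whatever an organization actually deploys. It only handles UpdateSubscription calls, extracts the update mask and push endpoint, and grades the entry along the lines of the severity table: unexpected principal raises it to low, a push endpoint off the allowlist or without HTTPS raises it to medium.

```python
"""Triage Cloud Audit Log entries for Pub/Sub UpdateSubscription calls (example)."""
import json
from urllib.parse import urlparse

UPDATE_METHOD = "google.pubsub.v1.Subscriber.UpdateSubscription"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2}

# Assumptions for this example (hypothetical, not from the page): principals
# expected to change subscriptions, and hosts a legitimate push endpoint may use.
EXPECTED_PRINCIPALS = {"deploy-sa@acme-prod.iam.gserviceaccount.com"}
ALLOWED_PUSH_HOSTS = {"ingest.internal.example.com"}
ALLOWED_HOST_SUFFIXES = (".run.app",)

# Subscription fields whose change can cause message loss or delay.
DELIVERY_POLICY_FIELDS = {
    "ack_deadline_seconds", "message_retention_duration", "retry_policy",
    "expiration_policy", "dead_letter_policy", "filter",
}

# Constructed audit log entries, abbreviated to the protoPayload fields used here.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "serviceName": "pubsub.googleapis.com", "methodName": UPDATE_METHOD,
        "authenticationInfo": {"principalEmail": "deploy-sa@acme-prod.iam.gserviceaccount.com"},
        "resourceName": "projects/acme-prod/subscriptions/orders-sub",
        "request": {"subscription": {"ackDeadlineSeconds": 60},
                    "updateMask": {"paths": ["ack_deadline_seconds"]}}}}),
    json.dumps({"protoPayload": {
        "serviceName": "pubsub.googleapis.com", "methodName": UPDATE_METHOD,
        "authenticationInfo": {"principalEmail": "contractor@gmail.com"},
        "resourceName": "projects/acme-prod/subscriptions/orders-sub",
        "request": {"subscription": {"pushConfig": {"pushEndpoint": "https://collector.example.net/p"}},
                    "updateMask": {"paths": ["push_config"]}}}}),
    json.dumps({"protoPayload": {  # mask rendered as a string, endpoint on an allowed suffix
        "serviceName": "pubsub.googleapis.com", "methodName": UPDATE_METHOD,
        "authenticationInfo": {"principalEmail": "deploy-sa@acme-prod.iam.gserviceaccount.com"},
        "resourceName": "projects/acme-prod/subscriptions/orders-sub",
        "request": {"subscription": {"pushConfig": {"pushEndpoint": "https://orders-abc123-uc.a.run.app/push"}},
                    "updateMask": "pushConfig"}}}),
    json.dumps({"protoPayload": {  # unrelated Pub/Sub call, must be ignored
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.Acknowledge",
        "authenticationInfo": {"principalEmail": "worker@acme-prod.iam.gserviceaccount.com"},
        "resourceName": "projects/acme-prod/subscriptions/orders-sub"}}),
]


def _snake(path):
    """Normalise a camelCase or snake_case field path to snake_case."""
    return "".join("_" + c.lower() if c.isupper() else c for c in path.strip())


def mask_paths(request):
    """Return the update mask as a set of snake_case paths.

    Assumed: the mask appears either as a FieldMask object ({"paths": [...]})
    or in protobuf JSON form ("pushConfig,ackDeadlineSeconds"); both are accepted.
    """
    mask = request.get("updateMask", {})
    raw = mask.split(",") if isinstance(mask, str) else mask.get("paths", [])
    return {_snake(p) for p in raw if p.strip()}


def host_allowed(host):
    return host in ALLOWED_PUSH_HOSTS or host.endswith(ALLOWED_HOST_SUFFIXES)


def classify(entry):
    """Return a finding for an UpdateSubscription entry, or None for other calls."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != UPDATE_METHOD:
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    request = payload.get("request", {})
    paths = mask_paths(request)
    sub = request.get("subscription", {})
    reasons, severity = [], "informational"

    def raise_to(level):
        nonlocal severity
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    if principal not in EXPECTED_PRINCIPALS:
        reasons.append(f"unexpected principal {principal}")
        raise_to("low")
    endpoint = sub.get("pushConfig", {}).get("pushEndpoint")
    if endpoint:
        url = urlparse(endpoint)
        if url.scheme != "https":
            reasons.append(f"push endpoint is not https: {endpoint}")
            raise_to("medium")
        if not host_allowed(url.hostname or ""):
            reasons.append(f"push endpoint host not on allowlist: {url.hostname}")
            raise_to("medium")
    elif "push_config" in paths:
        # Empty push config in the mask means the subscription reverts to pull.
        reasons.append("push config cleared; subscription reverts to pull delivery")
    touched = sorted(DELIVERY_POLICY_FIELDS & paths)
    if touched:
        reasons.append("delivery policy change: " + ", ".join(touched))
    return {"resource": payload.get("resourceName", ""), "principal": principal,
            "severity": severity, "paths": sorted(paths), "reasons": reasons}


def triage(lines):
    """Parse JSON log lines and return findings for every UpdateSubscription call."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f["severity"].upper(), f["resource"], f["principal"], "; ".join(f["reasons"]))
```

In practice the input would be the entries returned by `gcloud logging read` with a filter on `protoPayload.methodName`, and the principal and host allowlists would come from the deployment inventory rather than constants. Note that an HTTPS endpoint on an allowed host is still worth a glance: the check only tells you the destination is plausible, not that the change was authorized.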
Known False Positives
- Legitimate updates to message delivery configurations
- Scaling adjustments or performance tuning
- Migration of subscriber services to new endpoints