Unexpected GCP API calls indicating VPC network creation
Description
AlphaSOC detected the creation of a VPC network in GCP via the
compute.networks.insert API call. Adversaries may create new networks to
sidestep the security controls applied to existing networks, such as firewall
rules and VPC Service Controls. In GCP, firewall rules are attached to a
specific VPC network, so a newly created network starts with only the implied
rules (deny all ingress, allow all egress) unless a hierarchical firewall
policy on the folder or organization covers the project, and VPC Flow Logs are
off by default on any subnets it gains. Resources deployed in an
attacker-created network may therefore not be subject to the same policies,
logging, or monitoring as production networks.
Impact
Unauthorized VPC networks let an attacker deploy resources outside the controls that protect production networks. Such a network may lack appropriate firewall rules, flow logging, or monitoring, and a network created in auto mode receives a subnet in every region at once. An attacker can use the isolated network to stage malicious infrastructure, exfiltrate data, or reach command-and-control servers over its unrestricted egress.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the GCP Admin Activity audit logs for the compute.networks.insert call
(the methodName carries an API version prefix, for example
v1.compute.networks.insert, and the resource type is gce_network). Identify
the network configuration (auto or custom subnet mode, subnets, routes and
peerings), the firewall rules associated with it, and the principal, caller IP
and user agent responsible. Check what resources were deployed in the network.
If unauthorized, terminate any resources within the network first, since dependent resources such as instances block deletion, then delete the VPC network. Investigate the compromised identity for additional infrastructure provisioning and review its role bindings and keys.
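The following is an added example, not AlphaSOC's detection code, that applies the severity table above to Admin Activity audit-log entries and extracts the details the investigation step asks for (principal, caller IP, network name, subnet mode). The per-principal baseline, the caller-IP to ASN/region enrichment table and the log entries are constructed for illustration; the entries use the real protoPayload field layout of a GCP audit log.

```python
"""Triage GCP audit-log entries for compute.networks.insert.
Added example, not AlphaSOC's detection code: the baseline, the caller-IP
enrichment table and the audit-log entries are constructed for illustration."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical baseline of properties previously observed per principal.
BASELINE = {
    "terraform@prod-project.iam.gserviceaccount.com": {
        "action": {"compute.instances.insert", "compute.subnetworks.insert"},
        "asn": {15169}, "user_agent": {"Terraform/1.6.0"}, "region": {"us"}},
    "alice@example.com": {
        "action": {"compute.instances.list"},
        "asn": {15169}, "user_agent": {"Mozilla/5.0 Chrome/120.0"}, "region": {"us"}},
}
# Hypothetical caller-IP -> (ASN, region) lookup standing in for a GeoIP/ASN database.
IP_ENRICHMENT = {"34.120.0.10": (15169, "us"), "185.220.101.5": (60729, "de")}


@dataclass
class Finding:
    principal: str
    network: str
    caller_ip: str
    auto_create_subnetworks: bool
    unexpected: list = field(default_factory=list)
    severity: Optional[str] = None


def severity_for(unexpected_count: int) -> Optional[str]:
    """Map the count of unexpected properties onto the rule's severity table."""
    if unexpected_count == 0:
        return None
    return {1: "Informational", 2: "Low"}.get(unexpected_count, "Medium")


def score_event(entry: dict) -> Optional[Finding]:
    """Score one Admin Activity log entry; None unless it is a network insert."""
    pp = entry.get("protoPayload", {})
    # methodName carries the API version prefix, e.g. "v1.compute.networks.insert".
    if not pp.get("methodName", "").endswith("compute.networks.insert"):
        return None
    principal = pp["authenticationInfo"]["principalEmail"]
    meta = pp.get("requestMetadata", {})
    caller_ip = meta.get("callerIp", "")
    asn, region = IP_ENRICHMENT.get(caller_ip, (None, None))
    observed = {"action": "compute.networks.insert", "asn": asn,
                "user_agent": meta.get("callerSuppliedUserAgent", ""), "region": region}
    baseline = BASELINE.get(principal, {})
    unexpected = [k for k, v in observed.items() if v not in baseline.get(k, set())]
    request = pp.get("request", {})
    return Finding(
        principal=principal,
        network=request.get("name") or pp.get("resourceName", "").rsplit("/", 1)[-1],
        caller_ip=caller_ip,
        auto_create_subnetworks=bool(request.get("autoCreateSubnetworks", False)),
        unexpected=unexpected,
        severity=severity_for(len(unexpected)),
    )


def audit_log_filter(network: str) -> str:
    """Cloud Logging query (for `gcloud logging read`) that pulls the insert of one network."""
    return ('resource.type="gce_network" AND protoPayload.methodName:"compute.networks.insert" '
            f'AND protoPayload.resourceName:"/networks/{network}"')


def _entry(principal, ip, ua, method, name):
    """Minimal Admin Activity audit-log entry in the real field layout (constructed)."""
    return {"protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
        "resourceName": f"projects/prod-project/global/networks/{name}",
        "request": {"name": name, "autoCreateSubnetworks": True}}}


# Constructed samples: a routine IaC run, a suspicious creation, an unrelated instance insert.
SAMPLE_LOG = [
    _entry("terraform@prod-project.iam.gserviceaccount.com", "34.120.0.10",
           "Terraform/1.6.0", "v1.compute.networks.insert", "shared-vpc-2"),
    _entry("alice@example.com", "185.220.101.5",
           "google-api-python-client/2.100.0", "v1.compute.networks.insert", "tmp-net"),
    _entry("alice@example.com", "34.120.0.10", "Mozilla/5.0 Chrome/120.0",
           "v1.compute.instances.insert", "vm-1"),
]


def triage(entries: list) -> list:
    """Findings for every network-creation entry, in log order."""
    return [f for f in map(score_event, entries) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding.__dict__), "\n  filter:", audit_log_filter(finding.network))
```

Run as a script, the Terraform service account's creation scores Informational (only the action is new for that principal), while alice's creation from an unfamiliar ASN, region and client scores Medium. The filter string returned by audit_log_filter can be passed to `gcloud logging read` to retrieve the original entry for the network named in the finding.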