GCP API calls indicating VPC route creation
Description
AlphaSOC detected the creation of a new static route in a Google Cloud VPC network (the compute.routes.insert method in Cloud Audit Logs). Routes determine where packets leaving an instance are sent: a custom static route can direct a destination range to a next-hop instance, internal IP address, internal load balancer, VPN tunnel, or the internet gateway. Unauthorized route creation may enable traffic interception, redirect traffic through attacker-controlled instances, or facilitate data exfiltration by routing traffic to unmonitored destinations.
Impact
Malicious routes can redirect network traffic through attacker-controlled instances for interception or modification. Because GCP selects the route with the most specific destination first and breaks ties by priority (a lower number wins over the default of 1000), a route with a narrower destination or a lower priority value quietly overrides existing paths without touching them. Routes may also create network paths that bypass security controls or enable lateral movement between otherwise isolated network segments, and they can be used to establish covert communication channels.
Severity
| Severity | Condition |
|---|---|
| Low | First observed VPC route creation by this user |
Investigation and Remediation
Review the route configuration, including the destination range, priority, network, and next hop. A next hop that is an instance or an internal IP address deserves close scrutiny, especially when the destination is 0.0.0.0/0 or overlaps internal address space; note that a next-hop instance only forwards packets if IP forwarding (canIpForward) is enabled on it, so check that setting as well. Verify the identity of the principal who created the route (the caller IP address and user agent recorded in the audit log help here) and confirm the action was authorized. Examine whether the route creates unexpected network paths or bypasses security controls. If unauthorized, delete the route, review the next-hop instance for attacker tooling, and investigate the principal's account for compromise.
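The following is an added triage example, not part of the AlphaSOC page or product, showing how the checks above can be applied to compute.routes.insert audit log entries. The log lines are constructed samples in the shape of Admin Activity records (protoPayload.methodName, authenticationInfo.principalEmail, and the route resource under request); the field names under request follow the Compute Engine Route resource, and the severity escalation beyond the page's Low baseline is this example's own heuristic, not AlphaSOC's.

```python
import ipaddress
import json

# Private address space an attacker would steer to intercept east-west traffic.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
DEFAULT_PRIORITY = 1000  # GCP default for static routes; lower number wins

# Next-hop fields of the Route resource; the first three send traffic to
# something inside the VPC that could capture or modify it.
STEERING_HOPS = ("nextHopInstance", "nextHopIp", "nextHopIlb")
OTHER_HOPS = ("nextHopVpnTunnel", "nextHopGateway", "nextHopPeering")

# Constructed sample log lines (example data, not real audit records).
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.routes.insert",
        "authenticationInfo": {"principalEmail": "netops@example.com"},
        "request": {"name": "to-onprem", "destRange": "10.50.0.0/16",
                    "network": "projects/example-project/global/networks/prod",
                    "nextHopVpnTunnel": "projects/example-project/regions/us-central1/vpnTunnels/tunnel-1",
                    "priority": 1000}}}),
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.routes.insert",
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "request": {"name": "rt-tmp", "destRange": "0.0.0.0/0",
                    "network": "projects/example-project/global/networks/prod",
                    "nextHopInstance": "projects/example-project/zones/us-central1-a/instances/relay-1",
                    "priority": 100}}}),
    json.dumps({"protoPayload": {  # unrelated method, must be ignored
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "netops@example.com"},
        "request": {"name": "allow-ssh"}}}),
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.routes.insert",
        "authenticationInfo": {"principalEmail": "netops@example.com"},
        "request": {"name": "rt-inspect", "destRange": "10.0.0.0/8",
                    "network": "projects/example-project/global/networks/prod",
                    "nextHopIp": "10.10.0.5",
                    "priority": 1000}}}),
]


def parse_route_insert(line):
    """Return the route fields from one audit log line, or None if it is not a route insert."""
    payload = json.loads(line).get("protoPayload", {})
    if not payload.get("methodName", "").endswith("compute.routes.insert"):
        return None
    req = payload.get("request", {})
    hop_kind = next((k for k in STEERING_HOPS + OTHER_HOPS if k in req), None)
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "name": req.get("name"),
        "network": req.get("network"),
        "dest": ipaddress.ip_network(req["destRange"], strict=False),
        "next_hop_kind": hop_kind,
        "next_hop": req.get(hop_kind) if hop_kind else None,
        "priority": int(req.get("priority", DEFAULT_PRIORITY)),
    }


def assess_route(route, seen_principals):
    """Apply the investigation checks and return (severity, list of finding codes)."""
    findings = []
    if route["principal"] not in seen_principals:
        findings.append("first_seen_principal")  # the page's Low condition
    steered = route["next_hop_kind"] in STEERING_HOPS
    if steered and route["dest"].prefixlen == 0:
        findings.append("default_route_to_vm")  # all egress through a VM/ILB
    elif steered and any(route["dest"].overlaps(r) for r in PRIVATE_RANGES):
        findings.append("private_range_to_vm")  # east-west traffic through a VM/ILB
    if route["priority"] < DEFAULT_PRIORITY:
        findings.append("beats_default_priority")  # overrides existing routes on ties
    # Escalation heuristic (this example's assumption, not AlphaSOC's scoring).
    if "default_route_to_vm" in findings:
        severity = "High"
    elif "private_range_to_vm" in findings:
        severity = "Medium"
    elif findings:
        severity = "Low"
    else:
        severity = "Info"
    return severity, findings


def triage(log_lines, seen_principals):
    """Parse a batch of log lines and return one assessment dict per route insert."""
    seen = set(seen_principals)
    results = []
    for line in log_lines:
        route = parse_route_insert(line)
        if route is None:
            continue
        severity, findings = assess_route(route, seen)
        seen.add(route["principal"])
        results.append({"name": route["name"], "principal": route["principal"],
                        "dest": str(route["dest"]), "next_hop": route["next_hop"],
                        "severity": severity, "findings": findings})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG_LINES, {"netops@example.com"}):
        print(r["severity"], r["name"], r["principal"], r["dest"], "->", r["next_hop"], r["findings"])
```

The ordering of the two steering checks matters: 0.0.0.0/0 overlaps every private range, so the default-route check has to run first or every default route would be reported as a private-range redirect. Confirming that the next-hop instance actually forwards traffic (canIpForward) still requires a lookup against the instance itself, which this offline example does not do.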
Known False Positives
- Legitimate network infrastructure provisioning
- VPN or interconnect configurations
- Multi-region or hybrid cloud networking setups