Suspicious GCP API calls indicating VPC route creation
Description
AlphaSOC detected the creation of a new route in a Google Cloud VPC network via
v1.compute.routes.insert. Routes control how traffic flows between subnets and
to external networks. Unauthorized route creation may enable traffic
interception, redirect traffic through attacker-controlled instances, or
facilitate data exfiltration by routing traffic to unmonitored destinations.
Impact
Malicious routes can redirect network traffic through attacker-controlled instances for interception or modification. Routes may also create network paths that bypass security controls or enable lateral movement between otherwise isolated network segments. This technique can be used to establish covert communication channels.
Severity
| Severity | Condition |
|---|---|
| Informational | GCP API calls indicating VPC route creation |
| Low | Unexpected GCP API calls indicating VPC route creation |
| Medium | Suspicious GCP API calls indicating VPC route creation |
Investigation and Remediation
Review the route configuration in the audit log entry: the destination range (a 0.0.0.0/0 default route or a range that overlaps existing subnets is the most consequential), the next hop type (instance, IP address, internet gateway, VPN tunnel, or internal load balancer), the priority relative to existing routes (lower values win; the auto-created default route has priority 1000), and any instance tags that limit which VMs the route applies to. A route whose next hop is a VM deserves particular attention, since that VM must have IP forwarding enabled and can observe or modify everything sent through it. Verify the identity of the principal who created the route and confirm the action was authorized, for example against change tickets or infrastructure-as-code history. Examine whether the route creates unexpected network paths or bypasses security controls. If unauthorized, delete the route, inspect the next-hop instance if there is one, and investigate the principal's account for compromise.
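The checks above can be scripted over exported Cloud Audit Log entries. The following is an added example, not AlphaSOC's detection logic or code from this page: it parses newline-delimited JSON audit entries, keeps only v1.compute.routes.insert calls, pulls out the fields worth reviewing (principal, destination range, priority, next hop type) and assigns a tier loosely modelled on the severity table above. The field layout follows Compute Engine Admin Activity audit logs, the sample entries and the approved-principal allowlist are constructed, and the triage heuristics (default route, priority below 1000, VM next hop, unapproved principal) are an assumption chosen for illustration rather than a published rule.

```python
import ipaddress
import json

# Keys under protoPayload.request that name a route's next hop; a Route
# resource carries exactly one of them.
NEXT_HOP_KEYS = (
    "nextHopGateway", "nextHopInstance", "nextHopIp", "nextHopIlb",
    "nextHopVpnTunnel", "nextHopPeering", "nextHopNetwork",
)
DEFAULT_ROUTE_PRIORITY = 1000  # priority of the auto-created default route

# Constructed audit log entries (invented project, principals and routes).
# One JSON object per line, as in a JSONL export from Cloud Logging.
SAMPLE_LOG = """\
{"protoPayload": {"methodName": "v1.compute.routes.insert", "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"}, "resourceName": "projects/example-project/global/routes/to-onprem-vpn", "request": {"name": "to-onprem-vpn", "destRange": "10.50.0.0/16", "priority": 1000, "nextHopVpnTunnel": "projects/example-project/regions/us-central1/vpnTunnels/onprem-a"}}}
{"protoPayload": {"methodName": "v1.compute.routes.insert", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/example-project/global/routes/dev-nat", "request": {"name": "dev-nat", "destRange": "192.168.40.0/24", "priority": 1000, "nextHopGateway": "projects/example-project/global/gateways/default-internet-gateway"}}}
{"protoPayload": {"methodName": "v1.compute.routes.insert", "authenticationInfo": {"principalEmail": "contractor-tmp@example.com"}, "resourceName": "projects/example-project/global/routes/egress-all", "request": {"name": "egress-all", "destRange": "0.0.0.0/0", "priority": 900, "nextHopInstance": "projects/example-project/zones/us-central1-a/instances/relay-7", "tags": []}}}
{"protoPayload": {"methodName": "v1.compute.firewalls.insert", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/example-project/global/firewalls/x", "request": {"name": "x"}}}
"""

# Assumed allowlist: principals expected to provision routes (e.g. IaC).
APPROVED_PRINCIPALS = {"terraform@example-project.iam.gserviceaccount.com"}


def summarize_route_insert(entry):
    """Extract the review-relevant fields from one audit log entry, or return
    None if the entry is not a v1.compute.routes.insert call."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "v1.compute.routes.insert":
        return None
    req = payload.get("request", {})
    hop_type = next((k for k in NEXT_HOP_KEYS if k in req), None)
    name = req.get("name") or payload.get("resourceName", "").rsplit("/", 1)[-1]
    return {
        "route": name,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "dest_range": req.get("destRange", "0.0.0.0/0"),
        "priority": int(req.get("priority", DEFAULT_ROUTE_PRIORITY)),
        "next_hop_type": hop_type,
        "next_hop": req.get(hop_type) if hop_type else None,
    }


def triage(summary, approved_principals=APPROVED_PRINCIPALS):
    """Assumed tiering: Medium if the route looks like traffic steering,
    Low if only the principal is unexpected, Informational otherwise."""
    steering = []
    dest = ipaddress.ip_network(summary["dest_range"], strict=False)
    if dest.prefixlen == 0:
        steering.append("default route (0.0.0.0/0) captures all egress")
    if summary["priority"] < DEFAULT_ROUTE_PRIORITY:
        steering.append(f"priority {summary['priority']} overrides the default route")
    if summary["next_hop_type"] in ("nextHopInstance", "nextHopIp"):
        steering.append(f"next hop is a VM ({summary['next_hop']}); check IP forwarding and its role")
    unexpected = summary["principal"] not in approved_principals
    reasons = list(steering)
    if unexpected:
        reasons.append(f"created by unapproved principal {summary['principal']}")
    if steering:
        severity = "Medium"
    elif unexpected:
        severity = "Low"
    else:
        severity = "Informational"
    return severity, reasons


def triage_log(raw_jsonl, approved_principals=APPROVED_PRINCIPALS):
    """Triage every route insert in a JSONL export; other methods are skipped."""
    results = []
    for line in raw_jsonl.splitlines():
        if not line.strip():
            continue
        summary = summarize_route_insert(json.loads(line))
        if summary is None:
            continue
        severity, reasons = triage(summary, approved_principals)
        results.append((summary["route"], severity, reasons))
    return results


if __name__ == "__main__":
    for route, severity, reasons in triage_log(SAMPLE_LOG):
        print(f"{severity:<13} {route}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it against exported entries, one JSON object per line, and follow up on anything Medium with `gcloud compute routes describe ROUTE_NAME` to confirm the live configuration; `gcloud compute routes delete ROUTE_NAME` removes an unauthorized route once the next-hop instance has been preserved for forensics.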
Known False Positives
- Legitimate network infrastructure provisioning
- VPN or interconnect configurations
- Multi-region or hybrid cloud networking setups