Google Cloud Security Breach Incident Score: Analysis & Impact (GOO4332743111025)

This Rankiteo video explains how the company Google Cloud Security was affected by a breach that Rankiteo recorded on November 10, 2025.


Incident Summary

Rankiteo Incident Impact: -110
Company Score Before Incident: 210 / 1000
Company Score After Incident: 100 / 1000
Incident ID: GOO4332743111025
Type of Cyber Incident: Breach
Primary Vector: Phishing Emails, Malicious Text Messages (Smishing), Imposter Calls, Fraudulent Pop-ups, Infostealer Malware
Data Exposed: 394 million unique Gmail addresses, 183 million Gmail passwords (via infostealer malware)
First Detected by Rankiteo: November 10, 2025
Last Updated Score: November 25, 2025


Key Highlights From This Incident Analysis

  • Timeline of Google Cloud Security's breach and of lateral movement inside the company's environment.
  • Overview of the affected data sets (Gmail addresses and passwords exposed via infostealer malware) and why exposed credentials materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident affects Google Cloud Security's Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level for each technique.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Google Cloud Security breach identified under incident ID GOO4332743111025.

The analysis begins with an overview of Google Cloud Security's profile: its LinkedIn page (https://www.linkedin.com/company/googlecloudsecurity), 50,322 followers, the industry type Computer and Network Security, and 464 employees.

The video then explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company's score was 210 out of 1000 before the incident and 100 out of 1000 after it, a difference of -110, which indicates the severity and impact the engine assigned to the incident.

In the next step of the video, we analyze the incident in more detail, together with the impact it had on Google Cloud Security and its customers.

On 01 May 2024, Google (on behalf of Gmail users) disclosed social engineering, credential stuffing and phishing issues under the banner "Google Warns of Rising Scams and AI Misuse, Urges Gmail Users to Adopt Passkeys Over Passwords".

Google is urging Gmail users to transition from passwords to passkeys due to escalating global scam threats and AI misuse by organized crime groups, including Chinese gangs targeting mobile users with malicious texts.

The exposure is broad: 394 million unique Gmail addresses and 183 million Gmail passwords (harvested by infostealer malware) appear in the breached credential datasets, putting nearly 394,000,000 records at risk.

In response, Google moved swiftly to contain the threat with measures such as promoting passkey adoption and tightening monitoring of password-based sign-ins, and began remediation that includes encouraging users to delete their passwords, replacing 2-Step Verification (2SV) with passkeys, and integrating the Advanced Protection Program. Stakeholders are being briefed through public advisories via media (e.g., Fast Company), blog posts and user notifications.

The incident status is recorded as ongoing (no direct breach; proactive mitigation). The lessons recorded in the analysis are that password-based authentication remains a critical vulnerability, especially for SSO providers; that AI tools are amplifying the scale and sophistication of scam campaigns; and that user education on phishing and credential hygiene is, on its own, insufficient to counter organized crime groups. The recommended next steps are to transition entirely to passkeys for Google Accounts, to disable password fallback options where possible, and to implement stricter password policies for third-party services that use Google SSO. Advisories to stakeholders cover users being advised to enable passkeys and to review account activity for unauthorized access.
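Two of the measures above, tightened monitoring of password-based sign-ins and the advice to review account activity for unauthorized access, can be turned into concrete detection logic. The Python below is an added example written for this page; it is not Rankiteo's or Google's code. The JSON log field names, the sample sign-in events and the set of passkey-enrolled accounts are all constructed assumptions: map your identity provider's export onto the same fields. It flags (1) source IPs that replay passwords against many distinct accounts with a high failure rate, the signature of credential stuffing with a leaked dataset, (2) accounts that still sign in with a password even though they have a passkey enrolled, i.e. the fallback path the page recommends disabling, and (3) the accounts on which a flagged source actually succeeded.

```python
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sign-in events (JSON lines). The field names are an
# assumption for this example; they are not a real IdP log format.
SAMPLE_LOG = """\
{"ts": "2025-11-10T08:00:01Z", "user": "alice@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "failure"}
{"ts": "2025-11-10T08:00:02Z", "user": "bob@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "failure"}
{"ts": "2025-11-10T08:00:03Z", "user": "carol@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "failure"}
{"ts": "2025-11-10T08:00:04Z", "user": "dave@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "failure"}
{"ts": "2025-11-10T08:00:05Z", "user": "erin@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "failure"}
{"ts": "2025-11-10T08:00:06Z", "user": "frank@example.com", "src_ip": "203.0.113.7", "method": "password", "result": "success"}
{"ts": "2025-11-10T08:01:00Z", "user": "bob@example.com", "src_ip": "198.51.100.2", "method": "passkey", "result": "success"}
{"ts": "2025-11-10T08:02:00Z", "user": "carol@example.com", "src_ip": "198.51.100.9", "method": "password", "result": "success"}
{"ts": "2025-11-10T08:03:00Z", "user": "carol@example.com", "src_ip": "198.51.100.9", "method": "password", "result": "failure"}
"""

# Accounts known to have a passkey enrolled (constructed for the example).
PASSKEY_ENROLLED = {"alice@example.com", "bob@example.com", "frank@example.com"}


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src_ip: str
    method: str  # "password" or "passkey"
    result: str  # "success" or "failure"


def parse_log(text: str) -> list[Event]:
    """Parse JSON-lines sign-in events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append(Event(d["ts"], d["user"], d["src_ip"], d["method"], d["result"]))
    return events


def find_stuffing_sources(events, min_accounts=5, min_failure_ratio=0.7):
    """Source IPs that used password auth against many distinct accounts, mostly failing.

    Credential stuffing replays leaked email:password pairs, so the signature is
    breadth (many accounts per source) plus a high failure rate. Passkey
    sign-ins are ignored: a leaked password cannot complete one.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        if e.method != "password":
            continue
        s = per_ip[e.src_ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        if e.result == "failure":
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_failure_ratio:
            flagged[ip] = {"accounts": len(s["users"]), "failure_ratio": round(ratio, 2)}
    return flagged


def find_password_fallback(events, passkey_enrolled):
    """Successful password sign-ins by accounts that already have a passkey.

    Once a passkey exists, a password success is either the user falling back
    (still phishable) or someone else using a stolen password; both should be
    reviewed, and the page's advice is to disable the fallback entirely.
    """
    return sorted({(e.user, e.src_ip) for e in events
                   if e.method == "password" and e.result == "success"
                   and e.user in passkey_enrolled})


def compromised_accounts(events, stuffing_sources):
    """Accounts on which a flagged stuffing source succeeded with a password."""
    return sorted({e.user for e in events
                   if e.src_ip in stuffing_sources
                   and e.method == "password" and e.result == "success"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    print("stuffing sources:", sources)
    print("password fallback:", find_password_fallback(evs, PASSKEY_ENROLLED))
    print("compromised accounts:", compromised_accounts(evs, sources))
```

On the constructed log, 203.0.113.7 is flagged (six accounts, five failures), carol's own mistyped password from 198.51.100.9 is not (one account), and frank's password success from the flagged source is reported both as a fallback sign-in and as a compromised account. The thresholds are deliberately low so the example is readable; in production they should be tuned per tenant and combined with per-account velocity and impossible-travel checks.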

Finally, we map the incident to the MITRE ATT&CK framework to see which tactics and techniques correlate with it.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis identified the following MITRE ATT&CK tactics and techniques for this incident, each with a confidence level based on the available evidence. Several of the listed technique names do not match the ATT&CK identifier given, or sit under a different tactic in the current matrix; those cases are noted in brackets so that readers can check them against ATT&CK before reusing the mapping.

Initial Access:
  • Phishing: Spearphishing Attachment (T1566.001), moderate to high confidence (85%). Evidence: phishing emails and malicious text messages (smishing) listed under attack_vector; 86% of web application attacks leveraging stolen credentials for initial access.
  • Phishing: Spearphishing Link (T1566.002), high confidence (90%). Evidence: phishing links listed as the entry point under initial_access_broker; fraudulent pop-ups listed in attack_vector.
  • Valid Accounts: Cloud Accounts (T1078.004), high confidence (95%). Evidence: 183 million Gmail passwords exposed via infostealer malware; compromised Google accounts enable cascading attacks on linked services.
  • Phishing: Spearphishing via Service (T1566.003), moderate to high confidence (80%). Evidence: imposter calls listed under attack_vector; 57% of adults experiencing scams (23% losing money). [Caveat: T1566.003 covers phishing over third-party messaging services; voice-based imposter calls correspond to Phishing: Spearphishing Voice (T1566.004).]

Credential Access:
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003), high confidence (95%). Evidence: 183 million Gmail passwords exposed via infostealer malware; infostealer malware listed under attack_vector.
  • Gather Victim Identity Information: Credentials (T1589.001), high confidence (90%). Evidence: 394 million unique Gmail addresses in breached credential datasets; data sold on the dark web (394M credentials compiled). [Caveat: in ATT&CK, T1589.001 belongs to the Reconnaissance tactic, not Credential Access.]
  • Brute Force: Password Guessing (T1110.001), moderate to high confidence (75%). Evidence: credential stuffing listed under type; 86% of web attacks leveraging stolen credentials. [Caveat: replaying leaked email:password pairs is Brute Force: Credential Stuffing (T1110.004); Password Guessing describes trying common passwords without a leaked pair.]

Persistence:
  • Account Manipulation: Additional Cloud Credentials (T1098.003), moderate to high confidence (85%). Evidence: compromised Google accounts enable cascading attacks on linked services; SSO powering 90% of top websites. [Caveat: in ATT&CK, Additional Cloud Credentials is T1098.001; T1098.003 is Additional Cloud Roles.]

Defense Evasion:
  • Valid Accounts: Cloud Accounts (T1078.004), high confidence (90%). Evidence: reused credentials pose severe risks due to SSO dominance; use of valid accounts is implied by stolen credentials being used to bypass authentication.

Lateral Movement:
  • Use Alternate Authentication Material: Application Access Token (T1550.001), moderate to high confidence (80%). Evidence: Google SSO used across 39% of top websites; cascading attacks on linked services (e.g., financial institutions).

Collection:
  • Email Collection: Remote Email Collection (T1114.002), high confidence (90%). Evidence: 394 million unique Gmail addresses in breached credential datasets; data exfiltration confirmed (via infostealer malware).

Exfiltration:
  • Exfiltration Over C2 Channel (T1041), moderate to high confidence (85%). Evidence: 183 million Gmail passwords exposed via infostealer malware; data sold on the dark web.
  • Automated Exfiltration: Traffic Duplication (T1020.001), moderate to high confidence (75%). Evidence: AI tools amplifying the scale of scam campaigns; 394M credentials compiled in breach datasets, which suggests automated collection. [Caveat: T1020.001 describes mirroring or duplicating network traffic to capture it; the evidence cited here does not show that behaviour.]

Impact:
  • Malicious Services: Phishing as a Service (T1659), moderate to high confidence (80%). Evidence: transnational crime groups, including Chinese organized gangs; AI tools used to scale phishing attacks. [Caveat: T1659 is Content Injection in ATT&CK; acquiring phishing tooling or services is modelled under the Resource Development tactic (e.g., Obtain Capabilities, T1588).]
  • Data Encrypted for Impact (T1486), lower confidence (30%). No direct evidence; implied only by financial fraud and downstream breaches.
  • Identity Theft (T1657), high confidence (95%). Evidence: identity theft risk rated high (due to exposed credentials and SSO risks); personally identifiable information exposed (email addresses and passwords). [Caveat: T1657 is Financial Theft in ATT&CK; "Identity Theft" is not an ATT&CK technique name.]

These correlations help security teams understand the attack chain and plan defensive measures based on the observed tactics and techniques.


Sources