Hackers Abuse AWS CloudTrail and Google Cloud
## Overview

Cloud logging services, the very tools meant to protect cloud environments, are now being weaponized by attackers. Researchers from Unit 42 have documented how threat actors abuse AWS CloudTrail and Google Cloud Logging to evade detection and exfiltrate logs, turning the systems that give security teams visibility into blind spots.

## The New Target: Cloud Logging Infrastructure

As organizations shift to cloud computing, services like CloudTrail and Cloud Logging record every API call, resource change, and user action, forming the core of cloud auditing and incident response. But that same visibility makes them a high-value target. An attacker who can tamper with logs can move undetected, erase evidence, or even watch the victim's environment in real time.

| Platform | Logging Service | Purpose |
|---|---|---|
| AWS | CloudTrail | Tracks API calls and resource changes |
| Google Cloud | Cloud Logging | Records user actions and system events |

## Two Attack Models Identified

Unit 42 researchers outlined two distinct attack patterns:

When logs are missing or altered, tools like SIEM, SOAR, and CSPM go blind, leaving attackers free to escalate privileges and exfiltrate data without detection.

## Defense Evasion Techniques

Attackers use multiple methods to silence or poison cloud logs:

| Technique | AWS Method | Google Cloud Equivalent |
|---|---|---|
| Stop Logging | `StopLogging` API call (`aws cloudtrail stop-logging`) stops the trail from recording events and delivering them to its S3 bucket | Disable the log sink so entries are no longer routed to their destination |
[…]
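The "Stop Logging" row above describes the attacker's move; the defender's counter-move is to alert on the control-plane calls that make it. The following detector is an added example written for this page, not code from Unit 42 or from either cloud provider. It scans constructed CloudTrail records and Google Cloud Admin Activity audit entries (both shaped like the real formats, but invented here) for the logging-configuration calls that disable or redirect log delivery. The sets of event names and method names it matches are this example's own assumptions, not a complete catalogue of tampering techniques.

```python
from __future__ import annotations

import json

# Assumed watchlists for this example. CloudTrail control-plane calls that stop,
# delete or reshape a trail; Cloud Logging config calls that delete or modify a sink.
CLOUDTRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
GCP_SINK_TAMPER_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink",
    "google.logging.v2.ConfigServiceV2.UpdateSink",
}

# Constructed sample data (not real logs): one StopLogging against an org trail,
# one benign DescribeTrails, one UpdateSink that sets disabled=true, one benign ListSinks.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2025-01-10T12:00:01Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/compromised-dev"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
    },
    {
        "eventTime": "2025-01-10T12:00:05Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/auditor/s1"},
        "requestParameters": None,
    },
]})

SAMPLE_GCP = [
    {
        "timestamp": "2025-01-10T12:01:30Z",
        "logName": "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
            "authenticationInfo": {"principalEmail": "svc-deploy@prod-app.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/prod-app/sinks/siem-export",
            "request": {"sink": {"name": "siem-export", "disabled": True}, "updateMask": "disabled"},
        },
    },
    {
        "timestamp": "2025-01-10T12:02:00Z",
        "logName": "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
            "authenticationInfo": {"principalEmail": "auditor@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.9"},
            "resourceName": "projects/prod-app",
        },
    },
]


def check_cloudtrail(record: dict) -> dict | None:
    """Return an alert dict if this CloudTrail record is a trail-tampering call."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in CLOUDTRAIL_TAMPER_EVENTS:
        return None
    ident = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    return {
        "platform": "aws",
        "technique": name,
        "actor": ident.get("arn") or ident.get("principalId"),
        "source_ip": record.get("sourceIPAddress"),
        "target": params.get("name"),
        "time": record.get("eventTime"),
    }


def check_gcp(entry: dict) -> dict | None:
    """Return an alert dict if this audit entry disables, redirects or deletes a sink."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName")
    if method not in GCP_SINK_TAMPER_METHODS:
        return None
    request = payload.get("request") or {}
    sink = request.get("sink") or {}
    mask = request.get("updateMask") or ""
    # UpdateSink is routine admin work; only disabling the sink, changing where it
    # delivers, or narrowing its filter counts as log-delivery tampering here.
    if method.endswith("UpdateSink") and not (
        sink.get("disabled") or "destination" in mask or "filter" in mask
    ):
        return None
    return {
        "platform": "gcp",
        "technique": method,
        "actor": (payload.get("authenticationInfo") or {}).get("principalEmail"),
        "source_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
        "target": payload.get("resourceName"),
        "time": entry.get("timestamp"),
    }


def detect_log_tampering(cloudtrail_json: str, gcp_entries: list[dict]) -> list[dict]:
    """Run both checks and return the alerts in input order."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (hit := check_cloudtrail(rec)) is not None:
            alerts.append(hit)
    for entry in gcp_entries:
        if (hit := check_gcp(entry)) is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_CLOUDTRAIL, SAMPLE_GCP):
        print(json.dumps(alert))
```

Two practical notes on where to run this. A `StopLogging` call is itself recorded by CloudTrail, and management events also remain visible in the CloudTrail console's 90-day Event history independently of any trail, so the alert source should be an organization trail or EventBridge rule that the compromised account cannot switch off, not the trail being attacked. On Google Cloud, sink changes land in the Admin Activity audit log, which cannot be disabled, so routing that log to a separate project the workload identities cannot write to keeps the detection out of the attacker's reach.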