“At issue are identities that lack registry permissions but that have edit permissions on Google Cloud Run revisions. The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account,” – Tenable Research
The vulnerability dubbed ImageRunner was reported to Google and fixed on January 28, 2025.
Tenable Research experts call ImageRunner an example of the Jenga concept: multiple cloud services are closely interrelated, which inevitably creates severe risks.
“Cloud providers build their services on top of their other existing services. Sometimes they create “hidden services.” If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well. This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders,” – Tenable Research.
Google Cloud Run is a fully managed platform that enables you to run containerized applications in a scalable serverless environment on top of Google’s infrastructure. Container images are pulled from Artifact Registry (or Docker Hub) for subsequent deployment by specifying an image URL.
As said above, some accounts don’t have access to Container Registry, but can edit Google Cloud Run revisions. Every time a Cloud Run service is deployed or updated, a new version is created. And every time a Cloud Run revision is deployed, a service account is used to pull the required images.
“If an attacker gains certain permissions within a victim’s project – specifically run.services.update and iam.serviceAccounts.actAs permissions – they could modify a Cloud Run service and deploy a new revision. In doing so, they could specify any private container image within the same project for the service to pull,” – Tenable Research.
Attackers can access sensitive or proprietary images stored in a victim’s registries and inject malicious instructions to extract secrets, steal sensitive data, or even start a reverse shell.
The patch released by Google ensures that any user or service account creating or updating Cloud Run has explicit permission to access container images.
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →