Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System

Key Takeaways

• Autonomous AI agents can successfully chain cloud misconfigurations (SSRF, IAM, metadata services) to achieve end-to-end exploitation at machine speed.
• The 'Zealot' PoC utilizes a supervisor-agent architecture to maintain state and coordinate specialized agents (Infrastructure, AppSec, CloudSec).
• AI acts as a force multiplier in offensive security, rapidly exploiting existing misconfigurations rather than necessarily creating new attack surfaces.
• The window between initial access and data exfiltration is drastically shrinking, requiring defenders to adopt automated, AI-driven detection and response.

Affected Systems

• Google Cloud Platform (GCP)
• Cloud IAM
• Cloud Metadata Services
• BigQuery

Vulnerabilities (CVEs)

• Server-Side Request Forgery (SSRF)

Attack Chain

The attack begins with the Infrastructure Agent performing network reconnaissance, discovering a peered VPC and an exposed web application. The Application Security Agent then exploits an SSRF vulnerability in the web app to access the GCP Instance Metadata Service and extract a service account token. Using this token, the Cloud Security Agent enumerates IAM permissions and BigQuery datasets, creates a new storage bucket for exfiltration, and escalates its privileges to storage.objectAdmin to successfully exfiltrate the sensitive data.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Cortex XDR, Cortex Cloud

Palo Alto Networks provides behavioral analytics and BIOC alerts within Cortex XDR, XSIAM, and Cortex Cloud to detect cloud infrastructure enumeration, unusual IMDS access, and IAM enumeration.

Detection Engineering Assessment

EDR Visibility: Medium — While host-based agents can detect network scanning (nmap) and outbound API calls (curl), the core of the attack relies on cloud API interactions and IAM abuse which are better monitored via cloud control plane logs. Network Visibility: High — Network sensors and VPC flow logs can detect the internal scanning, SSRF exploitation, and unusual traffic to the metadata service (169.254.169.254). Detection Difficulty: Moderate — The individual actions (SSRF, IAM enumeration) are well-known and detectable, but the machine speed of the AI agent requires automated, real-time correlation to prevent the attack before exfiltration occurs.

Required Log Sources

• Cloud Audit Logs (GCP)
• VPC Flow Logs
• Web Application Firewall (WAF) logs
• Host network logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unusual or high-volume access to the cloud instance metadata service (169.254.169.254) from web application backend servers, indicating potential SSRF.	VPC Flow Logs, Host Network Logs	Credential Access	Low
Monitor for service accounts performing broad IAM or infrastructure enumeration (e.g., listing BigQuery datasets or storage buckets) outside their normal baseline.	Cloud Audit Logs	Discovery	Medium
Detect self-assignment of elevated privileges (e.g., storage.objectAdmin) by a service account to a newly created storage bucket.	Cloud Audit Logs	Privilege Escalation	Low

Control Gaps

• Lack of IMDSv2 enforcement (or equivalent metadata protection)
• Overly permissive service account roles
• Missing network segmentation between peered VPCs

Key Behavioral Indicators

• Rapid sequence of cloud API calls spanning discovery, privilege escalation, and exfiltration
• Internal port scanning originating from a cloud workload
• Creation of a new storage bucket followed immediately by data export and IAM policy modification

False Positive Assessment

• Medium (Legitimate administrative scripts or infrastructure-as-code deployments may exhibit similar rapid API call sequences and IAM modifications, requiring baseline tuning).

Recommendations

Immediate Mitigation

• Audit and restrict access to the Instance Metadata Service (e.g., require metadata headers/IMDSv2).
• Review service account permissions and enforce the principle of least privilege.

Infrastructure Hardening

• Implement strict network segmentation and restrict traffic across peered VPCs.
• Deploy Cloud Security Posture Management (CSPM) to continuously monitor for IAM and storage misconfigurations.

User Protection

• N/A

Security Awareness

• Train security operations teams on the compressed timelines of AI-driven attacks and the need for automated response playbooks.

MITRE ATT&CK Mapping

• T1580 - Cloud Infrastructure Discovery
• T1526 - Cloud Service Discovery
• T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
• T1087 - Account Discovery
• T1069 - Permission Groups Discovery
• T1078.004 - Valid Accounts: Cloud Accounts
• T1548.005 - Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
• T1199 - Trusted Relationship
• T1619 - Cloud Storage Object Discovery
• T1537 - Transfer Data to Cloud Account
• T1190 - Exploit Public-Facing Application

Additional IOCs

• Ips:
  • 10[.]0[.]2[.]1 - IP address probed during internal network reconnaissance.
  • 10[.]0[.]2[.]3 - IP address probed during internal network reconnaissance.
  • 10[.]0[.]2[.]4 - IP address probed during internal network reconnaissance.
  • 10[.]0[.]2[.]5 - IP address probed during internal network reconnaissance.
• Command Lines:
  • Purpose: Internal network probing to discover active hosts. | Tools: ping | Stage: Reconnaissance | ping -c 2 10.0.2.2
  • Purpose: Port scanning to identify exposed services on discovered hosts. | Tools: nmap | Stage: Reconnaissance | nmap -sV -p- 10.0.2.2 --min-rate 1000
  • Purpose: Modifying IAM policy on a GCP storage bucket to grant objectAdmin privileges. | Tools: curl, GCP API | Stage: Privilege Escalation
• Other:
  • vpc-b-instance-sa@xdr-analytics.iam.gserviceaccount.com - Compromised GCP service account used for enumeration and privilege escalation.
  • xdr-analytics-exfil - GCP storage bucket created by the agent for data exfiltration.