Unit 42 uncovers a "double agent" flaw in Google Cloud's Vertex AI, demonstrating how overprivileged AI agents can compromise cloud environments.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers discovered a 'double agent' vulnerability in Google Cloud's Vertex AI Agent Engine, where default overprivileged service agent (P4SA) credentials could be exploited to gain unauthorized access to consumer project Cloud Storage buckets, restricted Google-internal Artifact Registry container images (including proprietary Vertex AI Reasoning Engine source code), and sensitive tenant project files. The attack chain involved deploying a malicious AI agent as a pickle file to extract GCP metadata service credentials, then pivoting across project boundaries. Additionally, overly broad OAuth 2.0 scopes by default created latent risk of cross-service access to Google Workspace. Google responded by updating documentation and recommending Bring Your Own Service Account (BYOSA) as a mitigation. The research highlights systemic risks of overprivileged AI agents, insecure pickle serialization, and the need to apply least-privilege principles to AI deployments.

Double Agents: Exposing Security Blind Spots in GCP Vertex AI

From Agent to Storage Admin: Taking Over Consumer Resources

Unauthorized Access to Google's Internals: Downloading Restricted Producer Images

Misconfigured Artifact Registry Exposes Restricted Images

Tenant Project Access Reveals Google's Internal Resources

Beyond the Project: Overly Permissive Scopes and the Threat to Workspace Data