Private images are restricted and require authentication to access. They are used to store proprietary applications, configurations, or sensitive code.
The worker, aka service agent, “is a special type of service account created and managed by Google Cloud,” said Liv Matan, senior security researcher at Tenable. “If an attacker gains certain permissions within a victim’s project – specifically run.services.update and iam.serviceAccounts.actAs permissions – they could modify a Cloud Run service and deploy a new revision.”
In doing so, they could specify (through malicious code injection) any private container image stored in a victim’s registries, Matan added.
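For defenders, the permission pair Matan names can be audited directly. The following is an added example, not code from Tenable or Google: it flags every member of a project IAM policy whose combined roles grant both run.services.update and iam.serviceAccounts.actAs. The policy, the role-to-permission map, and the project, member and custom role names are constructed samples; the check covers project-level bindings only and does not expand groups.

```python
import json
from collections import defaultdict

# The two permissions named in the article.
RISKY = frozenset({"run.services.update", "iam.serviceAccounts.actAs"})

# Constructed subset of role -> permissions. In practice, fill it from the
# includedPermissions field of `gcloud iam roles describe ROLE --format=json`.
ROLE_PERMISSIONS = {
    "roles/run.admin": {"run.services.update", "run.services.get"},
    "roles/run.viewer": {"run.services.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    # Hypothetical custom role granting both permissions at once.
    "projects/example-project/roles/deployer": set(RISKY),
}

# Constructed policy, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.admin",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:alice@example.com", "user:carol@example.com"]},
  {"role": "roles/run.viewer", "members": ["user:carol@example.com"]},
  {"role": "projects/example-project/roles/deployer",
   "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}
]}
""")

def members_with_both(policy, role_permissions=ROLE_PERMISSIONS):
    """Return ({member: contributing roles}, roles missing from the map)."""
    perms, via, unknown = defaultdict(set), defaultdict(set), set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            unknown.add(role)          # cannot judge: resolve and re-run
            continue
        granted = role_permissions[role] & RISKY
        if not granted:
            continue
        # Conditional bindings are counted too, which errs on the safe side.
        for member in binding.get("members", []):
            perms[member] |= granted
            via[member].add(role)
    flagged = {m: sorted(via[m]) for m, p in perms.items() if p == RISKY}
    return flagged, sorted(unknown)

if __name__ == "__main__":
    flagged, unknown = members_with_both(SAMPLE_POLICY)
    for member, roles in flagged.items():
        print(f"{member} holds both permissions via {roles}")
    print("roles not in the permission map:", unknown)
```

Roles reported as missing from the map should be resolved and the check re-run, since an unlisted role may carry either permission.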