In recent years, cloud computing platforms like Google Workspace and Google Cloud Platform (GCP) have become integral to business operations, offering a range of tools and services for efficient workflow management. However, with the increasing reliance on these platforms, the concern for their security has also grown. Recent findings from cybersecurity research highlight significant vulnerabilities within these systems, posing serious risks to organizations using these services.
The Threat Landscape
A set of novel attack methods against Google Workspace and GCP has been identified, capable of enabling ransomware, data exfiltration, and password recovery attacks. The main threat arises from the exploitation of Google Credential Provider for Windows (GCPW), a tool designed to streamline access within Google’s ecosystem.
Attack Progression and Methodology
Threat actors have several potential pathways for progressing their attacks:
- Lateral Movement in Cloned Machines: Utilizing cloned VMs with GCPW installed to move across the network.
- Unauthorized Access to Google Cloud Platform: Gaining access through custom permissions.
- Decrypting Locally Stored Passwords: Extending reach beyond the initially compromised machine.
The Role of GCPW
GCPW’s dual role in remote device management and SSO authentication is central to these vulnerabilities. It creates a local service account named GAIA, which is crucial in the authentication process and storing of refresh tokens. These tokens, when compromised, allow attackers to bypass multi-factor authentication and access sensitive data.
Exploits Uncovered
- Golden Image Lateral Movement: A significant risk in environments using VM cloning, where the GAIA account password gets replicated across all cloned VMs.
- Unauthorized Access Token Request: The potential for attackers to use OAuth tokens to request new Access Tokens with broad permissions, bypassing security measures like MFA.
- Plaintext Password Recovery: An exploit allowing attackers to decrypt user passwords, leading to a complete account takeover.
Additional Design Flaw in Workspace
Cybersecurity researchers also detailed a severe design flaw in Google Workspace’s domain-wide delegation feature. This flaw could enable privilege escalation and unauthorized access to Workspace APIs, affecting services like Gmail and Google Drive.
Google’s Response and Security Implications
Google has recognized the validity of these methods but stated they fall outside their designated threat model. The company’s response highlights a complex challenge in cloud security: balancing evolving threat landscapes with realistic threat models and user practices.
Reference
https://thehackernews.com/2023/11/hackers-could-exploit-google-workspace.html