Mitiga said today that its researchers have found a "significant forensic deficiency in Google Workspace."
Google Workspace issue reported.
Mitiga released a comprehensive report regarding a “significant forensic deficiency in Google Workspace.” This deficiency allows threat actors to exfiltrate data using Google Drive with no trace. The problem lies in the fact that Google Drive logs, which would allow these activities to be traced, are only active in its premium service “Google Workspace Enterprise Plus.” If an organization is not paying for the service, or an employee is not using a paid license, then the logs remain inactive allowing threat actors to move data without notice.
“Significant forensic deficiency” in Google Workspace.
Mitiga writes “All users can access the Workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks. When incidents occur, this standard prevents organizations from efficiently responding, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all.” Mitiga has alerted Google to this deficiency but, as of the publishing of their report, Google had not yet responded.
Scenarios in which this could be exploited.
If an employee’s account is compromised, a threat actor with admin privileges can transfer that employee’s license to a different account, leaving only an “Admin Log Event” showing the license revocation and new assignment. Additionally, if an employee is operating without a paid license, the threat actor can simply move documents out of that employee’s private drive with no trace. Users without a paid license can still view shared files, which allows a threat actor to copy the documents and data and download them with no logs to show that it occurred.
Mitigations and detection.
A simple way to prevent this from being exploited would be to make sure that all licenses used by employees are of the paid variety. This can be difficult for companies when they are offboarding employees and wish to remove the departing member’s write access to shared drives. Mitiga explains that one clear indicator that an employee’s account is compromised is the rapid revocation and reassignment of an employee’s license. Mitiga recommends regularly searching for this activity, as it could be an indicator of a compromised account. Additionally, they write “It is crucial for organizations to follow the common effective techniques for identifying and mitigating security threats and to update their techniques to address emerging threats. Focusing solely on significant downloads may not be enough to detect all potential security breaches. Monitoring events such as license revocation and assignment is critical for finding potential threats. In addition, organizations must recognize the growing importance of monitoring "source_copy" events in their threat hunting efforts.”
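The three checks above (licenses actually paid, rapid revoke-then-assign sequences, and "source_copy" events worth a second look) can be turned into a small hunting script. The following is an added example, not code from Mitiga or Google: the audit entries and directory snapshot are constructed for illustration, and the simplified field names (`ts`, `log`, `event`, `actor`, `target`, `sku`) and event labels `license_revoke` / `license_assign` / `source_copy` are assumptions rather than the exact names the Workspace Reports API uses.

```python
from datetime import datetime, timedelta

# Constructed sample audit entries (not real Workspace log output). "log" names
# the Workspace audit log the entry is assumed to come from; the event labels
# license_revoke / license_assign / source_copy are simplified assumptions.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "log": "admin", "event": "license_revoke",
     "actor": "admin@example.com", "target": "alice@example.com", "sku": "Enterprise Plus"},
    {"ts": "2023-06-01T09:02:30", "log": "admin", "event": "license_assign",
     "actor": "admin@example.com", "target": "mallory@example.com", "sku": "Enterprise Plus"},
    {"ts": "2023-06-01T09:05:00", "log": "drive", "event": "source_copy",
     "actor": "mallory@example.com", "target": "Q2-financials.xlsx"},
    # Benign offboarding: revocation with no reassignment for a week.
    {"ts": "2023-06-03T17:00:00", "log": "admin", "event": "license_revoke",
     "actor": "admin@example.com", "target": "bob@example.com", "sku": "Enterprise Plus"},
    {"ts": "2023-06-10T10:00:00", "log": "admin", "event": "license_assign",
     "actor": "admin@example.com", "target": "carol@example.com", "sku": "Enterprise Plus"},
    {"ts": "2023-06-11T11:00:00", "log": "drive", "event": "source_copy",
     "actor": "dave@example.com", "target": "roadmap.docx"},
]

# Constructed directory snapshot: every account, and which of them held a paid
# license before the events above were applied.
USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
         "dave@example.com", "mallory@example.com"]
INITIAL_LICENSED = {"alice@example.com", "bob@example.com", "dave@example.com"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_rapid_license_flips(events, window_minutes=30):
    """Pairs (revoke, assign) where the same actor revoked a license from one
    user and assigned the same SKU to a different user within the window.
    Mitiga singles out this rapid revoke-then-assign sequence as an indicator
    of a compromised account."""
    window = timedelta(minutes=window_minutes)
    revokes = [e for e in events if e["event"] == "license_revoke"]
    assigns = [e for e in events if e["event"] == "license_assign"]
    hits = []
    for r in revokes:
        for a in assigns:
            delta = _ts(a) - _ts(r)
            if (a["actor"] == r["actor"] and a["sku"] == r["sku"]
                    and a["target"] != r["target"]
                    and timedelta(0) <= delta <= window):
                hits.append((r, a))
    return hits


def users_without_license(users, initially_licensed, events):
    """Replay license events over a directory snapshot and return the accounts
    that end up unlicensed: per the report, their Drive activity produces no
    Drive audit logs, so they are the coverage gap to close."""
    licensed = set(initially_licensed)
    for e in sorted(events, key=_ts):
        if e["event"] == "license_revoke":
            licensed.discard(e["target"])
        elif e["event"] == "license_assign":
            licensed.add(e["target"])
    return sorted(u for u in users if u not in licensed)


def source_copy_near_license_change(events, window_hours=24):
    """source_copy Drive events whose actor was the target of a license
    revocation or assignment within +/- window_hours. Returns a list of
    (copy_event, [related license events]) for analyst review."""
    window = timedelta(hours=window_hours)
    license_events = [e for e in events
                      if e["event"] in ("license_revoke", "license_assign")]
    flagged = []
    for c in events:
        if c["event"] != "source_copy":
            continue
        related = [l for l in license_events
                   if l["target"] == c["actor"] and abs(_ts(l) - _ts(c)) <= window]
        if related:
            flagged.append((c, related))
    return flagged


if __name__ == "__main__":
    for r, a in find_rapid_license_flips(SAMPLE_EVENTS):
        print(f"ALERT rapid license flip by {r['actor']}: "
              f"{r['target']} -> {a['target']} ({r['ts']} .. {a['ts']})")
    print("unlicensed accounts (no Drive logging):",
          users_without_license(USERS, INITIAL_LICENSED, SAMPLE_EVENTS))
    for c, rel in source_copy_near_license_change(SAMPLE_EVENTS):
        print(f"REVIEW source_copy of {c['target']} by {c['actor']} "
              f"near license change(s): {[e['event'] for e in rel]}")
```

On the constructed data the script raises one alert (the Enterprise Plus license moved from alice to mallory within three minutes by the same admin), lists alice and bob as accounts whose Drive activity is no longer logged, and flags mallory's "source_copy" because it happened minutes after a license was assigned to that account; dave's copy and bob's slow offboarding are left alone. The windows are parameters because the right values depend on how an organization normally handles offboarding.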