Attackers are always looking for new ways to expand their access inside corporate networks once they hack into a machine or a user account. Recent research by security firm Bitdefender shows how attackers can gain access to Google Workspace and Google Cloud services by stealing access tokens and even plaintext passwords from compromised Windows systems that have the Google Credential Provider for Windows (GCPW) tool deployed. These credentials can be used in various attack scenarios to steal cloud-hosted data or to move laterally to other accounts and systems inside a network.
While organizations might monitor their Active Directory (AD) environments for known lateral movement techniques that have become a staple of attacks by both state-sponsored cyberespionage groups and ransomware gangs, they can have a blind spot when it comes to cloud-based services that are increasingly integrated with local networks as part of hybrid environments.
GCPW unlocks a large attack surface
Organizations that use Google Workspace (formerly G Suite) for business productivity can deploy GCPW on their Windows 10 and Windows 11 computers in order to sync Google accounts with their local Active Directory and enable a single sign-on (SSO) experience for their users. When deployed, the tool registers itself as a Credential Provider in the Windows Local Security Authority Subsystem Service (lsass), which handles authentication on Windows systems, allowing users to use their Google account credentials for local authentication instead of having separate accounts for the AD environment and Google Workspace.
Companies with certain Google Workspace subscriptions can also deploy Google's device management solution for Windows, which can use GCPW for authentication and device enrollment. In such a setup, the device management component can be used to push custom Windows configurations and policies, to manage Windows updates, enable BitLocker drive encryption, remotely wipe devices and more.
According to Radu Tudorica, a Bitdefender security researcher who presented the GCPW attack scenarios last week at the DefCamp 2023 security conference in Bucharest, an attacker who obtains admin privileges to an organization's Google Workspace with device management enabled can deploy a download-and-install policy that pushes a malicious payload to all managed systems. This is similar to how attackers often push ransomware to an organization's systems after compromising the network's domain controller.
Lateral movement could also potentially extend to the organization's Google Cloud Platform (GCP) account, which significantly increases the attack surface by providing access to storage buckets and source code repositories.
Tudorica's scenario starts like most malware attacks, with a spear-phishing email sent to an employee of a targeted organization and impersonating a business associate for added credibility. The email carries a malicious attachment which, if executed, deploys a malware implant that provides the attacker with remote access to the Windows machine with the privileges of the employee's local account.
If GCPW is deployed on the system, the attacker can then set out to extract the refresh token associated with the employee's Google account. This is a special OAuth token generated by Google's servers following a successful authentication; it preserves the user's active session for a limited time, avoiding the need to re-authenticate when accessing a Google Workspace service.
GCPW stores the refresh token in two locations: temporarily in the system registry and later in the user's profile in the Google Chrome browser. The token is stored in encrypted form in both cases, but its decryption is trivial with a tool like Mimikatz or by calling the Windows CryptUnprotectData API from the same user and machine that was used to encrypt it. In other words, this encryption is only meant to protect the token if it's copied and transferred to another machine.
Extracting the token from the system registry is stealthier than from inside the browser profile because security products often flag attempts by external processes to read browser data as suspicious. The downside is that the token is only temporarily available in the registry before being moved to the browser, but this can be overcome by modifying another value called "the token handle" that's stored by GCPW inside the registry. If this value is changed, GCPW will assume the session is invalid and will force the user to re-authenticate, placing a new refresh token temporarily in the registry.
The refresh token can be used through Google's OAuth API to request access tokens for various Google services in the user's name, providing the attacker with access to data stored in those services and their various functionalities. This type of API access doesn't require multi-factor authentication (MFA) even if the account has it enabled, because the refresh token is issued after a successful authentication has already been completed, which includes the MFA step.
Depending on the user's privileges in the Google Workspace environment, the attacker can access their Google Calendar, Google Drive, Google Sheets, Google Tasks, some information about their email address and user profile, their Google Cloud Storage and Google Cloud Search, data stored in Google Classroom and more. If the employee happens to be a Workspace administrator, they can also gain access to user provisioning in the Google Directory and to the Vault API, an eDiscovery and data retention tool that allows the exporting of all emails and data for all users within an organization. And if device management is enabled, an admin account can also be used to abuse its features.
How attackers can expand access
It's worth noting that tokens can only be used to access services through APIs, but not all Google services or all their features are available through APIs. Some can only be accessed through web-based interfaces in the browser. In that case, an attacker might need the user's actual plaintext password instead of just the GCPW refresh token to abuse those services and features. The plaintext password could also potentially enable access outside of Google's ecosystem if it's reused.
Tudorica and his team found that GCPW stores the user's password locally in encrypted form to allow for password recovery operations, a feature that's enabled by default. Unlike refresh tokens, locally stored passwords are encrypted with keys that are stored on Google's servers. However, the encryption keys can be retrieved through an undocumented API service if the attacker has the required local access (SYSTEM privileges) to extract a unique ID from the Windows Local Security Authority (LSA) store and then uses the GCPW refresh token to generate an access token for that undocumented API.
If the compromised account doesn't have administrator privileges in Google Workspace, the attacker can still use it to extract data such as shared files, identify administrators and then target them by using the compromised account. For example, the attacker could attach malicious macros to a document and then share it with an administrator in the hope they'll open it on their computer and install a malware implant.
If an administrator account is compromised, the attacker could use it to create a shadow admin account in the Workspace environment for persistence purposes and then give it access to the organization's resources on Google Cloud Platform as well. If, for example, the organization develops software and hosts its apps and code on Google Cloud, this level of access could enable backdoors being pushed into production code and software supply chain attacks. At the very least it could lead to a compromise of sensitive business data stored in the organization's cloud-hosted apps, or to a ransomware-style attack on GCP data through the customer-supplied encryption keys (CSEK) feature.
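The shadow-admin persistence step above is one of the few actions in this chain that leaves a clear trace in the Workspace admin audit log. As an added example (not Bitdefender's or Google's code), the script below scans constructed admin-activity records and flags an account that was created and then granted admin privilege by the same actor within a short window; the record shape (time, actor, event name, target) is a simplified assumption rather than the exact Reports API layout, and the event names CREATE_USER and GRANT_ADMIN_PRIVILEGE are assumed to match the admin audit log vocabulary.

```python
"""Flag shadow-admin creation in Google Workspace admin audit events.

Added example, not Bitdefender's or Google's code. The records below are
constructed and use an assumed, simplified shape (time, actor, event name,
target) rather than the exact Reports API layout; the event names are
assumed to match the admin audit log vocabulary.
"""
from datetime import datetime

CREATE_USER = "CREATE_USER"
GRANT_ADMIN = "GRANT_ADMIN_PRIVILEGE"

# Constructed sample events: a compromised admin creates an account and
# promotes it 90 seconds later; a routine account creation is also present.
SAMPLE_EVENTS = [
    {"time": "2023-11-20T09:00:00Z", "actor": "admin@example.com",
     "name": CREATE_USER, "target": "svc-backup@example.com"},
    {"time": "2023-11-20T09:01:30Z", "actor": "admin@example.com",
     "name": GRANT_ADMIN, "target": "svc-backup@example.com"},
    {"time": "2023-11-20T13:00:00Z", "actor": "admin@example.com",
     "name": CREATE_USER, "target": "intern@example.com"},
]


def _parse_time(value):
    # Accept the trailing 'Z' that the audit log uses for UTC timestamps.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_shadow_admins(events, window_seconds=3600):
    """Return one finding per account that was created and then granted
    admin privilege by the same actor within window_seconds.

    Each finding records the actor, the new account and the delay between
    the two events, so an alert can show how quickly the promotion happened.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["time"]))
    created = {}  # target account -> (creating actor, creation time)
    findings = []
    for ev in ordered:
        when = _parse_time(ev["time"])
        if ev["name"] == CREATE_USER:
            created[ev["target"]] = (ev["actor"], when)
        elif ev["name"] == GRANT_ADMIN and ev["target"] in created:
            actor, at = created[ev["target"]]
            delay = int((when - at).total_seconds())
            if actor == ev["actor"] and delay <= window_seconds:
                findings.append({"actor": actor, "account": ev["target"],
                                 "seconds": delay})
    return findings


if __name__ == "__main__":
    for f in find_shadow_admins(SAMPLE_EVENTS):
        print(f"ALERT: {f['actor']} created and promoted {f['account']} "
              f"within {f['seconds']}s")
```

In production the same logic would run over records pulled from the Reports API rather than the embedded sample, and the window can be tightened to match how admin onboarding normally happens in the organization.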
Bitdefender reported the refresh token and password decryption issues to Google, but since exploiting them requires a local machine to be compromised, they fall outside of the threat model for Chrome data storage and are therefore not considered security vulnerabilities.
“Don't treat cloud services as being inherently secure,” Tudorica said. “Think of them as Active Directory, and while you don't have something to patch, you still have to set up reasonable access permissions for everyone. Also be very careful with integrations that appear to make your life easier but can also make it harder if they're compromised, and set up monitoring and alerts for absolutely everything,” he said.
Additional details are available in a Bitdefender technical write-up published ahead of the conference.