A recent report from Bitdefender reveals a series of novel attack methods that expose vulnerabilities in Google Workspace and the Google Cloud Platform (GCP), potentially empowering threat actors to execute ransomware attacks, data exfiltration, and password recovery exploits.
Martin Zugec, the technical solutions director at Bitdefender, emphasizes that starting from a single compromised machine, threat actors could escalate their attacks by moving to other cloned machines with Google Credential Provider for Windows (GCPW) installed, gaining access to the cloud platform with customized permissions, or decrypting locally stored passwords to extend their assault beyond the Google ecosystem.
Despite Google marking the bug as ineligible for fixing due to being outside its threat model, Bitdefender warns that threat actors can exploit these gaps to transform a single endpoint compromise into a network-wide breach.
Furthermore, the attacks hinge on exploiting an organization’s use of Google Credential Provider for Windows (GCPW), offering mobile device management (MDM) and single sign-on (SSO) capabilities. GCPW facilitates remote management of Windows devices within Google Workspace environments, allowing users to access their Windows devices with the same credentials used for Google accounts.
At the same time, the attackers leverage the GCPW setup to extract an account’s refresh OAuth tokens, bypassing multi-factor authentication (MFA) protections and utilizing the refresh token to construct HTTP requests for accessing and manipulating sensitive data associated with Google accounts. A second exploit, the Golden Image lateral movement, takes advantage of VM deployments, allowing the cloning of machines with pre-installed GCPW to clone associated passwords.
In addition, the third attack involves accessing plaintext credentials by leveraging acquired access tokens to send HTTP requests to an undocumented API endpoint, obtaining the private RSA key necessary to decrypt the password field.
Bitdefender underscores the severity of having access to plaintext credentials, enabling attackers to impersonate legitimate users, potentially leading to complete account takeover. The report highlights the critical importance for organizations to address these vulnerabilities promptly and underscores the need for thorough audits of applications to prevent exploitation by threat actors monitoring open-source repositories opportunistically.
Reference:
