A set of novel attack techniques has been demonstrated against Google Workspace and the Google Cloud Platform that could potentially be leveraged by threat actors to carry out ransomware, data exfiltration, and password recovery attacks.
"Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem," Martin Zugec, technical solutions director at Bitdefender, said in a new report.
A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing "since it's outside of our threat model and the behavior is in line with Chrome's practices of storing local data."
That said, the Romanian cybersecurity firm has warned that threat actors can exploit such gaps to extend a single endpoint compromise into a network-wide breach.
The attacks, in a nutshell, rely on an organization's use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities.
This allows administrators to remotely manage and control Windows devices within their Google Workspace environments, and also lets users sign in to their Windows devices with the same credentials they use to log in to their Google accounts.

GCPW is designed to use a local privileged service account named Google Accounts and ID Administration (GAIA) to seamlessly facilitate the process in the background: it connects to Google APIs to verify a user's credentials during the sign-in step and stores a refresh token so that the user does not have to re-authenticate.
With this setup in place, an attacker with access to a compromised machine can extract an account's OAuth refresh token, either from the Windows registry or from the user's Chrome profile directory, and thereby bypass multi-factor authentication (MFA) protections: the refresh-token exchange involves no user interaction, so no second factor is ever requested.
The refresh token is subsequently used to construct an HTTP POST request to the endpoint "https://www.googleapis[.]com/oauth2/v4/token" to obtain an access token, which, in turn, can be abused to retrieve, manipulate, or delete sensitive data associated with the Google Account.
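To make the MFA-bypass point concrete, the following is an added example (not Bitdefender's or Google's code) that models the OAuth 2.0 refresh-token grant described above, as specified in RFC 6749 section 6, entirely offline. `MockAuthServer` is a constructed stand-in for the authorization server's token endpoint, the `gcpw-client-id`/`client-secret` values are placeholders, and the `1//` and `ya29.` token prefixes are assumptions about format; the real endpoint URL from the article is kept only as a constant and is never contacted. What the model shows is structural: the exchange is refresh token in, bearer access token out, with no user step in between, so whoever has copied the refresh token gets API access without an MFA prompt, and revoking the refresh token is what closes that path.

```python
"""Offline model of the OAuth 2.0 refresh-token grant (RFC 6749, section 6).

Added example, not the article's or Bitdefender's code. MockAuthServer is a
constructed stand-in for an authorization server; client ids/secrets and the
token prefixes ("1//", "ya29.") are placeholder assumptions. Nothing here
touches the network.
"""
import secrets
from urllib.parse import parse_qs, urlencode

# Endpoint named in the article; kept as a constant only, never contacted.
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"


class MockAuthServer:
    """Constructed stand-in for an OAuth 2.0 authorization server's token endpoint."""

    def __init__(self, clients: dict[str, str]):
        self.clients = clients            # client_id -> client_secret (registered clients)
        self.refresh_tokens = {}          # refresh_token -> {"client_id", "scope", "revoked"}
        self.issued_access_tokens = []    # audit trail of bearer tokens handed out

    def issue_refresh_token(self, client_id: str, scope: str) -> str:
        """Simulates the one-time interactive sign-in (the only place MFA would occur)."""
        token = "1//" + secrets.token_urlsafe(32)  # prefix mimics Google's format (assumption)
        self.refresh_tokens[token] = {"client_id": client_id, "scope": scope, "revoked": False}
        return token

    def revoke(self, refresh_token: str) -> None:
        """Defender action: a revoked refresh token can no longer be exchanged."""
        if refresh_token in self.refresh_tokens:
            self.refresh_tokens[refresh_token]["revoked"] = True

    def token(self, body: str) -> tuple[int, dict]:
        """Handle a form-encoded POST body to the token endpoint; return (status, JSON)."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        record = self.refresh_tokens.get(form.get("refresh_token", ""))
        if record is None or record["revoked"]:
            return 400, {"error": "invalid_grant"}
        client_id = form.get("client_id")
        if record["client_id"] != client_id or self.clients.get(client_id) != form.get("client_secret"):
            return 401, {"error": "invalid_client"}
        # No user interaction and no second factor anywhere in this path:
        # possession of the refresh token (plus the client credentials) is sufficient.
        access_token = "ya29." + secrets.token_urlsafe(32)  # prefix mimics Google's format (assumption)
        self.issued_access_tokens.append(access_token)
        return 200, {
            "access_token": access_token,
            "token_type": "Bearer",
            "expires_in": 3599,
            "scope": record["scope"],
        }


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str) -> str:
    """The application/x-www-form-urlencoded body a client POSTs for the refresh-token grant."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })


def exchange(server: MockAuthServer, client_id: str, client_secret: str, refresh_token: str):
    """Client side of the exchange: POST the grant body, return (status, parsed response)."""
    return server.token(build_refresh_request(client_id, client_secret, refresh_token))


if __name__ == "__main__":
    srv = MockAuthServer({"gcpw-client-id": "client-secret"})
    # Legitimate sign-in happens once; the refresh token then lives on disk.
    rt = srv.issue_refresh_token("gcpw-client-id", "openid email")
    # An attacker who copied that token replays it from any machine, no MFA involved.
    status, resp = exchange(srv, "gcpw-client-id", "client-secret", rt)
    print(status, resp["token_type"], resp["expires_in"])
    # Revoking the refresh token is what actually stops the replay.
    srv.revoke(rt)
    print(exchange(srv, "gcpw-client-id", "client-secret", rt))
```

The design choice worth noting is that the server checks only three things: the grant type, the refresh token's validity, and the client credentials. The user's identity is established once at sign-in and never re-challenged, which is exactly why a stolen refresh token sidesteps MFA, and why revoking the token (or the session that issued it) is the remediation rather than rotating the user's password.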
A second exploit concerns what's called the Golden Image lateral movement, which focuses on virtual machine (VM) deployments and takes advantage of the fact that creating a machine by cloning another machine with pre-installed GCPW causes the password associated with the GAIA account to be cloned as well.
"If you know the password to a local account, and local accounts on all machines share the same password, then you know the passwords to all machines," Zugec explained.
"This shared-password challenge is similar to having the same local administrator password on all machines that has been addressed by Microsoft's Local Administrator Password Solution (LAPS)."
The third attack entails access to plaintext credentials by leveraging the access token acquired using the aforementioned technique to send an HTTP GET request to an undocumented API endpoint and get hold of the private RSA key that is required to decrypt the password field.
"Having access to plaintext credentials, such as usernames and passwords, represents a more severe threat," Zugec said. "This is because it enables attackers to directly impersonate legitimate users and gain unrestricted access to their accounts, potentially leading to full account takeover."