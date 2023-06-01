



The lack of Google Drive event logs in the free subscription tier of Google Workspace could allow an attacker to download data from Google Drive without leaving any trace of the activity.

Researchers from Mitiga have discovered what they call a significant “forensic security flaw” in Google Workspace, a widely used hosted productivity suite. The flaw is simply a lack of Drive logging for users who do not hold a paid Enterprise license of Workspace. In a Mitiga blog post published May 30, the team noted that the situation leaves companies exposed to insider threats and other potential data breaches.

Users with paid licenses, such as Google Workspace Enterprise Plus, get visibility into Google Drive activity through “Drive log events,” which record actions such as copying, deleting, downloading, and viewing files. The default Cloud Identity Free license does not generate those events, the researchers said. That leaves organizations unaware of potential data manipulation and data exfiltration and limits how quickly and effectively they can respond, because there is little or no opportunity to assess exactly what data was stolen, or even whether anything was stolen in the first place.

“Especially with Google, when a new user is added to a domain, it defaults to a free license, which means you never receive any logs about Google Drive activity from the user’s private drive,” Aspir, leader of Mitiga’s cloud security research team, told Dark Reading. “This is the main problem, because without these logs users would not be aware that they might download data to their private drives.”

For that matter, a company that rolls out Google Workspace across its workforce with enterprise licenses gains visibility through logging, but if users copy files from a shared enterprise drive to their personal Google Drive, the company may still be exposed to data theft and will not be protected, Aspir said.

“If a user has permission to access a company’s shared drive, the user can copy files from the shared drive to the private drive, but the company will not receive a log that the user downloaded the copied file from the private drive,” he explains.

How Attackers Exploit Google Drive Flaw

In their post, the researchers said there are two main scenarios in which this lack of visibility causes problems. The first is when a user’s account is compromised by a threat actor, whether by gaining administrator rights or simply by taking over that account.

“An attacker who gains access to an admin user could revoke the user’s license, download all private files, and reassign licenses,” they explained in the post. In this case, the only log records generated are license revocation and assignment activity under the administrator log events, the researchers said.

Meanwhile, an attacker who gains access to a user who has no paid license but still works in the organization’s Drive could download all of that user’s Drive files without leaving a trace, the researchers said.

The second threat scenario is most likely to occur during employee offboarding, the researchers said: the corporate user leaves the company and the license is removed before the employee is actually deactivated or removed as a Google user.

Additionally, because there is no logging, employees (or any users who are not assigned a paid license) can download internal files from their private drives or private Google Workspace accounts without notice, creating an insider threat or a data leak that outside attackers could exploit, they added. A user who still has access to the company’s private drive could also download its contents to his or her private Google Workspace without generating a log, the researchers said.

“In both cases, users can access shared drives as viewers without a paid license,” the post explains. “A user or threat actor can copy and download all files from a shared drive to his private drive.”

How Companies Can Respond

Mitiga has reached out to Google about the issue but has not yet received a response, the researchers said, adding that Google’s security team typically does not treat forensic flaws as security issues.

This highlights a broader concern when working with software-as-a-service (SaaS) and cloud providers. Organizations using such services “rely solely on those providers as to what forensic data they can obtain,” Aspir notes. “When it comes to SaaS and cloud providers, we are talking about shared responsibility for security, because we cannot add additional safeguards within the scope given.”

For example, Aspir says, organizations rely entirely on what Google Workspace offers. In his view, the provider should supply “all the logs the company needs to understand if something bad happened and what exactly happened.”

Fortunately, the researchers say, organizations using Google Workspace can take steps to keep the issues Mitiga outlined from being exploited. These include watching for specific actions in the Admin Log Events feature, such as events related to assigning or revoking licenses, they said.

“If these events occur in quick succession, it may indicate that threat actors are revoking or reassigning licenses within the environment,” they wrote in the post. “Therefore, we recommend conducting regular threat hunting that includes searching for this activity in Google Workspace.”

The researchers say organizations can also add the “source_copy” event to their threat hunting to catch cases where employees or threat actors copy files from shared drives to private drives and then download them from there.
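The two hunts described above (a license revoked and reassigned in quick succession, and copies out of a shared drive into a personal drive, especially by a user with no paid license) can be run over exported audit events with a few lines of code. The script below is an added example written for this page; it is not Mitiga’s tooling or Google’s. The nesting of the sample records follows the shape of the Google Admin SDK Reports API `activities.list` response (`id.time`, `actor.email`, `events[].name`, `parameters[]`), but the specific event and parameter names (`LICENSES_SETTINGS`, `REVOKE_LICENSE`, `ASSIGN_LICENSE`, `USER_EMAIL`, `source_copy`, `owner_is_shared_drive`) and all of the records themselves are constructed assumptions for illustration; check them against your own exported logs before relying on the filters.

```python
"""Threat hunt over Google Workspace audit events (added example, assumed schema)."""
from datetime import datetime, timedelta

# Constructed sample data. Shape mimics Reports API activities; names are assumptions.
ADMIN_EVENTS = [
    {"id": {"time": "2023-05-30T09:00:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "LICENSES_SETTINGS", "name": "REVOKE_LICENSE",
                 "parameters": [{"name": "USER_EMAIL", "value": "alice@example.com"}]}]},
    {"id": {"time": "2023-05-30T09:18:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "LICENSES_SETTINGS", "name": "ASSIGN_LICENSE",
                 "parameters": [{"name": "USER_EMAIL", "value": "alice@example.com"}]}]},
    # Routine offboarding: revoked and never reassigned, so the flip rule ignores it.
    {"id": {"time": "2023-05-30T10:00:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "LICENSES_SETTINGS", "name": "REVOKE_LICENSE",
                 "parameters": [{"name": "USER_EMAIL", "value": "bob@example.com"}]}]},
]

DRIVE_EVENTS = [
    # Shared drive -> personal My Drive, by a user with no paid license: the last
    # thing the organization will ever see logged for this file.
    {"id": {"time": "2023-05-30T09:05:00Z", "applicationName": "drive"},
     "actor": {"email": "carol@example.com"},
     "events": [{"type": "access", "name": "copy",
                 "parameters": [{"name": "doc_title", "value": "Q2 board deck.pptx"},
                                {"name": "source_copy", "boolValue": True},
                                {"name": "owner_is_shared_drive", "boolValue": False}]}]},
    # Copy that stays inside a shared drive: still fully logged, not flagged.
    {"id": {"time": "2023-05-30T09:07:00Z", "applicationName": "drive"},
     "actor": {"email": "dave@example.com"},
     "events": [{"type": "access", "name": "copy",
                 "parameters": [{"name": "doc_title", "value": "Runbook.docx"},
                                {"name": "source_copy", "boolValue": True},
                                {"name": "owner_is_shared_drive", "boolValue": True}]}]},
    # A view, not a copy: irrelevant to this hunt.
    {"id": {"time": "2023-05-30T09:09:00Z", "applicationName": "drive"},
     "actor": {"email": "erin@example.com"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Runbook.docx"}]}]},
]

# Constructed license inventory: users currently on the free license.
UNLICENSED_USERS = {"carol@example.com"}


def _ts(activity):
    """Parse the RFC 3339 timestamp the Reports API puts in id.time."""
    return datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))


def _param(event, name):
    """Return a parameter value; the API spreads values over value/boolValue/intValue."""
    for p in event.get("parameters", []):
        if p["name"] == name:
            return p.get("value", p.get("boolValue", p.get("intValue")))
    return None


def find_license_flips(activities, window=timedelta(hours=1)):
    """Pair each REVOKE_LICENSE with a later ASSIGN_LICENSE for the same user
    inside `window`. Legitimate offboarding revokes and never reassigns; a
    revoke followed by a reassign minutes later is the pattern to investigate."""
    pending_revokes = {}  # user -> (time, admin actor) of the latest unpaired revoke
    flips = []
    for act in sorted(activities, key=_ts):
        for ev in act["events"]:
            if ev.get("type") != "LICENSES_SETTINGS":
                continue
            user = _param(ev, "USER_EMAIL")
            if ev["name"] == "REVOKE_LICENSE":
                pending_revokes[user] = (_ts(act), act["actor"]["email"])
            elif ev["name"] == "ASSIGN_LICENSE" and user in pending_revokes:
                revoked_at, actor = pending_revokes.pop(user)
                gap = _ts(act) - revoked_at
                if gap <= window:
                    flips.append({"user": user, "actor": actor, "revoked": revoked_at,
                                  "reassigned": _ts(act),
                                  "gap_minutes": gap.total_seconds() / 60})
    return flips


def find_shared_drive_copies(activities, unlicensed_users):
    """Return Drive `copy` events whose source is a shared drive (assumed
    `source_copy` flag) and whose destination is not a shared drive. Copies by
    users on the free license are marked, since nothing they do with the copy
    afterwards (including downloading it) will be logged."""
    hits = []
    for act in activities:
        for ev in act["events"]:
            if ev.get("name") != "copy" or not _param(ev, "source_copy"):
                continue
            if _param(ev, "owner_is_shared_drive"):  # destination is still a shared drive
                continue
            actor = act["actor"]["email"]
            hits.append({"actor": actor, "time": _ts(act),
                         "title": _param(ev, "doc_title"),
                         "unlicensed": actor in unlicensed_users})
    return hits


if __name__ == "__main__":
    for f in find_license_flips(ADMIN_EVENTS):
        print(f"license flip: {f['user']} by {f['actor']} in {f['gap_minutes']:.0f} min")
    for h in find_shared_drive_copies(DRIVE_EVENTS, UNLICENSED_USERS):
        print(f"shared-drive copy: {h['actor']} -> {h['title']} (unlicensed={h['unlicensed']})")
```

In a real deployment the two lists would come from `activities.list` for `applicationName=admin` and `applicationName=drive` respectively, and the unlicensed-user set from the License Manager API. Tune the window to your offboarding SLA: a revoke that is followed by a reassign hours or days later is usually a mistake being corrected, while one within minutes is worth a look.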

Overall, organizations “should understand that if you have users with free licenses, they can download or copy data from your organization’s private Google Drive and their activity will not be logged,” Aspir said. “Be very careful with users in your company who don’t have paid licenses.”

