A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks.
"Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem," Martin Zugec, technical solutions director at Bitdefender, said in a new report.
A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing "since it's outside of our threat model and the behavior is in line with Chrome's practices of storing local data."
However, the Romanian cybersecurity firm has warned that threat actors can exploit such gaps to extend a single endpoint compromise to a network-wide breach.
The attacks, in a nutshell, rely on an organization's use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities.
This enables administrators to remotely manage and control Windows devices within their Google Workspace environments, as well as allows users to access their Windows devices using the same credentials that are used to login to their Google accounts.