Hackers Can Exploit Google Workspace and Cloud Platform for Ransomware Attacks

Nov 16, 2023NewsroomCloud Security / Ransomware

Cloud Platform for Ransomware Attacks

A set of new attack methods have been demonstrated against Google Workspace and the Google Cloud Platform that can potentially be used by threats to conduct ransomware, data exfiltration, and password recovery attacks.

“Starting from a compromised machine, threat actors can progress in several ways: they can move to other cloned machines with GCPW installed, can access the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem,” Martin Zugec, director of technical solutions at Bitdefender , SAYS in the new report.

A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not worth fixing “Because it’s not in our threat model and the behavior is consistent with Chrome’s local data storage practices.”


However, the Romanian cybersecurity company warns that threat actors can exploit such gaps to increase a compromise at the end of a network-wide breach.

The attacks, in short, rely on an organization’s use of the Google Credential Provider for Windows (GCPW), which offers mobile device management (MDM) and single sign-on (S.S.O) capabilities.

This enables administrators to remotely manage and control Windows devices within their Google Workspace environment, as well as allow users to access their Windows devices using the same credentials used to log in. in their Google accounts.

Cloud Platform for Ransomware Attacks

GCPW is designed to use a local privileged account in a service called Google Accounts and ID Administration (GAIA) to smoothly speed up the background process by connecting to Google APIs for verifying a user’s credentials during the sign-in step and storing a refresh token to avoid the need for re-authentication .

With this setup, an attacker with access to a compromised machine can obtain a refreshed OAuth token of an account, either from the Windows registry or from the user’s Chrome profile directory, and bypass multi-factor authentication (MFA) protections.

The refresh token is used to make an HTTP POST request to the endpoint “https://www.googleapis(.)com/oauth2/v4/token” to obtain an access token, which, in turn, can be abused to obtain. , manipulate, or delete sensitive data associated with a Google Account.


The second exploit relates to the so-called Golden Image lateral movement, which focuses on virtual machine (VM) deployments and exploits the fact that creating a machine by cloning another machine with pre-installed GCPW causes of the password associated with the GAIA account that can also be cloned.

“If you know the password of a local account, and the local accounts on all the machines have the same password, then you know the passwords on all the machines,” Zugec explained.

“This shared password challenge is similar to having the same local administrator password on all machines which is addressed by Microsoft’s Local Administrator Password Solution (LAPS).”

A third attack involves accessing plaintext credentials by using the access token obtained using the aforementioned technique to send an HTTP GET request to an undocumented API endpoint and obtain the private RSA key needed to decrypt the password field.

“Access to plaintext credentials, such as usernames and passwords, represents a much more serious threat,” Zugec said. “This is because it allows attackers to directly impersonate legitimate users and gain unrestricted access to their accounts, potentially leading to complete account takeover.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment