The lack of event logging in the free subscription version of Google Workspace may allow attackers to download data from Google Drive without leaving a trace of their illicit activity.
Researchers on a team at Mitiga have discovered what they call a key “forensic security deficiency” in the popular hosted productivity app, arising from a lack of log generation for users who don’t have a paid enterprise license for Workspace. In a Mitiga blog post published on May 30, the team noted that the situation leaves companies exposed to insider threats and other potential data breaches.
Though users with a paid license, such as Google Workspace Enterprise Plus, get visibility into Google Drive activity through "drive log events," which record actions like copying, deleting, downloading, and viewing files, those with the default Cloud Identity Free license do not, the researchers said. This blinds organizations to potential data tampering and exfiltration attacks and limits how quickly and effectively they can respond, because they have little or no way of determining what data has been stolen, or whether any data has been stolen at all.
"Specifically at Google, the free license is the default when a new user is added to your domain, which means you won't receive any logs of Google Drive activity from their private drive," Or Aspir, cloud security research team leader at Mitiga, tells Dark Reading. "This is the main problem because without those logs, you can't see users potentially downloading the data from their private drive."
Even companies that assign enterprise licenses to their corporate Google Workspace users, and thus gain the visibility that logging provides, may still be at risk of data theft if users copy files from a shared business drive to their personal Google Drive, where that visibility does not extend, says Aspir.
"If users have permissions to access some company shared drives, they can copy the files from the shared drive to their private drive…and the company will not receive any logs of the user downloading the copied files from their private drive," he explains.
How attackers can exploit the Google Drive deficiency
There are two key scenarios in which this lack of visibility presents a problem, the researchers described in their post. The first is when a threat actor compromises a user's account, whether that of an administrator or simply of an ordinary user, they wrote.
“A threat actor that gains access to an admin user can revoke the user’s license, download all of their private files, and reassign the license,” they explained in the post. In this case, the only log records that would be generated are license revocation and assignment activity, in Admin Log Events, the researchers said.
Meanwhile, a threat actor who gains access to a user who has no paid license but still has a private drive in the organization's Workspace can download all the files on that drive without leaving any trace, the researchers said.
The second threat scenario would be more likely to occur during employee offboarding, when a corporate user leaves the company and is therefore unlicensed before the employee is disabled or removed as a Google user, the researchers said.
The departing employee (or any user who has not been assigned a paid license) can then download internal files from their private drive in the corporate Google Workspace without any alert, due to the lack of logging, posing an insider threat or risking exposure of that data to an external attacker, they added. A user who still has a private drive in the company's Workspace can likewise download files from it to a personal Google account without any logging, the researchers said.
"Either way, without a paid license, users can still access the shared drive as viewers," they explained in the post. "A user or a threat actor can copy all the files from the shared drive to their private drive and download them."
How companies can respond
Mitiga contacted Google about the issue, but the researchers said they have yet to receive a response, adding that Google’s security team generally doesn’t recognize forensic deficiencies as a security issue.
This highlights a concern when working with software-as-a-service (SaaS) and cloud providers, in that organizations using their services “rely solely on them for any forensic data they may have,” Aspir says. “When it comes to SaaS and cloud providers, we’re talking about a shared responsibility when it comes to security because you can’t add additional safeguards within what’s being offered.”
For example, an organization is completely dependent on what Google Workspace provides, says Aspir. In his opinion, that information should be “all the records necessary for companies to understand if something bad happened and what exactly happened.”
Fortunately, there are steps that organizations using Google Workspace can take to detect the activity Mitiga describes, the researchers said. These include watching for certain actions in Admin Log Events, such as license revocations and assignments, they said.
"If these events occur in rapid succession, it could suggest that a threat actor is revoking and reallocating licenses in your environment," they wrote in the post. "As a result, we suggest running regular threat hunts in Google Workspace that include looking for this activity."
Organizations can also add “source_copy” events in the threat hunt to detect a case where an employee or threat actor copies files from the shared drive to a private drive and downloads them from there, the researchers said.
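The two hunts described above (a license revoked and re-assigned to the same user in rapid succession, and a copy from a shared drive into the personal drive of a user who holds no paid license) can be run as a small script over exported audit events. The example below is added here and is not Mitiga's or Google's code. The event names (`REVOKE_LICENSE`, `ASSIGN_LICENSE`, `copy`), the flattened record fields, the 30-minute window, and the license inventory are all constructed assumptions for illustration; map them to the actual Admin SDK Reports API and Drive log event schema in your tenant before relying on the logic.

```python
"""Threat hunt over Google Workspace audit events for the two patterns
discussed on this page. Event names, field names and sample records are
constructed assumptions, not the real Reports API schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened to one dict per event (assumed shape).
SAMPLE_EVENTS = [
    {"time": "2023-05-30T10:00:00Z", "actor": "admin@example.com", "type": "admin",
     "name": "REVOKE_LICENSE", "target": "alice@example.com"},
    {"time": "2023-05-30T10:04:00Z", "actor": "admin@example.com", "type": "admin",
     "name": "ASSIGN_LICENSE", "target": "alice@example.com"},
    # Normal offboarding: revoke with no quick re-assignment.
    {"time": "2023-05-30T11:30:00Z", "actor": "admin@example.com", "type": "admin",
     "name": "REVOKE_LICENSE", "target": "bob@example.com"},
    {"time": "2023-06-01T09:00:00Z", "actor": "admin@example.com", "type": "admin",
     "name": "ASSIGN_LICENSE", "target": "bob@example.com"},
    # Copies out of a shared drive into personal My Drive space.
    {"time": "2023-05-30T12:00:00Z", "actor": "carol@example.com", "type": "drive",
     "name": "copy", "source_shared_drive": "Finance",
     "owner": "carol@example.com", "doc_title": "Q2-forecast.xlsx"},
    {"time": "2023-05-30T12:05:00Z", "actor": "dave@example.com", "type": "drive",
     "name": "copy", "source_shared_drive": "Finance",
     "owner": "dave@example.com", "doc_title": "Q2-forecast.xlsx"},
]

# Assumed license inventory: True = paid Workspace license, False = free.
# In practice this comes from the Enterprise License Manager API.
PAID_LICENSE = {
    "alice@example.com": True,
    "bob@example.com": True,
    "carol@example.com": False,
    "dave@example.com": True,
}


def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_license_cycles(events, window=timedelta(minutes=30)):
    """Return (target, revoke_time, assign_time) for every license that was
    revoked and then re-assigned to the same user within `window`.
    Events are processed in time order so an assignment is only matched to
    revocations that happened before it."""
    pending_revokes = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["type"] != "admin":
            continue
        t = parse_time(ev["time"])
        if ev["name"] == "REVOKE_LICENSE":
            pending_revokes[ev["target"]].append(t)
        elif ev["name"] == "ASSIGN_LICENSE":
            for revoked_at in pending_revokes[ev["target"]]:
                if timedelta(0) <= t - revoked_at <= window:
                    hits.append((ev["target"], revoked_at, t))
    return hits


def find_shared_drive_copies_to_unlicensed(events, paid=PAID_LICENSE):
    """Return copy events whose source is a shared drive and whose destination
    owner holds no paid license, i.e. copies whose later download will not
    be logged. Unknown users are treated as unlicensed (fail closed)."""
    return [
        ev for ev in events
        if ev["type"] == "drive"
        and ev["name"] == "copy"
        and ev.get("source_shared_drive")
        and not paid.get(ev["owner"], False)
    ]


if __name__ == "__main__":
    for target, revoked_at, assigned_at in find_license_cycles(SAMPLE_EVENTS):
        print(f"license cycle on {target}: revoked {revoked_at}, re-assigned {assigned_at}")
    for ev in find_shared_drive_copies_to_unlicensed(SAMPLE_EVENTS):
        print(f"unlogged-download risk: {ev['owner']} copied "
              f"'{ev['doc_title']}' out of shared drive {ev['source_shared_drive']}")
```

Run against the constructed sample, the script flags only Alice's revoke/assign pair (Bob's re-assignment falls outside the window) and only Carol's copy (Dave holds a paid license, so his later download would appear in Drive log events). Tune the window to your admin team's normal license churn and treat unknown accounts as unlicensed, since the whole point of the hunt is that the free-license case is the one without coverage.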
In general, organizations “should understand that if there is a user with a free license, that user can download or copy data from the organization’s private Google Drive and there will be no record of the activity,” says Aspir. “Be very careful with users within the company who do not have a paid license.”