
Security Vulnerability in Google Drive Allowed Hackers to Extract Data

Well hi there, Bay Area folks! I’m swinging by today to chat about something we all encounter in our daily lives: cloud storage. Our pal Google Drive is one that many of us rely on to stash everything from spreadsheets to half-written novels. But being popular also means it’s a juicy target for some not-so-nice folks out to steal your data.

Now, our friends at Mitiga have been doing some fantastic research into how these sneaky data thieves work. They examined how data is lifted from Google Workspace, shedding some light on a big security gap.

Here’s the gist of it: bad actors who get into a Google Workspace account can reach your sensitive files in Google Drive, and the scarier part is that, depending on the account’s licensing, they can do it without you ever knowing. The gap isn’t in the storage itself but in the logging: those sneaky scoundrels can exfiltrate data from Google Drive and not leave so much as a footprint in the audit trail.

Google, of course, has its methods to keep an eye on things. It uses “Drive log events” to track what’s happening in your Google Drive, including when an object is shared with someone outside your organization, which is handy for watching external interactions. There’s a catch, though: these super useful events are only generated for users who are on a paid license.

Google’s free Cloud Identity license, the one most of us are probably using on a day-to-day basis, doesn’t allow for this level of oversight. This can open the door to a host of complications, especially if anyone with ill intentions gets inside.

If a devious data thief compromises an admin user’s account, for example, they gain control over some crucial actions, yet the only records the system keeps are of licenses being revoked and assigned. Nothing else they do is logged. This is alarming, especially when the compromised user lacks a paid license but still has access to the organization’s private drive.

Now, consider the situation when an employee leaves your company. Their paid license is revoked, but their account still has access to their private drive. And the catch? They can download internal files directly from that private drive without leaving any trace. Employment ends, but their access to files doesn’t, and since they no longer have a paid license, there’s no log of their actions. This is a considerable loophole that could potentially benefit someone with sinister intentions.

So, what to do about it? Mitiga’s researchers have contacted Google about this issue, but at present there is no official response. They do, however, have some recommendations.

Firstly, you should keep a close eye on “Admin Log Events”. Particular attention should be paid to when licenses are assigned or revoked. It’s also well worth dedicating some time to looking for potential threats within Google Workspace.

And of course, staying proactive is one of the best defenses. Proactive threat hunting within Google Workspace can help you identify risks and breaches quickly, allowing you to tackle them head-on. Specifically, to catch files being copied from a shared drive to a private one and then downloaded, monitoring the “source_copy” events (followed by a download of the same file) is vital.
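As an added illustration (this is not code from the post or from Mitiga), here is a small Python correlation over constructed audit records in a simplified shape: it surfaces the two things the post says to watch, license revoke/assign windows in the admin log and “source_copy” followed by a download of the same file in the Drive log. The record layout and the event names REVOKE_LICENSE and ASSIGN_LICENSE are assumptions for the example, not the exact names used by Google’s Reports API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape (field and event names are
# assumptions for this example, not the exact Google Reports API schema).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T08:50:00Z", "app": "drive", "actor": "alice@example.com",
     "name": "source_copy", "doc_title": "Q4-financials.xlsx"},
    {"time": "2024-01-10T08:55:00Z", "app": "drive", "actor": "alice@example.com",
     "name": "download", "doc_title": "Q4-financials.xlsx"},
    {"time": "2024-01-10T09:00:00Z", "app": "admin", "actor": "admin@example.com",
     "name": "REVOKE_LICENSE", "target": "bob@example.com"},
    {"time": "2024-01-10T11:00:00Z", "app": "admin", "actor": "admin@example.com",
     "name": "ASSIGN_LICENSE", "target": "bob@example.com"},
    {"time": "2024-01-11T17:00:00Z", "app": "admin", "actor": "admin@example.com",
     "name": "REVOKE_LICENSE", "target": "carol@example.com"},
    {"time": "2024-01-12T10:00:00Z", "app": "drive", "actor": "dave@example.com",
     "name": "download", "doc_title": "lunch-menu.pdf"},
]

def parse_time(stamp):
    """Parse the RFC 3339 'Z' timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def license_blind_windows(events):
    """Return (user, revoked_at, reassigned_at) for each license revocation.
    reassigned_at is None when the license never came back (the departed
    employee case); Drive actions inside the window leave no Drive log events."""
    windows, open_since = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["app"] != "admin":
            continue
        user = ev["target"]
        if ev["name"] == "REVOKE_LICENSE":
            open_since[user] = parse_time(ev["time"])
        elif ev["name"] == "ASSIGN_LICENSE" and user in open_since:
            windows.append((user, open_since.pop(user), parse_time(ev["time"])))
    return windows + [(u, t, None) for u, t in open_since.items()]

def copy_then_download(events, max_gap=timedelta(hours=1)):
    """Flag (actor, doc_title) pairs where a source_copy of a document is
    followed by a download of the same document by the same actor within max_gap."""
    copied_at, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["app"] != "drive":
            continue
        key, when = (ev["actor"], ev["doc_title"]), parse_time(ev["time"])
        if ev["name"] == "source_copy":
            copied_at[key] = when
        elif ev["name"] == "download" and key in copied_at:
            if when - copied_at[key] <= max_gap:
                hits.append(key)
    return hits
```

Feeding real Admin and Drive audit exports through these two functions requires only mapping their actual field names onto the simplified shape used here.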

So, there’s some food for thought next time you’re vaulting vast amounts of precious data in the cloud! Stay safe, stay informed, and keep your defenses up!

by Morgan Phisher | HEAL Security
