Security researchers at Bitdefender have reported a potential method by which attackers can leverage Google's single sign-on (SSO) integration with Windows to move laterally within corporate networks. Because the technique extracts access tokens and plaintext passwords from a system that is already compromised, it poses a significant threat to organizations using Google Workspace and Google Cloud services.
Bypassing Traditional Security Measures
Traditionally, companies have focused on monitoring well-known lateral movement techniques, particularly those associated with Active Directory (AD) environments. However, SSO tools such as Google Credential Provider for Windows (GCPW), which sync Google accounts with local AD, offer a less conspicuous attack vector. GCPW provides a seamless SSO experience on Windows 10 and Windows 11 devices by registering as a Credential Provider in the Windows authentication system, and that position in the logon path exposes a substantial attack surface to anyone with malicious intent.
Bitdefender emphasized that attackers who gain administrative control over an organization's Google Workspace, with its device management capabilities, can push a malicious payload to all managed systems. The attack could extend to the Google Cloud Platform (GCP), compromising a wide range of data and services.
Token Theft and Exploitation
The exploitation process begins with a spear-phishing attack which, once successful, allows attackers to extract the refresh token associated with the employee's Google account. This refresh token is valuable because it keeps the user's session on Google services active without repeated re-authentication. Although the token is stored encrypted, forensic tools can decrypt it when they are run on the system that stored it.
An attacker's ability to obtain these tokens provides extensive access to the user's Google Workspace applications and administrative settings if the user has privileged access. The implications range from data extraction to creating shadow administrative accounts for sustaining prolonged unauthorized access, particularly concerning if the organization leverages Google Cloud resources for software development and other critical functions.
Bitdefender has informed Google about the decryption of refresh tokens and plaintext passwords, but Google considers the issue outside its current security threat model, because exploitation requires prior compromise of the local device.
Experts advise that organizations should not presume that integrating cloud services with local infrastructure is inherently secure. Instead, robust monitoring, reasonable access controls, and alerting across all such integrations are recommended to safeguard against these attacks.
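One concrete form of the alerting recommended above, targeting the "shadow administrative accounts" outcome described earlier, is to watch the Google Workspace admin audit log for an account that is created and then granted an admin role within a short window. The following is an added example, not code from Bitdefender or Google; the event and parameter names (CREATE_USER, ASSIGN_ROLE, USER_EMAIL, ROLE_NAME, the _SEED_ADMIN_ROLE super-admin role name) follow the Workspace admin audit schema as I understand it and are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Maximum gap between account creation and role assignment that we treat as suspicious.
WINDOW = timedelta(hours=24)

# Constructed sample of Workspace admin audit activities (Reports API shape, simplified).
CONSTRUCTED_EVENTS = [
    {"id": {"time": "2024-01-10T09:00:00Z"}, "actor": {"email": "it-admin@example.com"},
     "events": [{"name": "CREATE_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"}]}]},
    {"id": {"time": "2024-01-10T09:05:00Z"}, "actor": {"email": "it-admin@example.com"},
     "events": [{"name": "CREATE_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "svc-backup@example.com"}]}]},
    {"id": {"time": "2024-01-10T09:07:00Z"}, "actor": {"email": "it-admin@example.com"},
     "events": [{"name": "ASSIGN_ROLE",
                 "parameters": [{"name": "USER_EMAIL", "value": "svc-backup@example.com"},
                                {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"}]}]},
    # Same role granted to an account created weeks earlier: outside the window, not flagged.
    {"id": {"time": "2024-02-01T12:00:00Z"}, "actor": {"email": "it-admin@example.com"},
     "events": [{"name": "ASSIGN_ROLE",
                 "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"},
                                {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"}]}]},
]


def _param(event, name):
    """Return the value of a named parameter on one audit event, or None."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def _ts(activity):
    return datetime.strptime(activity["id"]["time"], "%Y-%m-%dT%H:%M:%SZ")


def find_shadow_admins(activities, window=WINDOW):
    """Return findings for accounts granted an admin role within `window` of creation."""
    created, findings = {}, []
    for act in sorted(activities, key=_ts):   # order by time so creation precedes assignment
        when, actor = _ts(act), act.get("actor", {}).get("email")
        for ev in act.get("events", []):
            target = _param(ev, "USER_EMAIL")
            if ev.get("name") == "CREATE_USER":
                created[target] = when
            elif ev.get("name") == "ASSIGN_ROLE" and target in created:
                age = when - created[target]
                if age <= window:
                    findings.append({"user": target, "role": _param(ev, "ROLE_NAME"),
                                     "actor": actor, "age_minutes": int(age.total_seconds() // 60)})
    return findings
```

In production the same function would run over activities fetched from the admin audit log rather than the embedded sample, and each finding would be reviewed against the ticket or change record that justified the new admin.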
Security Concerns in the Age of Hybrid Environments
As organizations increasingly adopt hybrid environments that bridge local infrastructure with cloud-based services, the risk of SSO-related attacks underscores the need for vigilant security practices that cover these integrations. The findings argue for a layered security strategy that not only enforces stringent monitoring within the traditional network perimeter but also extends protective measures to cloud-based integrations, which could otherwise serve as gateways for attackers.