jayzynism - stock.adobe.com
Mitiga warns free Google Drive license lacks logging visibility
The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace.
A security deficiency in Google Workspace could let an attacker exfiltrate data from Google Drive without being traced, a new Mitiga report warned.
While conducting research into cloud and SaaS attack vectors, Mitiga researchers Ariel Szarf and Or Aspir discovered that users with an unpaid license for Google Workspace lack visibility into logging activity for Google Drive. The ability to view Google Drive log events is critical for enterprises to track data theft activity, which is an increasing threat.
In a blog post on Thursday, Szarf and Aspir emphasized that Google Drive is one of the most common targets for data exfiltration attacks. Therefore, they were surprised forensic visibility only applied to paid Google Workspace users considering the potentially severe consequences.
"Once a malicious user inside has accessed the organization's Google Drive, they can take action without being recorded at all," Szarf and Aspir wrote in the blog post.
One important role of Google Workspace is how it lets enterprises view Google Drive resources using "Drive log events" to copy, delete, download or view files. Additionally it records events that involve external domains as well. The issue addressed in Mitiga's report is that only paid users can complete those actions, which can be essential in incident response.
For free users, that means attackers could abuse the cloud file storage service and exfiltrate data without leaving evidence behind.
"They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks," the blog post read. "When incidents occur, this standard prevents organizations from efficiently responding, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all."
During their research, Szarf and Aspir determined that to get Google Drive features beyond the default Cloud Identify Free license, an admin must assign a paid license named Google Workspace Enterprise Plus to their users.
"When a 'Google Workspace Enterprise Plus' license is not assigned, there are no log records of actions in the users' private drive," the report read.
The blog post covered two potential scenarios for exploitation. The first concern was if a user's account is compromised by a threat actor. If the threat actor gains administrative access, they could revoke the user's license, download all their private files and reassign the license, the researchers warned. Even if the attacker gains access to a free user, they could still "download all the drive's files without leaving any trace."
The researchers also found that exploitation could occur during the employee offboarding process when licenses are removed before the Google user. Aspir told TechTarget Editorial he was surprised logs are not included in the basic Google Drive license, since many resources are often included in other SaaS tools.
"However, in Google Workspace, if the user doesn't have a specific license, you won't get all the logs, which is kind of weird," Aspir said. "If you are a free user, you won't get logs from Google Drive, and potentially, stuff can get out from Google Drive and from the organization. You won't see the logs, which is critical for organizations because one of their biggest risks is if the data is gone from the environment, and you won't have any clue why or who."
Reporting woes
Mitiga reported the security deficiency to Google Workspace by submitting a ticket but was unimpressed with the vendor's response. Now that the report is published, Aspir hopes Google will aim to improve security.
"The official response we received was, 'We closed the ticket because it's not a vulnerability and we cannot do anything' and that was it," he said. "In the past, we showed them other issues when it comes to logging visibility and security deficiencies, and they don't take it seriously, unfortunately."
Contacted by TechTarget Editorial, a Google spokesperson pushed back on Mitiga's report, saying any Google Workspace or Edu Drive license includes access to audit logs. "Cloud Identity Free is meant to only enable limited access to Drive for non-sensitive data, and is not designed for the types of organizations that generally need these options," they said. "The types of organizations looking for the type of robust auditing referenced in this report, are generally already using Google Workspace enterprise licenses, which have extensive auditing capabilities."
The Google spokesperson added that organizations or users that want more advanced capabilities can sign up for Google Workspace Enterprise Essentials, which has a Starter Edition available that is free for up to 100 users. Those capabilities include Google Workspace audit logs for administrator activity, data access and system events, which are customizable via the Workspace Admin Console.
The problem extends beyond Thursday's security report, according to Mitiga. Aspir addressed concerns over the Shared Responsibility Model, which puts security controls in the hands of cloud vendors rather than users.
"It's a big problem because when you use cloud or SaaS because of the shared responsibility, you don't have the ability to install something else on the environment that will give you the logs like on premises. It depends solely on what Google or the cloud or SaaS provider provides you," he said. "If they don't provide you with the log, you'll have a problem. You cannot see if something went wrong."
While enterprises may lack visibility with the basic Google Drive licenses, Mitiga did offer mitigation recommendations. One option is to view events about license assignment and revoke activity, which appear under Admin Log Events. Events that occur in quick succession may suggest a threat actor is revoking and reassigning licenses in the enterprise environment.
Additionally, the blog post urged enterprises to monitor all events, including "source_copy" activity, and not focus solely on significant downloads to detect potential breaches.
