Bitdefender has disclosed a set of attack techniques that threat actors could use against organisations running Google Workspace and Google Cloud Platform, reports The Hacker News.
In its report, the company shows how an attacker who has already gained access to a Windows machine by some other means can abuse the way Google Credential Provider for Windows (GCPW) works. GCPW relies on a privileged local service account, Google Accounts and ID Administration (GAIA), to verify users' credentials, and it then stores an OAuth refresh token so that the user does not have to re-authenticate. An attacker with a foothold on the machine can therefore extract that refresh token and use it to obtain fresh access tokens for the victim's Google account, sidestepping multifactor authentication because the token was issued after the user had already completed the full sign-in.
A second technique, which Bitdefender calls Golden Image lateral movement, exploits the fact that cloning a virtual machine with GCPW pre-installed also clones the password of the GAIA account, so every machine built from that image shares the same privileged local credential.
A third technique uses a previously acquired access token to send an HTTP GET request to an undocumented API endpoint, which returns the RSA private key needed to decrypt the stored password field.
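A read-only host audit that a defender might run to scope the exposure described above, as an added example that is not part of Bitdefender's report or The Hacker News coverage. It assumes, since the page does not say so, that GCPW keeps its configuration under HKLM:\SOFTWARE\Google\GCPW and that the GAIA service account is the local user named "gaia"; adjust both if your deployment differs. It reports whether GCPW is installed, whether the GAIA account exists and sits in the local Administrators group, and the machine SID, which clones of one golden image share unless the image was generalised.

```powershell
# Added example, not from the original report. Assumptions (not stated on the page):
# GCPW configuration lives under HKLM:\SOFTWARE\Google\GCPW and the service account
# is the local user "gaia". Run elevated; the script only reads.
$gcpwKey  = 'HKLM:\SOFTWARE\Google\GCPW'   # assumed install location
$gaiaName = 'gaia'                         # assumed service account name

$result = [ordered]@{
    ComputerName  = $env:COMPUTERNAME
    GcpwInstalled = Test-Path -Path $gcpwKey
    GaiaPresent   = $false
    GaiaIsAdmin   = $false
    GaiaSid       = $null
    MachineSid    = $null
}

$gaia = Get-LocalUser -Name $gaiaName -ErrorAction SilentlyContinue
if ($gaia) {
    $result.GaiaPresent = $true
    $result.GaiaSid     = $gaia.SID.Value
    # The machine SID is the account SID minus its trailing RID. Machines cloned
    # from one image without sysprep report the same value here, which is the
    # same population that also shares the cloned GAIA password.
    $result.MachineSid  = $gaia.SID.AccountDomainSid.Value

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $result.GaiaIsAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $gaia.SID.Value })
}

# Emit one object per host so the output can be collected across a fleet and
# grouped by MachineSid to find clone sets.
[pscustomobject]$result
```

Collect the output from every GCPW host and group it by MachineSid: any group with more than one member is a set of clones whose GAIA accounts share a password and should have GCPW reinstalled (or the account's password rotated) individually rather than from the shared image.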