Threat actors can exfiltrate data from Google Drive without leaving a trace

Google Workspace (formerly G Suite) has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say.

A problem for digital forensic analysts and incident responders

“Google Workspace provides visibility into a company’s Google Drive resources using ‘Drive log events,’ for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user,” Mitiga‘s Ariel Szarf and Or Aspir explained.

By default, Google Drive users start with a ‘Cloud Identity Free’ license, and are assigned a paid one (e.g., ‘Google Workspace Enterprise Plus’) by one of their organization’s IT administrators.

data exfiltration Google Drive

But when this paid license is not assigned, there are no log records of actions in the users’ private drive, the researchers discovered – and that could leave organizations in the dark about data manipulation and exfiltration actions users or outside attackers may perform.

For example, if they haven’t been assigned a paid license or their license has been removed before their Google account is revoked, employees leaving the company could exploit this weak spot to take off with company intellectual property without leaving any forensic evidence of wrongdoing.

A user can previously copy all the files from the organization’s shared drive to their private drive and download them: the downloading won’t be logged at all, and the copying will be logged only partially (in the ‘source_copy’ log, but not in the ‘copy’ log).

Outside attackers could do the same if they have compromised the account of a user without a paid license or the account of an IT administrator.

“A threat actor who gains access to an admin user can revoke the user’s license, download all their private files, and reassign the license. The only log records that are generated in this case are of revoke and assign license (under ‘Admin Log Events’),” the researchers explained.

Spotting data exfiltration via Google Drive

The researchers’ advice for organizations is to regularly perform threat hunting in Google Workspace and search for suspicious license assignment and revocation events and monitor ‘source_copy’ logs for unusual/suspicious copying of company files.

They say that even though they have flagged this forensic security deficiency to Google’s security team, they don’t expect them to recognize it as a security problem.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss