www.helpnetsecurity.com
52.10.66.75
Public Scan
URL:
https://www.helpnetsecurity.com/2023/06/01/data-exfiltration-google-drive/
Submission: On June 02 via api from TR — Scanned from DE
Text Content
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 1, 2023

THREAT ACTORS CAN EXFILTRATE DATA FROM GOOGLE DRIVE WITHOUT LEAVING A TRACE

Google Workspace (formerly G Suite) has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say.

A PROBLEM FOR DIGITAL FORENSIC ANALYSTS AND INCIDENT RESPONDERS

“Google Workspace provides visibility into a company’s Google Drive resources using ‘Drive log events,’ for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user,” Mitiga’s Ariel Szarf and Or Aspir explained.

By default, Google Drive users start with a ‘Cloud Identity Free’ license, and are assigned a paid one (e.g., ‘Google Workspace Enterprise Plus’) by one of their organization’s IT administrators.

But when this paid license is not assigned, there are no log records of actions in the users’ private drive, the researchers discovered – and that could leave organizations in the dark about data manipulation and exfiltration actions users or outside attackers may perform.

For example, if they haven’t been assigned a paid license or their license has been removed before their Google account is revoked, employees leaving the company could exploit this weak spot to take off with company intellectual property without leaving any forensic evidence of wrongdoing.

A user can first copy all the files from the organization’s shared drive to their private drive and then download them: the downloading won’t be logged at all, and the copying will be logged only partially (in the ‘source_copy’ log, but not in the ‘copy’ log).

Outside attackers could do the same if they have compromised the account of a user without a paid license or the account of an IT administrator.

“A threat actor who gains access to an admin user can revoke the user’s license, download all their private files, and reassign the license. The only log records that are generated in this case are of revoke and assign license (under ‘Admin Log Events’),” the researchers explained.

SPOTTING DATA EXFILTRATION VIA GOOGLE DRIVE

The researchers’ advice for organizations is to regularly perform threat hunting in Google Workspace, search for suspicious license assignment and revocation events, and monitor ‘source_copy’ logs for unusual or suspicious copying of company files.

They say that even though they have flagged this forensic security deficiency to Google’s security team, they don’t expect them to recognize it as a security problem.