Threat actors can exfiltrate data from Google Drive without leaving a trace
Google Workspace has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say.
"Google Workspace provides visibility into a company's Google Drive resources using 'Drive log events,' for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user," Mitiga's Ariel Szarf and Or Aspir explained.
By default, Google Drive users start with a 'Cloud Identity Free' license, and are assigned a paid one by one of their organization's IT administrators.
If they haven't been assigned a paid license or their license has been removed before their Google account is revoked, employees leaving the company could exploit this weak spot to take off with company intellectual property without leaving any forensic evidence of wrongdoing.
Beforehand, such a user can copy all the files from the organization's shared drive to their private drive and download them: the downloading won't be logged at all, and the copying will be logged only partially.
The researchers advise organizations to regularly perform threat hunting in Google Workspace: search for suspicious license assignment and revocation events, and monitor 'source copy' logs for unusual or suspicious copying of company files.
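One way to run the hunt the researchers recommend, as an added example that is not from Mitiga or the original article: it replays license assignment/revocation events and 'source copy' events in time order and reports users who copied files while holding no paid license. The record shape, the event type labels and the `hunt_unlicensed_copies` name are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified shape (assumption: your audit
# export has been normalized to time/type/user/file; real exports differ).
# For license events, "user" is the account whose license changed.
SAMPLE_EVENTS = [
    {"time": "2023-05-02T09:00:00", "type": "license_assign", "user": "alice@example.com"},
    {"time": "2023-05-10T10:00:00", "type": "source_copy", "user": "alice@example.com", "file": "roadmap"},
    {"time": "2023-05-20T08:00:00", "type": "license_revoke", "user": "alice@example.com"},
    {"time": "2023-05-20T08:30:00", "type": "source_copy", "user": "alice@example.com", "file": "design"},
    {"time": "2023-05-20T08:31:00", "type": "source_copy", "user": "alice@example.com", "file": "pricing"},
    {"time": "2023-05-20T08:32:00", "type": "source_copy", "user": "alice@example.com", "file": "customers"},
    {"time": "2023-05-21T11:00:00", "type": "source_copy", "user": "bob@example.com", "file": "notes"},
]

def hunt_unlicensed_copies(events, licensed_at_start=(), threshold=3):
    """Replay events in time order and report users whose 'source copy'
    count while holding no paid license reaches `threshold`."""
    licensed = set(licensed_at_start)   # users with a paid license right now
    copies = defaultdict(list)          # user -> files copied while unlicensed
    last_revoke = {}                    # user -> time of most recent revoke
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user = ev["user"]
        if ev["type"] == "license_assign":
            licensed.add(user)
        elif ev["type"] == "license_revoke":
            licensed.discard(user)
            last_revoke[user] = ev["time"]
        elif ev["type"] == "source_copy" and user not in licensed:
            # Copying is the only trace left for such a user: downloads
            # from the private drive are not logged at all.
            copies[user].append(ev["file"])
    return [
        {"user": u, "files": files, "revoked_at": last_revoke.get(u)}
        for u, files in sorted(copies.items())
        if len(files) >= threshold
    ]

if __name__ == "__main__":
    for finding in hunt_unlicensed_copies(SAMPLE_EVENTS, licensed_at_start={"bob@example.com"}):
        print(finding)
```

Users absent from `licensed_at_start` and never seen in a license assignment event are treated as unlicensed, which matches the default 'Cloud Identity Free' state the article describes.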
News URL
https://www.helpnetsecurity.com/2023/06/01/data-exfiltration-google-drive/