Attackers are always looking for new ways to expand their access inside corporate networks once they hack into a machine or a user account. Recent research by security firm Bitdefender shows how attackers can gain access to Google Workspace and Google Cloud services by stealing access tokens and even plaintext passwords from compromised Windows systems that have the Google Credential Provider for Windows (GCPW) tool deployed. These credentials can be used in different attack scenarios to steal cloud-hosted data or to move laterally to other accounts and systems inside a network.

While organizations might monitor their Active Directory (AD) environments for known lateral movement techniques that have become a staple of attacks by both state-sponsored cyberespionage groups and ransomware gangs, they can have a blind spot when it comes to cloud-based services that are increasingly integrated with local networks as part of hybrid environments.

GCPW unlocks a large attack surface

Organizations that use Google Workspace (formerly G Suite) for enterprise productivity can deploy GCPW on their Windows 10 and Windows 11 computers in order to sync Google accounts with their local Active Directory and enable a single sign-on (SSO) experience for their users. When deployed, the tool registers itself as a Credential Provider with the Windows Local Security Authority Subsystem Service (LSASS), which handles authentication on Windows systems, allowing users to authenticate locally with their Google account credentials instead of maintaining separate accounts for the AD environment and Google Workspace.

Companies with certain Google Workspace subscriptions can also deploy Google’s device management solution for Windows, which uses GCPW for authentication and device enrolment. In such a setup, the device management component can be used to push custom Windows configurations and policies, manage Windows updates, enable BitLocker drive encryption, remotely wipe devices, and more.

According to Radu Tudorica, a Bitdefender security researcher who presented the GCPW attack scenarios last week at the DefCamp 2023 security conference in Bucharest, an attacker who obtains admin privileges to an organization’s Google Workspace with device management enabled can deploy a download and install policy that pushes a malicious payload to all managed systems. This is similar to how attackers typically push ransomware to an organization’s systems after compromising the network’s domain controller.

Lateral movement could also potentially extend to the organization’s Google Cloud Platform (GCP) account which significantly increases the attack surface by providing access to storage buckets and source code repositories.