Extracting the refresh token
Tudorica’s situation begins like most malware assaults, with a spear-phishing e mail despatched to an worker from a focused group and impersonating a enterprise affiliate for added credibility. The e-mail carries a malicious attachment which, if executed, deploys a malware implant that gives the attacker with distant entry to the Home windows machine with the privileges of the worker’s native account.
If GCPW is deployed on the system, the attacker can then got down to extract the refresh token related to the worker’s Google account. This can be a particular OAuth token generated by Google’s servers following a profitable authentication that preserves the consumer’s lively session for a restricted time, stopping the necessity to re-authenticate when accessing a Google Workspace service.
GCPW shops the refresh token in two places: Briefly within the system registry and later within the consumer’s profile within the Google Chrome browser. The token is saved in encrypted kind in each situations, however its decryption is trivial with a device like Mimikatz or by calling the Home windows CryptUnprotectData API from the identical consumer and machine that was used to encrypt it. In different phrases, this encryption is just meant to guard the token if it’s copied and transferred to a different machine.
Extracting the token from the system registry is stealthier than from contained in the browser profile as a result of security merchandise sometimes flag makes an attempt by exterior processes to learn browser knowledge as suspicious. The draw back is that the token is just briefly out there within the registry earlier than being moved to the browser, however this may be overcome by modifying one other worth known as ‘the token deal with’ that’s saved by GCPW contained in the registry. If this worth is modified, GCPW will assume the session is invalid and can pressure the consumer to re-authenticate, inserting a brand new refresh token briefly within the registry.
The refresh token can be utilized by Google’s OAuth API to request entry tokens for numerous Google companies within the consumer’s identify, offering the attacker with entry to knowledge saved in these companies and their numerous functionalities. This type of API entry doesn’t require multi-factor authentication (MFA) even when the account has it enabled as a result of the refresh token is issued after a profitable authentication is already accomplished, which incorporates the MFA step.
Relying on the consumer’s privileges within the Google Workspace surroundings the attacker can entry their Google Calendar, Google Drive, Google Sheets, Google Duties, some details about their e mail deal with and consumer profile, their Google Cloud Storage and Google Cloud Search, knowledge saved in Google Classroom and extra. If the worker occurs to be a Workspace administrator, they’ll additionally achieve entry to consumer provisioning within the Google Listing and the Vault API, an eDiscovery and knowledge retention device that permits the exporting of all emails and information for all customers inside a corporation. And if machine administration is enabled, an admin account will also be used to abuse its options.
