Bitdefender Labs has identified vulnerabilities in Google Workspace that could lead to ransomware attacks, data exfiltration [1] [2] [3] [4] [5] [6], and password recovery attacks [2] [3] [4]. These vulnerabilities also enable unauthorized access to Google Cloud Platform (GCP) with custom permissions and allow lateral movement between machines [1].

The exploits target the use of Google Credential Provider for Windows (GCPW) [1], which provides mobile device management (MDM) and single sign-on (SSO) capabilities [1] [2]. Specifically, the attacks focus on virtual machine (VM) deployments and abuse the cloning of VMs. It is important to note that executing these exploits first requires compromising a local machine [1]. Bitdefender reported these attack methods to Google [6], but Google has chosen not to address them because they fall outside its threat model [6]. To support the security community [6], Bitdefender has added detections for these attacks to GravityZone XDR [6].

These vulnerabilities pose significant risks [4], including ransomware attacks, data breaches, and unauthorized access to GCP. Although Google has chosen not to address them, organizations using Google Workspace should be aware of these risks and take appropriate steps to mitigate them; since the exploits require a prior local compromise, protecting and monitoring endpoints that run GCPW remains the first line of defense. Bitdefender’s inclusion of detections for these attacks in GravityZone XDR provides valuable support to the security community. Going forward, organizations should remain vigilant and proactive in addressing potential security threats in their Google Workspace environments.