{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/2sv/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["google-workspace","2sv","persistence"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGoogle Workspace administrators can enforce 2-Step Verification (2SV) to enhance user account security, requiring users to verify their identity beyond simple login credentials. This policy can be configured with various verification methods and enrollment periods. However, a malicious actor with administrative privileges may disable 2SV policies to reduce the security requirements for accessing targeted accounts. This could be a precursor to credential access or data exfiltration. The Elastic detection rule \u0026quot;Google Workspace 2SV Policy Disabled\u0026quot; was released on 2022-08-26 and updated on 2026-04-10 to detect this activity. This activity is important for defenders because it can lead to unauthorized access to sensitive data and systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Google Workspace administrator account, possibly through credential compromise or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Google Workspace admin console using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Security settings within the admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the 2-Step Verification settings.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the 2SV enforcement policy for specific organizational units or the entire domain. This generates a \u003ccode\u003egoogle_workspace.login\u003c/code\u003e event with \u003ccode\u003eevent.action: \u0026quot;2sv_disable\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access user accounts without the 2SV requirement, potentially using previously obtained credentials.\u003c/li\u003e\n\u003cli\u003eUpon successful login, the attacker performs malicious actions such as accessing sensitive data, modifying configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting audit logs or creating new admin accounts with modified permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling 2SV weakens the overall security posture of a Google Workspace environment. If successful, attackers can gain unauthorized access to user accounts, leading to data breaches, financial losses, and reputational damage. The number of affected users depends on the scope of the 2SV policy change and the extent of the attacker's access. Organizations in any sector relying on Google Workspace for email, file storage, or other services are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of 2SV policy being disabled and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview Google Workspace audit logs (\u003ccode\u003efilebeat-*\u003c/code\u003e, \u003ccode\u003elogs-google_workspace*\u003c/code\u003e) for unexpected 2SV configuration changes.\u003c/li\u003e\n\u003cli\u003eImplement the security best practices outlined by Google: \u003ca href=\"https://support.google.com/a/answer/7587183\"\u003ehttps://support.google.com/a/answer/7587183\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003euser.name\u003c/code\u003e or \u003ccode\u003esource.user.email\u003c/code\u003e in the alert and filter \u003ccode\u003eevent.dataset\u003c/code\u003e for \u003ccode\u003egoogle_workspace.login\u003c/code\u003e and aggregate by \u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003eevent.action\u003c/code\u003e to identify impacted users and authentication events.\u003c/li\u003e\n\u003cli\u003eReduce the \u003ccode\u003evar.interval\u003c/code\u003e in the Google Workspace Filebeat module to 10 minutes (10m) to decrease the risk of missed events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-google-workspace-2sv-disabled/","summary":"An adversary may disable 2-Step Verification (2SV) in Google Workspace to weaken account security and facilitate unauthorized access.","title":"Google Workspace 2SV Policy Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-google-workspace-2sv-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - 2sv","version":"https://jsonfeed.org/version/1.1"}