<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>2sv - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/2sv/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/2sv/feed.xml" rel="self" type="application/rss+xml"/><item><title>Google Workspace 2SV Policy Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-google-workspace-2sv-disabled/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-google-workspace-2sv-disabled/</guid><description>An adversary may disable 2-Step Verification (2SV) in Google Workspace to weaken account security and facilitate unauthorized access.</description><content:encoded><![CDATA[<p>Google Workspace administrators can enforce 2-Step Verification (2SV) to enhance user account security, requiring users to verify their identity beyond simple login credentials. This policy can be configured with various verification methods and enrollment periods. However, a malicious actor with administrative privileges may disable 2SV policies to reduce the security requirements for accessing targeted accounts. This could be a precursor to credential access or data exfiltration. The Elastic detection rule &quot;Google Workspace 2SV Policy Disabled&quot; was released on 2022-08-26 and updated on 2026-04-10 to detect this activity. This activity is important for defenders because it can lead to unauthorized access to sensitive data and systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Google Workspace administrator account, possibly through credential compromise or phishing.</li>
<li>The attacker authenticates to the Google Workspace admin console using the compromised credentials.</li>
<li>The attacker navigates to the Security settings within the admin console.</li>
<li>The attacker locates the 2-Step Verification settings.</li>
<li>The attacker disables the 2SV enforcement policy for specific organizational units or the entire domain. This generates a <code>google_workspace.login</code> event with <code>event.action: &quot;2sv_disable&quot;</code>.</li>
<li>The attacker may then attempt to access user accounts without the 2SV requirement, potentially using previously obtained credentials.</li>
<li>Upon successful login, the attacker performs malicious actions such as accessing sensitive data, modifying configurations, or establishing persistence.</li>
<li>The attacker covers their tracks by deleting audit logs or creating new admin accounts with modified permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling 2SV weakens the overall security posture of a Google Workspace environment. If successful, attackers can gain unauthorized access to user accounts, leading to data breaches, financial losses, and reputational damage. The number of affected users depends on the scope of the 2SV policy change and the extent of the attacker's access. Organizations in any sector relying on Google Workspace for email, file storage, or other services are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect instances of 2SV policy being disabled and tune for your environment.</li>
<li>Review Google Workspace audit logs (<code>filebeat-*</code>, <code>logs-google_workspace*</code>) for unexpected 2SV configuration changes.</li>
<li>Implement the security best practices outlined by Google: <a href="https://support.google.com/a/answer/7587183">https://support.google.com/a/answer/7587183</a></li>
<li>Monitor <code>user.name</code> or <code>source.user.email</code> in the alert and filter <code>event.dataset</code> for <code>google_workspace.login</code> and aggregate by <code>user.name</code>, <code>event.action</code> to identify impacted users and authentication events.</li>
<li>Reduce the <code>var.interval</code> in the Google Workspace Filebeat module to 10 minutes (10m) to decrease the risk of missed events.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>google-workspace</category><category>2sv</category><category>persistence</category></item></channel></rss>