Microsoft representatives have warned that adversaries use OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks. "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis. The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.[1]
OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that allows applications to securely access information from other websites without handing over passwords. In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permission to create or modify OAuth applications.
One such adversary is Storm-1283, which leveraged a compromised user account to create an OAuth application and deploy VMs for crypto-mining. The attackers also modified existing OAuth applications belonging to the compromised account by adding an extra set of credentials to achieve the same goals. In another instance, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing attacks that employ an Adversary-in-the-Middle (AiTM) phishing kit to steal session cookies from targets and bypass authentication measures.
"In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice'," a Microsoft representative said.
Other scenarios detected by the tech giant following the theft of session cookies involve creating OAuth applications to distribute phishing emails and conduct large-scale spamming activity; Microsoft tracks the latter activity as Storm-1286. To mitigate the risks associated with such attacks, organizations are advised to enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit applications and consented permissions.
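The audit recommended above can be scripted against Microsoft Entra ID. The following is an added example written for this article, not code from Microsoft's report or Red Sky Alliance; it assumes the Microsoft.Graph PowerShell SDK is installed and that the 30-day lookback and the list of watched scopes are illustrative values to tune for your tenant.

```powershell
# Added example: flag app registrations that recently gained a credential
# (the "extra set of credentials" persistence technique) and delegated grants
# with tenant-wide consent or mail-related scopes (the phishing/spam scenario).
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'

$lookbackDays = 30                                   # assumption: adjust per tenant
$since = (Get-Date).AddDays(-$lookbackDays)

# 1. Applications with a password or certificate credential added recently.
$recentCreds = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
    $creds = @($app.PasswordCredentials) + @($app.KeyCredentials)
    $new   = $creds | Where-Object { $_.StartDateTime -ge $since }
    if ($new) {
        [pscustomobject]@{
            DisplayName  = $app.DisplayName
            AppId        = $app.AppId
            TotalCreds   = $creds.Count          # >1 on a single-purpose app deserves a look
            NewestCredOn = ($new | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
        }
    }
}
Write-Host "Apps with credentials added in the last $lookbackDays days:"
$recentCreds | Sort-Object NewestCredOn -Descending | Format-Table -AutoSize

# 2. Delegated permission grants worth reviewing: admin consent for all users,
#    or scopes that allow sending or reading mail on a user's behalf.
$watchScopes = 'Mail.Send','Mail.ReadWrite','Mail.Read','User.ReadWrite.All','Directory.ReadWrite.All'
$spCache = @{}                                       # avoid one lookup per grant
$suspectGrants = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes = $g.Scope -split '\s+' | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $watchScopes -contains $_ }
    if ($g.ConsentType -eq 'AllPrincipals' -or $hits) {
        if (-not $spCache.ContainsKey($g.ClientId)) {
            $spCache[$g.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $g.ClientId).DisplayName
        }
        [pscustomobject]@{
            Client      = $spCache[$g.ClientId]
            ConsentType = $g.ConsentType          # 'AllPrincipals' = tenant-wide consent
            WatchedScopes = ($hits -join ' ')
        }
    }
}
Write-Host 'Delegated grants with tenant-wide consent or watched scopes:'
$suspectGrants | Sort-Object ConsentType,Client | Format-Table -AutoSize
```

Compare each flagged application against its owner and change history in the Entra audit log before revoking credentials or grants, since legitimate automation will also appear in both lists.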
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
[1] https://thehackernews.com/2023/12/microsoft-warns-of-hackers-exploiting.html