Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns

Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks.
OAuth is an open standard authentication protocol that uses tokens to grant applications access to server resources without having to use login credentials.
Microsoft Threat Intelligence has observed a number of attacks that started with attackers compromising poorly secured accounts that have permissions to create, modify, and grant high privileges to OAuth applications.
They can then misuse these applications to hide malicious activity and maintain access to the apps even if they lose access to the initially compromised account, the analysts noted.
In one of the detected attacks, the attackers generated an OAuth application to deploy virtual machines used for cryptocurrency mining.
OAuth application for cryptocurrency mining attack chain.
In another attack, after having created OAuth applications, the attackers started sending out phishing emails by leveraging an adversary-in-the-middle phishing kit.
This allowed them to steal the user's session cookie token and perform session cookie replay activity.
In some instances, the attackers used the compromised accounts to find emails mentioning payments or invoices, so they can insert themselves in the email conversation and redirect payments to their own banking accounts.
Other instances saw the attackers creating multitenant OAuth applications to gain persistence, adding new credentials, creating inbox rules to move emails to the junk folder and mark them as read, and reading emails or sending phishing emails via Microsoft Graph API. Attack chain for OAuth application misuse for phishing.
While in these attacks OAuth apps are leveraged to gain persistence to compromised accounts and to extend the attacks, attackers have also been known to use seemingly verified third-party OAuth apps to gain access to O365 email accounts.
Microsoft's threat analysts have shared detections and hunting guidance to help defenders and threat hunters check for suspicious activity related to these latest attacks.
They also listed mitigation steps organizations can take to protect themselves, which include: protecting accounts with multi-factor authentication, enabling conditional access policies, enabling Microsoft Defender automatic attack disruption, auditing apps and permissions, and more.


This Cyber News was published on www.helpnetsecurity.com. Publication date: Wed, 13 Dec 2023 14:13:05 +0000


Cyber News related to Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
1 year ago Darkreading.com
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
1 year ago Bleepingcomputer.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
1 year ago Helpnetsecurity.com
Cybersecurity Awareness Campaigns in Education - Cybersecurity awareness campaigns in education are essential to protect digital systems and information. The target audience for cybersecurity awareness campaigns in education includes students, teachers, administrators, and other staff members. ...
1 year ago Securityzap.com
RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign - Hackers with possible ties to the notorious North Korea-linked Lazarus Group are exploiting a recent critical vulnerability in Palo Alto Network's PAN-OS software to run a sophisticated cryptomining operation that likely has nation-state backing. In ...
6 months ago Securityboulevard.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
1 year ago Cybersecuritynews.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
1 year ago Bleepingcomputer.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
1 year ago Go.theregister.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
11 months ago Feeds.dzone.com
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
1 year ago Csoonline.com
'Wall of Flippers' detects Flipper Zero Bluetooth spam attacks - A new Python project called 'Wall of Flippers' detects Bluetooth spam attacks launched by Flipper Zero and Android devices. By detecting the attacks and identifying their origin, users can take targeted protection measures, and culprits can ...
11 months ago Bleepingcomputer.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
5 months ago Msrc.microsoft.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
1 year ago Cysecurity.news
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
7 months ago Security.googleblog.com
Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack - Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system. A key focus of the guidance is on what ...
10 months ago Darkreading.com
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
1 year ago Cyberdefensemagazine.com
An Overview of OAuth Explaining the Basics of Open Authorization - OAuth is an open standard authorization framework that enables users to securely share account information with third-party services, such as Facebook and Google, without having to reveal their credentials. It was first released in 2007 for the ...
1 year ago Heimdalsecurity.com
Microsoft: Legacy account hacked by Russian APT had no MFA - Microsoft said the legacy test tenant account hacked by Russian nation-state threat actors this month did not have MFA enabled. According to the initial disclosure, the account compromised was a legacy, non-production test tenant account that threat ...
10 months ago Techtarget.com
Flipper Zero can now spam Android, Windows users with Bluetooth alerts - A custom Flipper Zero firmware called 'Xtreme' has added a new feature to perform Bluetooth spam attacks on Android and Windows devices. A security researcher previously demonstrated the technique against Apple iOS devices, inspiring others to ...
1 year ago Bleepingcomputer.com
10 Key Things You Need to Know About the Sophisticated Vastflux Ad Fraud Scheme - At the end of April 2015, researchers from Distil Networks reported the discovery of a sophisticated ad fraud network, Vastflux, which had been around since at least January 2014. The network used sophisticated malware targeting both iOS and Android ...
1 year ago Securityweek.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)