Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks spanning cryptomining, phishing, and password spraying.
The attackers also leverage the OAuth standard to maintain access to applications even if they lose access to the initially compromised account, the researchers said.
The researchers describe several attacks that abused OAuth in novel ways.
In most cases, a compromised account did not have multifactor authentication enabled, making it an easy target for attackers that used tactics like credential stuffing, phishing, and reverse proxy phishing to gain access to an account for malicious purposes.
Using and Abusing OAuth
Microsoft Threat Intelligence researchers observed three specific attack types - cryptomining, business email compromise/phishing, and password spraying/spamming - that abused OAuth to conduct malicious activity in various ways.
In one vector employed by the threat actor that Microsoft tracks as Storm-1283, attackers used a compromised Azure user account to create an OAuth application and deploy virtual machines for cryptomining.
Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million from the malicious activity, in which the attackers returned to the account to deploy more cryptomining VMs after setting up the initial attack.
Attackers also compromised user accounts to create OAuth applications for BEC and phishing attacks, with the researchers observing a threat actor compromising user accounts and creating OAuth applications to maintain persistence and launch email phishing activity.
In this vector, the attacker used an adversary-in-the-middle phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations with a malicious URL that leads to a proxy server facilitating a genuine authentication process.
If a user took the bait and logged in, the threat actor stole the token from the user's session cookie and later used it to perform session cookie replay activity.
In other cases, instead of BEC reconnaissance, the threat actor created multitenant OAuth applications following its replay of stolen session cookies, using the apps to maintain persistence, add new credentials, and then access the Microsoft Graph API resource to read emails or send phishing emails.
In a third unique attack, a threat actor that Microsoft tracks as Storm-1286 conducted large-scale spamming activity, using password-spraying attacks to compromise user accounts.
The attackers compromised user accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client, granting consent to the applications that allowed control over the account mailbox, according to Microsoft Threat Intelligence.
From there, the attacker would send thousands of emails a day using the compromised user account and the organization domain.
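The persistence chain described above (a compromised account registers an OAuth application, adds a credential to it, then consents to mailbox permissions, all within a short span) leaves a recognizable footprint in the tenant's audit log. The following detection sketch is an added example, not code from Microsoft or Dark Reading. It correlates those three Entra ID audit activities per initiating user and application name, and reports chains that complete inside a configurable window. The record field names follow the Entra ID audit log shape, but every sample record below is constructed for this example, and the permission-string format in the consent event is simplified.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID audit activity names that, chained by one account within a short
# window, match the OAuth-app persistence pattern described in the article.
APP_CREATED = "Add application"
CRED_ADDED = "Update application – Certificates and secrets management"
CONSENT_GRANTED = "Consent to application"
# Delegated Graph scopes that give an app read or send access to mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}


def _event(ts, activity, user, app, scopes=None):
    """Build a constructed audit record (sample data, not a real tenant)."""
    target = {"displayName": app}
    if scopes is not None:
        target["modifiedProperties"] = [{
            "displayName": "ConsentAction.Permissions",
            "newValue": f"[[Scope: {scopes}, ConsentType: Principal]]"}]
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [target]}


# Constructed sample log: alice's account completes the full chain with mail
# scopes; bob only registers an app; carol adds a credential but never consents.
SAMPLE_AUDIT_LOG = [
    _event("2023-12-01T09:00:00Z", APP_CREATED, "alice@contoso.example", "Mailer-01"),
    _event("2023-12-01T09:04:00Z", CRED_ADDED, "alice@contoso.example", "Mailer-01"),
    _event("2023-12-01T09:06:00Z", CONSENT_GRANTED, "alice@contoso.example", "Mailer-01",
           scopes="Mail.ReadWrite Mail.Send User.Read"),
    _event("2023-12-01T10:00:00Z", APP_CREATED, "bob@contoso.example", "Dashboard"),
    _event("2023-12-01T11:00:00Z", APP_CREATED, "carol@contoso.example", "Sync-Tool"),
    _event("2023-12-01T11:30:00Z", CRED_ADDED, "carol@contoso.example", "Sync-Tool"),
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _consented_scopes(event):
    """Extract the space-separated scope list from a consent event's properties."""
    scopes = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                match = re.search(r"Scope:\s*([^,\]]+)", prop.get("newValue", ""))
                if match:
                    scopes.update(match.group(1).split())
    return scopes


def find_oauth_app_chains(events, window=timedelta(hours=1)):
    """Return one finding per (user, app) whose create -> credential -> consent
    chain completes within `window` of the app registration."""
    by_key = defaultdict(list)
    for ev in events:
        user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in ev.get("targetResources", []):
            by_key[(user, target.get("displayName"))].append(ev)

    findings = []
    for (user, app), evs in by_key.items():
        evs.sort(key=lambda e: _parse_time(e["activityDateTime"]))
        created = [e for e in evs if e["activityDisplayName"] == APP_CREATED]
        if not created:
            continue  # credential or consent changes to pre-existing apps are out of scope here
        start = _parse_time(created[0]["activityDateTime"])
        in_window = [e for e in evs if start <= _parse_time(e["activityDateTime"]) <= start + window]
        steps = {e["activityDisplayName"] for e in in_window}
        if CRED_ADDED not in steps or CONSENT_GRANTED not in steps:
            continue
        scopes = set()
        for e in in_window:
            if e["activityDisplayName"] == CONSENT_GRANTED:
                scopes |= _consented_scopes(e)
        mail = sorted(scopes & MAIL_SCOPES)
        findings.append({"user": user, "app": app, "start": start.isoformat(),
                         "mail_scopes": mail, "severity": "high" if mail else "medium"})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_oauth_app_chains(SAMPLE_AUDIT_LOG), indent=2))
```

Keying on the application display name is a simplification: in a real tenant the consent event targets the service principal rather than the application object, so production logic would join on the application (client) ID carried in the event properties instead. The window and scope list are tuning knobs; a legitimate app registration by an administrator rarely completes all three steps from an ordinary user account in minutes, which is what makes the chain a useful signal.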
MFA and Other Mitigations
OAuth, in use since 2007, presents risk to organizations for various reasons, and there are a number of ways attackers can abuse it.
Security researchers have found flaws in its implementation that have exposed key online services platforms such as Booking.com and others to attack.
Others have used malicious OAuth apps of their creation to compromise Microsoft Exchange servers.
The key step for organizations to reduce their attack surface when OAuth is in use is securing their identity infrastructure, according to Microsoft.
Another is enabling security defaults in deployed Microsoft applications, such as Azure Active Directory.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Dec 2023 19:00:06 +0000