Hackers Abuse OAuth Applications to Automated Finacial Attacks

OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials.
This standard protocol facilitates secure authorization and authentication, commonly used to access resources on websites or applications.
Cybersecurity researchers at Microsoft recently discovered that hackers actively abuse the OAuth applications to launch automated financial attacks.
Threat actors hijack user accounts to manipulate OAuth apps, granting high privileges for covert malicious actions.
This abuse allows sustained access, even if the initial account is lost.
Microsoft notes that attackers exploit weak authentication in phishing or password spraying to compromise accounts.
They then leverage OAuth apps for the following illicit activities as tracked by Microsoft for detection and prevention using Defender tools:-.
Storm-1283, which Microsoft tracks, exploited a compromised user account for cryptomining.
The actor signed in via VPN, created a matching OAuth app in Microsoft Entra ID, and added the secrets.
With an ownership role on Azure, 'Contributor' permissions were granted to the app.
The actor used LOB OAuth apps, deploying initial VMs and later expanding.
Microsoft detected a threat actor's actions, collaborated with Entra to block malicious OAuth apps, and alerted affected organizations.
In another incident, a threat actor compromised accounts, used OAuth for persistence, and launched phishing with an AiTM kit.
The kit stole session tokens, redirecting targets to a fake Microsoft sign-in page for token theft.
Microsoft confirmed risky sign-ins when compromised accounts were used from unfamiliar locations and uncommon user agents.
After the session cookie replay, the actor exploited the compromised account for BEC financial fraud by examining specific keywords in Outlook Web App attachments.
To persist and act maliciously, the threat actor created an OAuth app using the compromised account, adding new credentials under the compromised session.
Threat actors ditched BEC for 17,000 sneaky OAuth apps, using stolen cookies for persistence.
Accessed Microsoft Graph API to read/send emails, and also set up inbox rules with suspicious names to dodge detection.
Microsoft took down all apps found related to this campaign that spanned July-November 2023.


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 13 Dec 2023 12:40:05 +0000


Cyber News related to Hackers Abuse OAuth Applications to Automated Finacial Attacks

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
11 months ago Microsoft.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
11 months ago Cybersecuritynews.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
11 months ago Darkreading.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
10 months ago Feeds.dzone.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
11 months ago Helpnetsecurity.com
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
1 year ago Bleepingcomputer.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
11 months ago Cysecurity.news
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
4 months ago Msrc.microsoft.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
11 months ago Go.theregister.com
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
1 year ago Csoonline.com
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
11 months ago Bleepingcomputer.com
How Does Automated API Testing Differ from Manual API Testing: Unveiling the Advantages - Delve into automated versus manual API testing for efficient software delivery. See how automation speeds validation while manual testing provides human insight, ensuring comprehensive coverage for robust development. In the domain of software ...
9 months ago Hackread.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 month ago Aws.amazon.com
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
An Overview of OAuth Explaining the Basics of Open Authorization - OAuth is an open standard authorization framework that enables users to securely share account information with third-party services, such as Facebook and Google, without having to reveal their credentials. It was first released in 2007 for the ...
1 year ago Heimdalsecurity.com
Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack - Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system. A key focus of the guidance is on what ...
9 months ago Darkreading.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
9 months ago Bleepingcomputer.com
Web fuzzing: Everything you need to know - Web applications are attractive targets for criminal hackers eager to access the underlying data stored on an organization's site, and by extension, the company's internal network. Web fuzzing enables security teams - and malicious hackers - to ...
11 months ago Techtarget.com
Microsoft notifies UK customers affected by hackers abusing 'verified publisher' tag - Microsoft said it has notified customers impacted by a campaign that involved the abuse of the company's "Verified publisher" status to allow access to a victim's cloud environments. Accounts can gain verified publisher status when an app publisher ...
1 year ago Therecord.media
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
Attackers Abuse Google OAuth Endpoint to Hijack User Sessions - Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and allow continuous access to Google services, even after a password reset. CloudSEK researchers learned of the zero-day exploit in October, when Prisma ...
10 months ago Darkreading.com
Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse - After a relatively quiet final Patch Tuesday of 2023, Microsoft published warnings this week about the potential for gift card fraud and hackers abusing a popular authentication technology. Alongside the warnings, Microsoft said it recently used a ...
11 months ago Therecord.media
Microsoft: Legacy account hacked by Russian APT had no MFA - Microsoft said the legacy test tenant account hacked by Russian nation-state threat actors this month did not have MFA enabled. According to the initial disclosure, the account compromised was a legacy, non-production test tenant account that threat ...
9 months ago Techtarget.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)