OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials.
This standard protocol facilitates secure authorization and authentication, commonly used to access resources on websites or applications.
Cybersecurity researchers at Microsoft recently discovered that hackers are actively abusing OAuth applications to launch automated financial attacks.
Threat actors hijack user accounts to manipulate OAuth apps, granting high privileges for covert malicious actions.
This abuse gives the attacker sustained access, even if access to the initially compromised account is lost.
Microsoft notes that attackers exploit weak authentication in phishing or password spraying to compromise accounts.
They then leverage OAuth apps for the following illicit activities, which Microsoft tracks for detection and prevention with its Defender tools:
Storm-1283, a threat actor that Microsoft tracks, exploited a compromised user account for cryptomining.
The actor signed in via VPN, created a matching OAuth app in Microsoft Entra ID, and added secrets to it.
Because the compromised account held an ownership role on Azure, the actor was able to grant the app 'Contributor' permissions.
The actor used these line-of-business (LOB) OAuth apps to deploy initial virtual machines and later expanded the deployment.
Microsoft detected a threat actor's actions, collaborated with Entra to block malicious OAuth apps, and alerted affected organizations.
In another incident, a threat actor compromised accounts, used OAuth for persistence, and launched phishing with an AiTM kit.
The kit stole session tokens by redirecting targets to a fake Microsoft sign-in page.
Microsoft confirmed risky sign-ins when the compromised accounts were used from unfamiliar locations and with uncommon user agents.
After replaying the stolen session cookie, the actor used the compromised account for BEC financial fraud, searching Outlook Web App attachments for specific keywords.
To persist and act maliciously, the threat actor created an OAuth app using the compromised account, adding new credentials under the compromised session.
In a separate campaign, threat actors moved on from BEC to creating 17,000 stealthy OAuth apps, using stolen session cookies for persistence.
These apps accessed the Microsoft Graph API to read and send emails, and also set up inbox rules with suspicious names to evade detection.
Microsoft took down all apps found to be related to this campaign, which spanned July to November 2023.
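The two persistence patterns described above (an OAuth app registered or given new credentials shortly after a risky sign-in, and inbox rules with suspicious names) can both be surfaced from audit data. The following detector is an added example written for this article; it is not Microsoft's code, and its event schema and sample records are constructed here for illustration rather than copied from real Entra ID or Exchange logs. The operation names, the two-hour window and the rule-name heuristic are assumptions a defender would tune to their own tenant.

```python
"""Toy detector for OAuth-app persistence after a risky sign-in and for
low-visibility inbox rule names.  Event schema is constructed for this
example (hypothetical), not the real Entra ID / Exchange audit format."""
from datetime import datetime, timedelta

# Operations that register an OAuth app or change its credentials (assumed names).
APP_PERSISTENCE_OPS = {
    "Add application",
    "Update application - Certificates and secrets management",
    "Add service principal credentials",
}

# Constructed sample events: alice's activity mirrors the reported pattern,
# bob's is benign.  Timestamps are ISO 8601, sorted order is not assumed.
EVENTS = [
    {"ts": "2023-11-02T08:00:00", "user": "alice@example.test", "op": "UserLoggedIn", "risk": "high"},
    {"ts": "2023-11-02T08:12:00", "user": "alice@example.test", "op": "Add application", "app_id": "app-0001"},
    {"ts": "2023-11-02T08:14:00", "user": "alice@example.test",
     "op": "Update application - Certificates and secrets management", "app_id": "app-0001"},
    {"ts": "2023-11-02T09:30:00", "user": "alice@example.test", "op": "New-InboxRule", "rule_name": "."},
    # Credential change 7 hours after the risky sign-in: outside the window, not flagged.
    {"ts": "2023-11-02T15:00:00", "user": "alice@example.test",
     "op": "Add service principal credentials", "app_id": "app-0001"},
    {"ts": "2023-11-03T10:00:00", "user": "bob@example.test", "op": "UserLoggedIn", "risk": "none"},
    {"ts": "2023-11-03T10:05:00", "user": "bob@example.test", "op": "Add application", "app_id": "app-0002"},
    {"ts": "2023-11-03T11:00:00", "user": "bob@example.test", "op": "New-InboxRule", "rule_name": "Move newsletters"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_app_persistence_after_risky_signin(events, window=timedelta(hours=2)):
    """Return (user, op, app_id, minutes_after_signin) for every OAuth-app
    registration or credential change a user made within `window` of that
    same user's most recent high-risk sign-in."""
    last_risky = {}  # user -> time of most recent high-risk sign-in
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["op"] == "UserLoggedIn":
            if ev.get("risk") == "high":
                last_risky[ev["user"]] = _ts(ev)
            continue
        if ev["op"] in APP_PERSISTENCE_OPS and ev["user"] in last_risky:
            delta = _ts(ev) - last_risky[ev["user"]]
            if timedelta(0) <= delta <= window:
                hits.append((ev["user"], ev["op"], ev.get("app_id"),
                             int(delta.total_seconds() // 60)))
    return hits


def is_suspicious_rule_name(name):
    """Heuristic (assumed): names that are blank, one or two characters long,
    or contain no letters or digits are the kind of low-visibility names an
    attacker picks so the rule is overlooked in the mailbox."""
    stripped = name.strip()
    if len(stripped) <= 2:
        return True
    return not any(ch.isalnum() for ch in stripped)


def find_suspicious_inbox_rules(events):
    """Return (user, rule_name) for each inbox rule with a suspicious name."""
    return [(ev["user"], ev["rule_name"]) for ev in events
            if ev["op"] == "New-InboxRule" and is_suspicious_rule_name(ev["rule_name"])]


if __name__ == "__main__":
    for hit in find_app_persistence_after_risky_signin(EVENTS):
        print("OAuth app persistence after risky sign-in:", hit)
    for hit in find_suspicious_inbox_rules(EVENTS):
        print("Suspicious inbox rule:", hit)
```

Running the block flags alice's app registration and secret addition (12 and 14 minutes after her high-risk sign-in) and her "." inbox rule, while bob's ordinary app registration after a clean sign-in and his descriptively named rule pass. In a real tenant the same correlation is done over the Entra ID audit log and Exchange mailbox audit log, and the flagged app should then be reviewed for the permissions it was granted, as in the Contributor-role case above.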
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 13 Dec 2023 12:40:05 +0000