Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.
OAuth is an open standard for delegated authorization: instead of handing an application the user's password, the identity provider issues the app a scoped, token-based grant to act on the user's resources within the permissions that were consented to.
Recent incidents investigated by Microsoft Threat Intelligence show that attackers first compromise, through phishing or password spraying, user accounts that lack strong authentication such as MFA, focusing on accounts that hold the permission to create or modify OAuth apps.
The hijacked accounts are then used to register new OAuth applications and grant them high privileges. Because the app authenticates with its own credentials (a client secret or certificate) rather than the user's, the attacker's activity blends in with application traffic and survives a password reset of the original account.
These high-privileged OAuth apps are used for a broad spectrum of illicit activity, including deploying virtual machines dedicated to cryptocurrency mining, maintaining persistence in business email compromise (BEC) attacks, and running spam campaigns that abuse the compromised organization's domain names and sender reputation.
One notable instance involves a threat actor tracked as Storm-1283, who created an OAuth app to deploy cryptocurrency mining virtual machines.
The financial impact on targeted organizations ranged from $10,000 to $1.5 million, depending on the attack's duration.
Another threat actor used OAuth apps registered from compromised accounts both to maintain persistence and to launch phishing campaigns that relied on an adversary-in-the-middle (AiTM) phishing kit, which proxies the victim's login session to steal the resulting session token.
A third threat actor tracked as Storm-1286 hacked user accounts that weren't protected by multi-factor authentication in a series of password-spraying attacks.
The compromised accounts were then used to create new OAuth apps in the targeted organization, which enabled the attackers to send thousands of spam emails every day and, in some cases, months after the initial breach.
To defend against the misuse of OAuth apps, Microsoft recommends enforcing MFA, which blunts the credential stuffing, password-spraying and phishing attacks that precede the app registration.
Security teams should also enable conditional access policies to block sign-ins that use stolen credentials, continuous access evaluation (CAE) to revoke access automatically when a risk signal fires, and Azure Active Directory (now Microsoft Entra ID) security defaults, which turn on MFA for all users and protect privileged activities. Auditing who can register applications, and reviewing newly created apps and their granted permissions, narrows the window in which a hijacked account can plant a persistent app.
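The attack chain described above (account compromise, app registration, credential and high-privilege grant) leaves a recognisable sequence in the Entra ID audit log, and the review of newly created apps that the recommendations call for can be automated against it. The script below is an added example written for this page, not code from Microsoft or from the article. It is a Python hunt over constructed audit records: the field names (activityDisplayName, activityDateTime, initiatedBy, targetResources, modifiedProperties with an AppRole.Value entry) follow the Entra ID audit log schema as the editor understands it, but every value, user and app name is invented, the 24-hour window is an arbitrary choice, and the list of high-risk Graph permissions is an illustrative starting point rather than an authoritative one.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft Graph application permissions that let an app read or send mail,
# or rewrite the directory: the kind of privilege the attackers grant to the
# apps they register. Assumption: an illustrative list, not Microsoft's.
HIGH_RISK_PERMISSIONS = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
}

# How long after "Add application" we still tie grants to the registration.
WINDOW = timedelta(hours=24)

# Constructed sample: one JSON audit record per line. Values are invented;
# the schema mirrors Entra ID audit logs (newValue is a JSON-encoded string,
# hence the escaped quotes, which is why this is a raw string).
SAMPLE_AUDIT_LOG = r"""
{"activityDateTime":"2023-12-01T09:14:02Z","activityDisplayName":"Add application","initiatedBy":{"user":{"userPrincipalName":"j.doe@contoso.example"}},"targetResources":[{"displayName":"Finance Sync","type":"Application"}]}
{"activityDateTime":"2023-12-01T09:15:30Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"j.doe@contoso.example"}},"targetResources":[{"displayName":"Finance Sync","type":"ServicePrincipal"}]}
{"activityDateTime":"2023-12-01T09:16:11Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":{"user":{"userPrincipalName":"j.doe@contoso.example"}},"targetResources":[{"displayName":"Finance Sync","type":"ServicePrincipal","modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"Mail.Send\""}]}]}
{"activityDateTime":"2023-12-03T14:02:44Z","activityDisplayName":"Add application","initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"targetResources":[{"displayName":"HR Portal","type":"Application"}]}
{"activityDateTime":"2023-12-03T14:05:10Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"targetResources":[{"displayName":"HR Portal","type":"ServicePrincipal","modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"User.Read.All\""}]}]}
"""


def permissions_of(record):
    """Collect app-role (application permission) values granted in one record."""
    perms = set()
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "AppRole.Value" and prop.get("newValue"):
                # newValue is JSON-encoded, e.g. "\"Mail.Send\"": strip the quotes.
                perms.add(prop["newValue"].strip('"'))
    return perms


def parse_events(text):
    """Turn newline-delimited JSON audit records into flat event dicts."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        targets = rec.get("targetResources") or [{}]
        events.append({
            # "Z" suffix is not accepted by fromisoformat before Python 3.11.
            "time": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
            "activity": rec["activityDisplayName"],
            "actor": actor,
            "app": targets[0].get("displayName", "<unknown>"),
            "permissions": permissions_of(rec),
        })
    return events


def find_suspicious_app_chains(events, window=WINDOW):
    """Flag apps that, within `window` of being registered by a user, received
    high-risk application permissions or new service principal credentials."""
    by_app = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_app[(ev["actor"], ev["app"])].append(ev)

    findings = []
    for (actor, app), chain in by_app.items():
        created = [e for e in chain if e["activity"] == "Add application"]
        if not created:
            continue  # pre-existing app; outside this detection's scope
        t0 = created[0]["time"]
        later = [e for e in chain if t0 <= e["time"] <= t0 + window]
        granted = set().union(*(e["permissions"] for e in later))
        risky = granted & HIGH_RISK_PERMISSIONS
        creds_added = any(e["activity"] == "Add service principal credentials" for e in later)
        if risky or creds_added:
            findings.append({
                "actor": actor,
                "app": app,
                "created": t0.isoformat(),
                "risky_permissions": sorted(risky),
                "credentials_added": creds_added,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_app_chains(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

Run against the sample, the script flags "Finance Sync" (registered, given a client secret, then granted Mail.Send within two minutes) and leaves "HR Portal" alone, since User.Read.All is not in the high-risk set and no credential was added. In production the same logic would consume the Graph `auditLogs/directoryAudits` export or a SIEM table, and the keying on (actor, app) is what ties the grant back to the compromised account that performed it.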
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 12 Dec 2023 23:55:27 +0000