Hackers Abuse OAuth Applications to Launch Automated Financial Attacks
OAuth (Open Authorization) is an industry-standard protocol that lets a third-party application access a user's data without the user handing over their login credentials.
OAuth itself handles authorization (delegated access to resources on websites or APIs); authentication is layered on top of it by OpenID Connect. An OAuth application registered in a tenant has its own identity and its own credentials, which is what makes it attractive to attackers.
Cybersecurity researchers at Microsoft recently reported that threat actors are actively abusing OAuth applications to run automated, financially motivated attacks.
Hackers Abuse OAuth Applications
Threat actors compromise user accounts and then create or modify OAuth applications, granting them high privileges so that the malicious activity runs under the application's identity rather than the user's. Because an application's credentials are independent of the user's password, this access survives even if the originally compromised account is recovered.
Microsoft notes that the attackers obtain these accounts through phishing or password spraying against accounts that lack strong authentication (for example, no MFA).
They then use the OAuth applications for the following activities, which Microsoft tracks for detection and prevention with its Defender tools:
Crypto mining
Persistence post-BEC
Spam
Storm-1283, the actor Microsoft tracks in the cryptomining case, started from a single compromised user account. The actor signed in through a VPN, created a new OAuth application in Microsoft Entra ID with a name chosen to match the tenant so that it would blend in, and added credentials (secrets) to it.
Because the compromised account held an ownership role on an Azure subscription, the actor could grant the application the 'Contributor' role. The actor also added secrets to existing line-of-business (LOB) OAuth applications and used them to deploy an initial set of virtual machines, then scaled the deployment up.
Affected organizations incurred compute charges ranging from 10,000 to 1.5 million USD. To keep the operation running as long as possible before it was noticed, Storm-1283 named the VMs according to a convention that blended in with the tenant (its domain name and Azure region), delaying detection.
Cryptocurrency mining attack chain (Source – Microsoft)
Defenders can hunt for this in Azure Activity Logs: look for "Microsoft.Compute/virtualMachines/write" operations performed by an OAuth application (a service principal rather than a user), and check whether the VM names follow the region or domain-name patterns described above.
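The hunt described above, written out as a runnable example. This is an added example, not code from Microsoft or from the article: it runs over a constructed, simplified JSON-lines sample of Azure Activity Log events (the tenant label "contoso", the app ID and the resource IDs are hypothetical), keeps only VM write operations whose caller is a service principal, and flags VM names that embed the tenant label or an Azure region name.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample events in a simplified Activity Log shape
# (eventTimestamp, operationName, caller, resourceId, authorization.evidence.principalType).
# The app ID, subscription and tenant label "contoso" are hypothetical.
SAMPLE_EVENTS = """
{"eventTimestamp": "2023-10-03T02:14:07Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "5f2c1d3e-9a7b-4c6d-8e0f-123456789abc", "resourceId": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/contoso-eastus-01"}
{"eventTimestamp": "2023-10-03T09:30:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "alice@contoso.onmicrosoft.com", "resourceId": "/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/build-agent-7", "authorization": {"evidence": {"principalType": "User"}}}
{"eventTimestamp": "2023-10-03T02:15:41Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "5f2c1d3e-9a7b-4c6d-8e0f-123456789abc", "resourceId": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/nodepool-westeurope-3", "authorization": {"evidence": {"principalType": "ServicePrincipal"}}}
{"eventTimestamp": "2023-10-03T02:16:02Z", "operationName": "Microsoft.Compute/virtualMachines/delete", "caller": "5f2c1d3e-9a7b-4c6d-8e0f-123456789abc", "resourceId": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/old-vm"}
"""

VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"
# Short constructed list of Azure region labels; extend for your subscriptions.
AZURE_REGIONS = ("eastus", "eastus2", "westus", "westeurope", "northeurope", "southeastasia")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_service_principal(event: Dict) -> bool:
    """True when the caller is an application/service principal, not a user.
    Prefer the explicit principalType; if it is absent, treat a GUID caller
    (an app ID rather than a UPN) as a service principal."""
    principal_type = event.get("authorization", {}).get("evidence", {}).get("principalType", "")
    if principal_type:
        return principal_type.lower() == "serviceprincipal"
    return bool(GUID_RE.match(event.get("caller", "")))


def vm_name_from_resource_id(resource_id: str) -> str:
    """The VM name is the last path segment of the ARM resource ID."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def suspicious_name(vm_name: str, tenant_label: str) -> List[str]:
    """Reasons a VM name looks like it was chosen to blend in with the tenant."""
    name = vm_name.lower()
    reasons = []
    if tenant_label.lower() in name:
        reasons.append(f"contains tenant label '{tenant_label}'")
    for region in AZURE_REGIONS:
        if region in name:
            reasons.append(f"contains region '{region}'")
            break
    return reasons


def find_sp_vm_writes(lines: Iterable[str], tenant_label: str) -> List[Dict]:
    """Return VM write operations performed by service principals, with naming flags."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        op = event.get("operationName")
        if isinstance(op, dict):          # REST schema nests the name as {"value": ...}
            op = op.get("value")
        if op != VM_WRITE_OP or not is_service_principal(event):
            continue
        vm = vm_name_from_resource_id(event["resourceId"])
        findings.append({
            "time": event.get("eventTimestamp"),
            "caller": event.get("caller"),
            "vm": vm,
            "name_flags": suspicious_name(vm, tenant_label),
        })
    return findings


if __name__ == "__main__":
    for f in find_sp_vm_writes(SAMPLE_EVENTS.splitlines(), "contoso"):
        print(f["time"], f["caller"], f["vm"], "; ".join(f["name_flags"]) or "no naming flag")
```

In production the same logic maps onto the AzureActivity table (OperationNameValue, Caller, ResourceId and the principalType inside Authorization); the user-created VM in the sample is deliberately left out of the findings because a service-principal-only baseline is what makes this hunt low-noise.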
Microsoft detected the activity, worked with the Microsoft Entra team to block the malicious OAuth applications, and notified the affected organizations. In a second incident, a threat actor used an adversary-in-the-middle (AiTM) phishing kit to compromise accounts and then created OAuth applications for persistence.
The kit proxied targets through an attacker-controlled page that mimicked the Microsoft sign-in page and captured their session tokens. Microsoft flagged the resulting sign-ins as risky because the stolen sessions were replayed from unfamiliar locations and with uncommon user agents.
After replaying the stolen session cookie, the actor used the compromised account for business email compromise (BEC): it searched Outlook Web App attachments for specific keywords, then attempted to alter payment details.
To persist beyond the stolen session, the actor used the compromised account to create an OAuth application and added new credentials to it while that session was still valid.
Attack chain for OAuth application misuse following BEC (Source – Microsoft)
In a third campaign, the threat actor moved from BEC to large-scale phishing: using stolen session cookies, it created roughly 17,000 OAuth applications for persistence. Through these applications it called the Microsoft Graph API to read and send email, and it created inbox rules (with names Microsoft describes as suspicious) to evade detection.
The campaign, which ran from July to November 2023, sent about 927,000 phishing emails. Microsoft took down all the applications it identified as part of it.
Attack chain for OAuth application misuse for phishing (Source – Microsoft)
Recommendations
Microsoft's researchers recommend the following:
Mitigate credential-guessing attacks such as password spraying (enforcing MFA is the key control here)
Enable conditional access policies
Ensure continuous access evaluation is enabled
Enable security defaults
Enable Microsoft Defender automatic attack disruption
Audit apps and consented permissions
Secure Azure Cloud resources
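"Audit apps and consented permissions" is the recommendation that catches all three incidents above, so here is an added example of what that audit can check. It is not Microsoft's or the article's code: it runs over a constructed inventory of OAuth application registrations in a simplified shape loosely modelled on Microsoft Graph application/servicePrincipal objects (the field names grantedScopes and azureRoleAssignments, the app IDs and the app names are hypothetical), and flags the patterns the incidents share: high-risk Graph permissions (mail read/send, mailbox settings for inbox rules, directory write), very recently created apps, credentials added long after registration or within the last month, and privileged Azure RBAC roles such as Contributor.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Graph permissions that let an app read or send mail, edit mailbox rules, or
# write to the directory. Constructed watchlist for this example; tune per tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
PRIVILEGED_AZURE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
NEW_APP_WINDOW = timedelta(days=30)      # app registered very recently
RECENT_CRED_WINDOW = timedelta(days=30)  # secret/certificate added very recently
LATE_CRED_GAP = timedelta(days=30)       # secret added long after registration: new credential on an existing app

# Constructed sample inventory; names, IDs and dates are hypothetical.
SAMPLE_APPS = [
    {"appId": "a1", "displayName": "Contoso Payroll Connector", "createdDateTime": "2022-03-01T08:00:00Z",
     "grantedScopes": ["User.Read"],
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2022-03-01T08:05:00Z"}]},
    {"appId": "b2", "displayName": "contoso-sync", "createdDateTime": "2023-11-02T10:15:00Z",
     "grantedScopes": ["Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"],
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2023-11-02T10:16:00Z"}]},
    {"appId": "c3", "displayName": "LOB Reporting App", "createdDateTime": "2021-06-15T12:00:00Z",
     "grantedScopes": ["Files.Read.All"],
     "passwordCredentials": [{"keyId": "k3", "startDateTime": "2021-06-15T12:00:00Z"},
                             {"keyId": "k4", "startDateTime": "2023-11-10T03:41:00Z"}],
     "azureRoleAssignments": ["Contributor"]},
]


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_app(app: Dict, now: datetime) -> Dict:
    """Evaluate one registration and return the risk flags it raises (possibly none)."""
    flags: List[str] = []
    created = parse_ts(app["createdDateTime"])

    risky_scopes = sorted(set(app.get("grantedScopes", [])) & HIGH_RISK_SCOPES)
    if risky_scopes:
        flags.append("HIGH_RISK_SCOPES")
    if now - created <= NEW_APP_WINDOW:
        flags.append("NEW_APP")

    # Secrets and certificates are both credentials; check every one.
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        start = parse_ts(cred["startDateTime"])
        if start - created > LATE_CRED_GAP and "LATE_CREDENTIAL" not in flags:
            flags.append("LATE_CREDENTIAL")
        if now - start <= RECENT_CRED_WINDOW and "RECENT_CREDENTIAL" not in flags:
            flags.append("RECENT_CREDENTIAL")

    azure_roles = sorted(set(app.get("azureRoleAssignments", [])) & PRIVILEGED_AZURE_ROLES)
    if azure_roles:
        flags.append("AZURE_PRIVILEGED_ROLE")

    return {"appId": app["appId"], "displayName": app["displayName"], "flags": flags,
            "riskyScopes": risky_scopes, "azureRoles": azure_roles}


def audit_apps(apps: List[Dict], now: datetime) -> List[Dict]:
    """Return only the registrations that raised at least one flag."""
    return [r for r in (audit_app(a, now) for a in apps) if r["flags"]]


if __name__ == "__main__":
    now = parse_ts("2023-11-20T00:00:00Z")  # fixed 'now' so the sample is reproducible
    for result in audit_apps(SAMPLE_APPS, now):
        print(result["displayName"], result["flags"], result["riskyScopes"], result["azureRoles"])
```

In the sample, "contoso-sync" is the phishing-style app (new, mail and mailbox-rule permissions, fresh secret) and "LOB Reporting App" is the Storm-1283-style case (a long-lived LOB app that suddenly gained a new secret and holds Contributor). A flag is a starting point for review, not a verdict; the next step is to correlate the credential's creation with the Entra audit log entry that added it and the sign-in that performed the change.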
The post Hackers Abuse OAuth Applications to Launch Automated Financial Attacks appeared first on Cyber Security News.