Hackers abusing OAuth to automate cyber attacks, says Microsoft

Share post:

Threat actors are misusing OAuth-based applications as an automation tool for authentication, says Microsoft.

“Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity,” the company said in a blog this week. “The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.”

Threat actors are launching phishing or password-spraying attacks to compromise user accounts that don’t have strong authentication mechanisms and have permissions to create or modify OAuth applications. The attackers misuse the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.

IT managers should take the following steps to mitigate against OAuth abuse:
— implement security practices that strengthen account credentials, such as enabling multifactor authentication. That dramatically reduces the chance of attack, says Microsoft;
— to protect against attacks that leverage stolen credentials, enable conditional risk-based access policies;
— ensure continuous access evaluation is enabled if available in your environment;
— enable all security defaults in identity platforms;
— audit all apps and consented permissions to ensure applications are only accessing necessary data and adhering to the principles of least privilege access.

The report gives an example of what one threat actor, which Microsoft dubs Storm-1283, is doing. (Under Microsoft’s new naming taxonomy, groups dubbed ‘Storm’ are newly discovered or under development.)

Storm-1283 used a compromised user account to create an OAuth application and deploy VMs for cryptomining. The compromised account allowed the attacker to sign in through a VPN, create a new single-tenant OAuth application in Microsoft Entra ID named similarly to the Microsoft Entra ID tenant domain name, and add a set of secrets to the application.

A diagram of Storm-1283's attack chain involving the creation of VMs for cryptocurrency mining.
A diagram of Storm-1283’s attack chain involving the creation of VMs for cryptocurrency mining. Microsoft graphic

As the compromised account had an ownership role on an Azure subscription, the actor also granted Contributor’ role permission for the application to one of the active subscriptions using the compromised account.

The attacker also leveraged existing line-of-business OAuth applications that the compromised user account had access to in the tenant by adding an additional set of credentials to those applications, the report says. The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications, and initiated the cryptomining activity. The actor then later returned to deploy more VMs using the new application. Targeted organizations incurred compute fees ranging from US$10,000 to US$1.5 million from the attacks, depending on the actor’s activity and duration of the attack.

The post Hackers abusing OAuth to automate cyber attacks, says Microsoft first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Costs from Global CrowdStrike Outage Could Exceed $1 Billion

The global tech outage caused by a faulty CrowdStrike update on Friday could result in damages exceeding $1...

CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike...

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways