Hackers abusing OAuth to automate cyber attacks, says Microsoft

Threat actors are misusing OAuth-based applications as an automation tool for authentication, says Microsoft.

“Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity,” the company said in a blog this week. “The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.”

Threat actors are launching phishing or password-spraying attacks to compromise user accounts that don’t have strong authentication mechanisms and have permissions to create or modify OAuth applications. The attackers misuse the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.

IT managers should take the following steps to mitigate against OAuth abuse:
— implement security practices that strengthen account credentials, such as enabling multifactor authentication. That dramatically reduces the chance of attack, says Microsoft;
— to protect against attacks that leverage stolen credentials, enable conditional risk-based access policies;
— ensure continuous access evaluation is enabled if available in your environment;
— enable all security defaults in identity platforms;
— audit all apps and consented permissions to ensure applications are only accessing necessary data and adhering to the principles of least privilege access.

The report gives an example of what one threat actor, which Microsoft dubs Storm-1283, is doing. (Under Microsoft’s new naming taxonomy, groups dubbed ‘Storm’ are newly discovered or under development.)

Storm-1283 used a compromised user account to create an OAuth application and deploy VMs for cryptomining. The compromised account allowed the attacker to sign in through a VPN, create a new single-tenant OAuth application in Microsoft Entra ID named similarly to the Microsoft Entra ID tenant domain name, and add a set of secrets to the application.

A diagram of Storm-1283's attack chain involving the creation of VMs for cryptocurrency mining.
A diagram of Storm-1283’s attack chain involving the creation of VMs for cryptocurrency mining. Microsoft graphic

As the compromised account had an ownership role on an Azure subscription, the actor also granted Contributor’ role permission for the application to one of the active subscriptions using the compromised account.

The attacker also leveraged existing line-of-business OAuth applications that the compromised user account had access to in the tenant by adding an additional set of credentials to those applications, the report says. The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications, and initiated the cryptomining activity. The actor then later returned to deploy more VMs using the new application. Targeted organizations incurred compute fees ranging from US$10,000 to US$1.5 million from the attacks, depending on the actor’s activity and duration of the attack.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs