Microsoft cautions about rising risks: Cyber actors exploiting OAuth apps for unauthorized access & malicious activities. Stay vigilant! (IT World Canada)
Microsoft has highlighted a concerning trend where malicious actors are exploiting OAuth-based applications as an automated means of authentication, leading to potential security breaches. According to a recent blog post by the tech giant, threat actors are manipulating user accounts to manipulate OAuth applications, granting them significant privileges that can be abused to conceal malicious activities.
By compromising user accounts through tactics like phishing or password spraying, attackers gain access to accounts lacking robust authentication measures. Once inside, they target accounts with permissions to create or modify OAuth applications. Exploiting these applications with elevated permissions allows threat actors to engage in various nefarious activities, including deploying virtual machines for cryptocurrency mining, establishing persistence post-business email compromise, and initiating spamming operations using the victimized organization's resources and domain name.
To combat this growing threat, IT managers are advised to adopt several security measures. These include reinforcing account credentials by implementing multifactor authentication, thereby significantly reducing the vulnerability to attacks, as suggested by Microsoft. Additionally, enabling conditional risk-based access policies can thwart attacks utilizing stolen credentials. Continuous access evaluation, where available, should also be enabled in the environment. IT managers are further urged to activate all security defaults within identity platforms and conduct thorough audits of apps and consented permissions to ensure they only access necessary data and adhere to the principle of least privilege access.
In a detailed report, Microsoft outlined the actions of a specific threat actor, identified as Storm-1283 under their new naming classification. This group utilized a compromised user account to create an OAuth application, subsequently using it to deploy virtual machines for cryptocurrency mining. Leveraging the compromised account, the attacker logged in through a VPN, created a new single-tenant OAuth application within Microsoft Entra ID, giving it a name similar to the tenant domain name. The attacker then added a set of secrets to the application, allowing unauthorized access and exploitation of the system.
Microsoft's findings underscore the critical need for heightened security measures and vigilance against OAuth abuse to prevent such unauthorized access and potential security breaches.
