OAuth (Open Authorization) is an industry-standard protocol that allows third-party applications to access a user’s data without exposing login credentials.
This standard protocol facilitates secure authorization and authentication, commonly used to access resources on websites or applications.
Cybersecurity researchers at Microsoft recently discovered that hackers actively abuse the OAuth applications to launch automated financial attacks.
Hackers Abuse OAuth Applications
Threat actors hijack user accounts to manipulate OAuth apps, granting high privileges for covert malicious actions. This abuse allows sustained access, even if the initial account is lost.
Microsoft notes that attackers exploit weak authentication in phishing or password spraying to compromise accounts.
They then leverage OAuth apps for the following illicit activities as tracked by Microsoft for detection and prevention using Defender tools:-
- Crypto mining
- Persistence post-BEC
- Spam
Storm-1283, which Microsoft tracks, exploited a compromised user account for cryptomining. The actor signed in via VPN, created a matching OAuth app in Microsoft Entra ID, and added the secrets.
With an ownership role on Azure, ‘Contributor’ permissions were granted to the app. The actor used LOB OAuth apps, deploying initial VMs and later expanding.
Organizations faced fees from 10,000 to 1.5 million USD. Storm-1283 aimed to prolong setup using a specific naming convention for VMs to evade detection.
Monitor Azure logs for “Microsoft.Compute/virtualMachines/write” by OAuth apps, watching for the region or domain name patterns in naming conventions.
Microsoft detected a threat actor’s actions, collaborated with Entra to block malicious OAuth apps, and alerted affected organizations. In another incident, a threat actor compromised accounts, used OAuth for persistence, and launched phishing with an AiTM kit.
The kit stole session tokens, redirecting targets to a fake Microsoft sign-in page for token theft. Microsoft confirmed risky sign-ins when compromised accounts were used from unfamiliar locations and uncommon user agents.
After the session cookie replay, the actor exploited the compromised account for BEC financial fraud by examining specific keywords in Outlook Web App attachments.
This precedes attempts to manipulate payment details. To persist and act maliciously, the threat actor created an OAuth app using the compromised account, adding new credentials under the compromised session.
Threat actors ditched BEC for 17,000 sneaky OAuth apps, using stolen cookies for persistence. Accessed Microsoft Graph API to read/send emails, and also set up inbox rules with suspicious names to dodge detection.
Besides this, they sent 927,000 phishing emails as well. However, Microsoft took down all apps found related to this campaign that spanned July-November 2023.
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers:-
- Mitigate credential guessing attack risks
- Enable conditional access policies
- Ensure continuous access evaluation is enabled
- Enable security defaults
- Enable Microsoft Defender automatic attack disruption
- Audit apps and consented permissions
- Secure Azure Cloud resources