Hackers are increasingly exploiting high-privilege Microsoft accounts and misusing OAuth applications in financially motivated attacks [3]. This poses a significant threat to organizations, because attackers can hide their malicious activity and keep access to the applications even after they lose access to the compromised account [10].

Description

Adversaries have been observed compromising poorly secured accounts that hold permissions to create, modify [2] [3] [6] [8] [9] [10], and grant high privileges to OAuth applications [1] [2] [3] [7] [9] [10]. They leverage these applications to deploy virtual machines for cryptocurrency mining [2] [3] [6], establish persistence [3] [5] [9] [10], and launch phishing attacks [2] [6] [7] [8] [9] [10]. By creating OAuth applications [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], they can send phishing emails and gain persistence: the applications let them manipulate inbox rules, read or send phishing emails via the Microsoft Graph API [3], and add new credentials to the application itself. Because the application, not the user session, holds the access, attackers can hide their malicious activity and keep using the applications even if they lose access to the compromised account [10]. In some instances [10], attackers have used these applications for cryptocurrency mining [9] [10], resulting in significant financial losses for the targeted organizations [10].

One specific adversary, Storm-1283 [2] [6] [8] [9], has used a compromised user account to create an OAuth application and deploy virtual machines for cryptomining [2]. Microsoft has detected and neutralized these attacks [5], notifying affected organizations and providing recommendations for further protection [5].

To mitigate these risks [1] [2] [6] [10], organizations are advised to protect their accounts with multi-factor authentication [10], enable conditional access policies [2] [6] [7] [8] [10], and regularly audit apps and permissions [2] [6] [7] [10].
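The audit recommended above can be made routine. The following is an added example, not code from the cited articles or from Microsoft: it flags app registrations that hold mail-related permissions and have either been registered recently or had a new credential added recently, the two changes the abuse described above produces. It runs over a constructed inventory whose field names loosely follow the Microsoft Graph `application` object; permission names are used as strings for readability (the real API returns permission IDs that you would resolve first), and the threshold of 14 days is an assumption.

```python
"""Audit OAuth app registrations for the abuse pattern described above.
Added example, not code from the cited articles or Microsoft. Runs over a constructed
inventory whose field names loosely follow the Microsoft Graph 'application' object;
permissions are given as names for readability (the real API returns IDs to resolve)."""
from datetime import datetime, timedelta, timezone

# Graph permissions that let an app read mail, send it, or change inbox rules (assumed set).
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}


def _ts(value):
    """Parse a Graph-style ISO-8601 timestamp such as '2023-12-01T10:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_apps(apps, now, recent_days=14):
    """Return {appId: [findings]} for apps that hold mail permissions AND changed recently."""
    cutoff = now - timedelta(days=recent_days)
    report = {}
    for app in apps:
        recent = []
        if _ts(app["createdDateTime"]) >= cutoff:
            recent.append(f"registered within {recent_days} days")
        # A secret or certificate added to an existing app is how an attacker keeps
        # access after the compromised user account is recovered.
        creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
        fresh = [c for c in creds if _ts(c["startDateTime"]) >= cutoff]
        if fresh:
            recent.append(f"{len(fresh)} credential(s) added within {recent_days} days")
        mail = sorted(MAIL_PERMISSIONS & set(app.get("permissions", [])))
        if mail and recent:  # mail access alone is normal; paired with a fresh change it is the signal
            report[app["appId"]] = recent + ["mail permissions: " + ", ".join(mail)]
    return report


# Constructed sample inventory with placeholder IDs, not real tenant data.
NOW = datetime(2023, 12, 13, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"appId": "app-ticketing", "createdDateTime": "2021-03-02T09:00:00Z",  # stable: not flagged
     "passwordCredentials": [{"startDateTime": "2023-01-10T09:00:00Z"}], "permissions": ["Mail.Send"]},
    {"appId": "app-new-mailer", "createdDateTime": "2023-12-10T22:14:00Z",  # new app with mail rights
     "passwordCredentials": [{"startDateTime": "2023-12-10T22:15:00Z"}],
     "permissions": ["Mail.ReadWrite", "Mail.Send"]},
    {"appId": "app-hr-sync", "createdDateTime": "2020-06-01T08:00:00Z",  # old app, new secret
     "passwordCredentials": [{"startDateTime": "2020-06-01T08:00:00Z"},
                             {"startDateTime": "2023-12-12T03:40:00Z"}],
     "permissions": ["User.Read.All", "MailboxSettings.ReadWrite"]},
    {"appId": "app-dashboard", "createdDateTime": "2023-12-11T12:00:00Z",  # new, no mail access
     "permissions": ["User.Read"]},
]
```

Calling `audit_apps(SAMPLE_APPS, NOW)` flags `app-new-mailer` and `app-hr-sync` and leaves the stable ticketing app and the mail-less dashboard untouched; in a real tenant, each flagged app is then reviewed for who created it, who consented, and whether the new credential was expected.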

Conclusion

The exploitation of OAuth applications by hackers for cryptocurrency mining and phishing attacks poses a serious threat to organizations. Because the attackers keep access to the applications even after losing access to the compromised accounts, they can continue their malicious activities undetected. To counter these threats [7], organizations should implement multi-factor authentication, enable conditional access policies [2] [6] [7] [8] [10], and regularly audit apps and consented permissions [2] [6] [7] [10]. Strengthening authentication mechanisms [1] [8] [9], monitoring for unusual activity [1], and regularly auditing OAuth applications are crucial steps in mitigating these risks.

References

[1] https://securityonline.info/phishing-for-profits-attackers-mine-crypto-spam-through-oauth-apps/
[2] https://owasp.or.id/2023/12/13/microsoft-warns-of-hackers-exploiting-oauth-for-cryptocurrency-mining-and-phishing/
[3] https://cyber.vumetric.com/security-news/2023/12/13/attackers-abuse-oauth-apps-to-initiate-large-scale-cryptomining-and-spam-campaigns/
[4] https://www.claytoncountyregister.com/news2/microsoft-issues-major-crypto-warning/908137/
[5] https://www.bankinfosecurity.com/microsoft-warns-oauth-attacks-tied-to-cryptomining-a-23867
[6] https://thehackernews.com/2023/12/microsoft-warns-of-hackers-exploiting.html
[7] https://www.claytoncountyregister.com/news2/microsoft-warns-of-hackers-exploiting-oauth-for-cryptocurrency-mining-and-phishing/906682/
[8] https://ciso2ciso.com/microsoft-oauth-apps-used-to-automate-bec-and-cryptomining-attacks-source-www-bleepingcomputer-com/
[9] https://securityaffairs.com/155756/hacking/oauth-applications-abuse-attacks.html
[10] https://www.helpnetsecurity.com/2023/12/13/abusing-oauth-applications/