Researchers reported a new hybrid cloud campaign — dubbed OiVaVoii — that uses hijacked Office 365 users and a sophisticated combination of malicious OAuth apps and targeted phishing threats to attack many C-level executives, including CEOs, general managers, former board members and the presidents of companies.
In a Jan. 28 blog post, Proofpoint researchers said that starting on Jan. 18 they observed account takeovers, both by malicious OAuth apps stealing OAuth tokens and via credential theft. The researchers said the takeovers carry further risks, mainly data leakage, continued phishing, lateral movement, brand abuse and malware distribution.
The OiVaVoii campaign serves as another example of attackers seeking out weaknesses in the evolving state of hybrid/remote work, said Adam Gavish, co-founder and CEO of DoControl. Gavish said it’s also yet another example of an established, trusted third party becoming compromised, in this case through OAuth.
“The fraudulent permissions requests from the malicious apps that were created appeared to be completely legitimate, blurring the lines between what’s spoofed and what’s actually real,” Gavish said. “This attack also reminds us that the C-suite is a highly attractive target, considering the access they have to sensitive company data. The permission scopes within these malicious applications provided read/write access, enabling the exfiltrating of sensitive files from these executive personas with relative ease.”
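As an added defender-side example (not from the article or from Proofpoint's research), the following Python triages OAuth consent grants for the pattern Gavish describes: an app from an unverified publisher, recently registered, holding read/write mail or file scopes, and consented to by an executive account. The record fields, scoring weights and sample grants are constructed assumptions for illustration; in a real review the records would come from a tenant's consent-grant export (for Microsoft 365, the Graph oauth2PermissionGrants and servicePrincipals objects), and the scope names follow the Microsoft Graph delegated-permission naming convention.

```python
"""Triage OAuth consent grants for risky scopes on high-value accounts.

Added example, not part of the article or the Proofpoint research.
Field names on ConsentGrant and the scoring weights are assumptions.
"""
from dataclasses import dataclass, field

# Delegated scopes that give an app write (or persistent) access to mail and files.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite",
    "Mail.Send",
    "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "offline_access",   # yields a refresh token: access survives the consent session
}
# Job-title fragments treated as executive for triage purposes (constructed list).
EXEC_TITLES = {"ceo", "cfo", "president", "general manager", "board member"}
NEW_APP_DAYS = 30    # app registrations younger than this are treated as suspicious


@dataclass
class ConsentGrant:
    app_display_name: str
    publisher_verified: bool      # assumed field: publisher domain verified by the IdP
    app_age_days: int             # assumed field: days since the app registration
    scopes: str                   # space-separated delegated scopes, as Graph returns them
    user_principal_name: str
    user_job_title: str


@dataclass
class Finding:
    app_display_name: str
    user_principal_name: str
    risky_scopes: list
    reasons: list = field(default_factory=list)
    score: int = 0


def is_executive(job_title):
    """Substring match against EXEC_TITLES (so 'Vice President' also matches)."""
    title = job_title.lower()
    return any(t in title for t in EXEC_TITLES)


def triage_grant(grant, known_app_allowlist=frozenset()):
    """Return a Finding for a grant that requests high-risk scopes, else None."""
    if grant.app_display_name in known_app_allowlist:
        return None
    requested = set(grant.scopes.split())
    risky = sorted(requested & HIGH_RISK_SCOPES)
    if not risky:
        return None
    f = Finding(grant.app_display_name, grant.user_principal_name, risky)
    f.score += len(risky)
    f.reasons.append(f"{len(risky)} high-risk scope(s): {', '.join(risky)}")
    if "offline_access" in requested and len(risky) > 1:
        f.score += 1
        f.reasons.append("offline_access alongside data scopes: persistent access after consent")
    if not grant.publisher_verified:
        f.score += 3
        f.reasons.append("publisher not verified")
    if grant.app_age_days < NEW_APP_DAYS:
        f.score += 2
        f.reasons.append(f"app registered {grant.app_age_days} days ago")
    if is_executive(grant.user_job_title):
        f.score += 2
        f.reasons.append("consent granted by executive account")
    return f


def triage_grants(grants, known_app_allowlist=frozenset()):
    """Triage every grant and return findings, highest score first."""
    findings = [triage_grant(g, known_app_allowlist) for g in grants]
    return sorted((f for f in findings if f), key=lambda f: f.score, reverse=True)


# Constructed sample grants; names and addresses are placeholders, not real tenants.
SAMPLE_GRANTS = [
    ConsentGrant("Contoso Report Viewer", False, 3,
                 "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read",
                 "ceo@example.com", "Chief Executive Officer (CEO)"),
    ConsentGrant("Corporate Expense Tool", True, 900,
                 "Mail.Send Files.ReadWrite.All offline_access",
                 "cfo@example.com", "CFO"),
    ConsentGrant("Calendar Sync", True, 400, "Calendars.Read User.Read",
                 "analyst@example.com", "Security Analyst"),
    ConsentGrant("Doc Share", False, 10, "Mail.Send User.Read",
                 "dev@example.com", "Software Engineer"),
]
KNOWN_APPS = frozenset({"Corporate Expense Tool"})   # constructed allowlist

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS, KNOWN_APPS):
        print(f"[{finding.score:2d}] {finding.app_display_name} <- {finding.user_principal_name}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

The allowlist keeps a sanctioned app with the same scope set out of the queue, which is the point of the exercise: the scopes alone look legitimate, so the signal comes from combining publisher verification, registration age and who granted the consent.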
Aaron Turner, vice president of SaaS posture at Vectra, added that Proofpoint’s research shows yet another campaign that security researchers can trace back to tactics, techniques, and procedures that were first seen at scale in March 2020. The National Security Agency developed guidance in December 2020 to protect against these types of attacks, noted Turner.
“The bottom line for organizations is that the more complex their digital identity supply chain is, the more problems they're going to have with authentication attacks,” Turner said. “In the engagements that Siriux had prior to our acquisition by Vectra, we observed authentication abuses that did everything from cloning administrators' MFA tokens via iOS and Android attacks to theft of Duo and Okta API keys to print golden SAML tickets. The effects of these attacks ranged from gaining access to CEO/CFO mailboxes and data stores to distributing ransomware through SharePoint and OneDrive.”