Threat actors launched financially motivated attacks using automated phishing and password-spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth apps, according to Microsoft Threat Intelligence.
In a blog post Dec. 12, Microsoft researchers said the threat actors misused the OAuth applications with high-privilege permissions to deploy virtual machines for cryptocurrency mining, establish persistence following business email compromises (BECs), and launch spamming activity using the targeted organization’s resources and domain name.
OAuth is well-known as an open standard for token-based authentication and authorization that lets applications get access to data and resources based on permissions set by a user. The Microsoft researchers said threat actors have been compromising user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity.
Top advice: watch the identity infrastructure
Microsoft highly recommend security teams secure the identity infrastructure among the mitigation steps. The researchers said the most common initial access vector observed in this attack was account compromise through credential stuffing, phishing and reverse proxy phishing. The compromised accounts did not have MFA enabled in most cases.
“Implementing security practices that strengthen account credentials such as enabling MFA reduces the chance of attack dramatically,” wrote the researchers.
Patrick Tiquet, vice president of security and architecture at Keeper Security, explained that most OAuth vulnerabilities happen because of improper implementation — and that’s why this type of project requires experienced engineers and extra time for code reviews.
However, Tiquet said that in most cases, OAuth gets implemented correctly and the vulnerabilities associated with improper implementation can just as easily be created by companies improperly implementing and storing traditional passwords.
“The advantages and disadvantages of using OAuth are based on how the new accounts are created,” said Tiquet. “Using Facebook, Twitter, Google or Apple to create an account on a third-party site using OAuth creates tokens that are used to sign-in, rather than a username and password with traditional authentication. One benefit to this is that the use of tokens protects credentials if that third-party service is breached. If the token is compromised, 2FA doesn’t help. We recommend using a unique password and MFA when and wherever possible.”
Emily Phelps, director at Cyware, said this threat reinforces the importance of MFA as a fundamental security practice. Phelps said although passwordless security has its own challenges, to move in that direction, cybersecurity would need to rethink trust models.
“While many are already doing this, it will become table stakes to prepare beyond authentication to also include continuous monitoring and action validation capabilities,” said Phelps. “While moving away from passwords as a primary form of authentication can be good for security, it means added measures must be in place to safeguard the alternatives effectively.”
