OAuth apps used in cryptocurrency mining, phishing campaigns, and BEC attacks
Pierluigi Paganini December 13, 2023
Microsoft warns that threat actors are using OAuth applications cryptocurrency mining campaigns and phishing attacks.
Threat actors are using OAuth applications such as an automation tool in cryptocurrency mining campaigns and other financially motivated attacks.
The attackers compromise user accounts to create, modify, and grant high privileges to OAuth applications to carry out malicious activity and maintain access to applications even if they lose access to the initially compromised account.
Microsoft Threat Intelligence also observed threat actors launching phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications.
“The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.” states Microsoft.
One of the threat actors that used compromised accounts to create OAuth applications is the Storm-1283 group. The compromised account allowed the attackers to create an OAuth application and deploy VMs as part of a cryptomining campaign.
“The compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application.” continues the report. “As the compromised account had an ownership role on an Azure subscription, the actor also granted ‘Contributor’ role permission for the application to one of the active subscriptions using the compromised account.”
The researchers observed the group using existing line-of-business (L ..
Support the originator by clicking the read the rest link below.
