SolarWinds Attackers Manipulated OAuth App Certificates

Proofpoint Update Describes the Fraud Tactics

Prajeet Nair (@prajeetspeaks) • March 23, 2021

The SolarWinds supply chain attackers manipulated OAuth app certificates to maintain persistence and access privileged resources including email, according to researchers at Proofpoint.


OAuth is an open standard for authorization that lets a third-party application obtain scoped access to resources in a cloud service on a user's or tenant's behalf, without the application ever holding the user's password. Based on its analysis of over 20 million cloud accounts in Europe and the U.S., Proofpoint concludes the SolarWinds attackers abused OAuth apps to lurk inside compromised cloud accounts.


"Any OAuth app that has broad access permissions is a potential security risk to your organization," the researchers note.
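The two warning signs the report points at, an app holding broad tenant-wide permissions and an app registration that has quietly gained a new certificate credential, can both be checked from a tenant's app inventory. The script below is an added example, not code from Proofpoint or from the article; its input records are constructed inline and only shaped like Microsoft Graph's `oauth2PermissionGrants` and `applications` objects, the `BROAD_SCOPES` list is an illustrative assumption rather than an authoritative one, and the reference time is fixed so it runs offline.

```python
"""Audit an OAuth app inventory for two abuse patterns: tenant-wide consent
grants carrying broad (e.g. mailbox) permissions, and app registrations whose
certificate credentials were added recently.

Added example; records below are constructed and merely shaped like Microsoft
Graph's oauth2PermissionGrants / applications output. Nothing is fetched.
"""
from datetime import datetime, timedelta, timezone

# Delegated scopes that hand an app wide access to mail or directory data.
# Assumption: illustrative list, tune it to the tenant's own risk appetite.
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
}

# Constructed sample: one tenant-wide ("AllPrincipals") grant with mailbox
# scopes, one per-user ("Principal") grant with a harmless scope.
GRANTS = [
    {"clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Mail.Read Mail.Send"},
    {"clientId": "sp-2222", "consentType": "Principal", "principalId": "user-9",
     "resourceId": "graph", "scope": "User.Read"},
]

# Constructed reference time, so the "recent" window is reproducible.
NOW = datetime(2021, 3, 23, tzinfo=timezone.utc)

# Constructed sample app registrations with certificate (keyCredentials) entries.
# app-1111 has an old cert plus one added two weeks before NOW.
APPS = [
    {"appId": "app-1111", "displayName": "Mail Connector", "keyCredentials": [
        {"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify",
         "startDateTime": "2019-06-01T00:00:00Z", "endDateTime": "2021-06-01T00:00:00Z"},
        {"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify",
         "startDateTime": "2021-03-10T00:00:00Z", "endDateTime": "2023-03-10T00:00:00Z"},
    ]},
    {"appId": "app-2222", "displayName": "HR Portal", "keyCredentials": []},
]


def broad_grants(grants):
    """Return (clientId, [broad scopes]) for tenant-wide grants that include a broad scope."""
    hits = []
    for g in grants:
        scopes = set(g["scope"].split())
        risky = scopes & BROAD_SCOPES
        if g["consentType"] == "AllPrincipals" and risky:
            hits.append((g["clientId"], sorted(risky)))
    return hits


def recent_certs(apps, now=NOW, window_days=30):
    """Return (appId, keyId) for X.509 credentials whose validity started inside the window."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for app in apps:
        for cred in app.get("keyCredentials", []):
            if cred["type"] != "AsymmetricX509Cert":
                continue
            # Graph emits trailing 'Z'; older Pythons' fromisoformat needs an explicit offset.
            start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
            if start >= cutoff:
                hits.append((app["appId"], cred["keyId"]))
    return hits


if __name__ == "__main__":
    for client, scopes in broad_grants(GRANTS):
        print(f"tenant-wide grant with broad scopes: {client} -> {', '.join(scopes)}")
    for app_id, key_id in recent_certs(APPS):
        print(f"certificate added recently: {app_id} keyId={key_id}")
```

In a live tenant the same two functions would be fed the output of the Graph `oauth2PermissionGrants` and `applications` endpoints; a certificate that appears on a long-lived app with no matching change ticket is the finding worth chasing, since that is exactly the credential an attacker needs to keep authenticating as the app after the user's own password and sessions have been reset.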


Researchers found that the SolarWinds-related attacks mainly targeted the U.S., Europe and Mexico.


In another recent development, Swiss cybersecurity firm Prodaft said Monday it had accessed several servers used by the SolarWinds supply chain attackers. A group it dubbed "SilverFish" conducted "extremely sophisticated" cyberattacks to perform reconnaissance and exfiltrate data from at least 4,720 targets, Prodaft said. Although U.S. authorities say the supply chain attack was part of a Russian cyber espionage operation, Prodaft stopped short of attributing the attack to a specific nation-state.


The Role of Cert ..