Adversaries are deploying virtual machines (VMs) for cryptocurrency mining and launching phishing attacks by using OAuth applications as an automation tool, according to a warning from Microsoft.

The Microsoft Threat Intelligence team said in an analysis that the threat actors compromise user accounts in order to create or modify OAuth applications and grant them high privileges, then use those applications to carry out and conceal malicious activity.

The misuse of OAuth also allows threat actors to keep access to apps even after they lose access to the originally compromised account, according to the Microsoft Threat Intelligence team.

OAuth (Open Authorization) is a framework for delegated authorization, not authentication: it lets an application access a user's data on another service with a scoped token instead of the user's password.

According to Microsoft's attack details, threat actors have been seen using phishing or password-spraying attacks to take over weakly secured accounts that have permission to create or modify OAuth applications.

Storm-1283 is one such adversary. It used a compromised user account to create an OAuth application and then deployed virtual machines for cryptocurrency mining. To the same end, the attackers also added a further set of credentials to existing OAuth applications they had access to.

In a separate incident, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to send email phishing campaigns that use adversary-in-the-middle (AiTM) phishing kits to steal victims' session cookies and bypass authentication safeguards.

To reduce the risk of these attacks, organizations should implement conditional access controls, regularly audit OAuth applications together with their credentials and granted permissions, and enforce multi-factor authentication (MFA).
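One way to act on the "audit apps and permissions" advice, and to catch the sequence described for Storm-1283 (create or reuse an app, add a credential, grant it high privileges), is to run detection logic over the tenant's directory audit log. The following is an added example, not Microsoft's detection logic or a tool from the report. It assumes records shaped like Microsoft Graph `directoryAudits` entries (`activityDisplayName`, `initiatedBy`, `targetResources`, `modifiedProperties`); the activity names and the `AppRole.Value` property name are assumed to match the Entra ID audit-log wording and should be checked against your own tenant's records. The audit records themselves are constructed for the example.

```python
"""Flag OAuth-app manipulation in Entra ID directory audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Audit activity names (assumed to match Entra ID wording) mapped to event kinds.
SUSPICIOUS_ACTIVITIES = {
    "Add application": "app_created",
    "Update application – Certificates and secrets management": "credential_added",
    "Add app role assignment to service principal": "app_permission_granted",
    "Add owner to application": "owner_added",
}

# Application permissions that let an app act tenant-wide without a signed-in user.
HIGH_PRIVILEGE_ROLES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Send",
}

# Constructed sample records (invented tenant, users and app names).
AUDIT_RECORDS = [
    {"activityDateTime": "2023-12-13T08:02:11Z", "activityDisplayName": "Add application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": "Fleet Monitor", "type": "Application"}]},
    {"activityDateTime": "2023-12-13T08:05:40Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": "Fleet Monitor", "type": "Application"}]},
    {"activityDateTime": "2023-12-13T08:09:03Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": "Fleet Monitor", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"Directory.ReadWrite.All\""}]}]},
    {"activityDateTime": "2023-12-13T08:30:19Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": "Legacy Sync Connector", "type": "Application"}]},
    # Benign: an admin grants a low-privilege delegated role to a long-standing app.
    {"activityDateTime": "2023-12-13T09:12:00Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "HR Portal", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"User.Read\""}]}]},
]


def _ts(record):
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def _initiator(record):
    who = record.get("initiatedBy", {})
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _granted_roles(record):
    roles = set()
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "AppRole.Value" and prop.get("newValue"):
                roles.add(prop["newValue"].strip('"'))
    return roles


def classify(record):
    """Return (kind, detail) for an interesting successful record, else None."""
    if record.get("result") != "success":
        return None
    kind = SUSPICIOUS_ACTIVITIES.get(record.get("activityDisplayName"))
    if kind is None:
        return None
    target = next((t["displayName"] for t in record.get("targetResources", [])
                   if t.get("displayName")), "?")
    detail = {"target": target}
    if kind == "app_permission_granted":
        detail["roles"] = _granted_roles(record)
        detail["high_privilege"] = bool(detail["roles"] & HIGH_PRIVILEGE_ROLES)
    return kind, detail


def flag_initiators(records, window=timedelta(hours=24)):
    """Group events per initiator and report (a) credentials added to apps the
    initiator did not just create and (b) high-privilege roles granted to an app
    within `window` of its creation or of a credential being added to it."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=_ts):
        hit = classify(rec)
        if hit:
            by_user[_initiator(rec)].append((_ts(rec),) + hit)
    findings = {}
    for user, events in by_user.items():
        reasons = []
        created = {d["target"] for _, k, d in events if k == "app_created"}
        for t, kind, d in events:
            if kind == "credential_added" and d["target"] not in created:
                reasons.append(f"credential added to pre-existing app {d['target']!r}")
            if kind == "app_permission_granted" and d["high_privilege"]:
                prior = [k for t0, k, d0 in events if t0 <= t and t - t0 <= window
                         and d0["target"] == d["target"] and k in ("app_created", "credential_added")]
                if prior:
                    roles = sorted(d["roles"] & HIGH_PRIVILEGE_ROLES)
                    reasons.append(f"{roles} granted to {d['target']!r} shortly after {prior}")
        if reasons:
            findings[user] = {"events": events, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in flag_initiators(AUDIT_RECORDS).items():
        print(user)
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed records, the scan flags `jdoe@contoso.example` twice (a tenant-wide role granted minutes after the app was created and given a secret, and a secret added to an app the user did not create) and stays silent on the admin's low-privilege grant. The second signal is deliberately noisy: adding a credential to an existing app is routine for its owners, so in practice it should be reviewed against the app's registered owners and change records rather than alerted on blindly. Feed the function real records by paging `GET /auditLogs/directoryAudits` with a filter on `activityDisplayName`.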