Microsoft reports abuse of OAuth for crypto mining and phishing
Exploiting OAuth for illicit activities: attackers adapt to emerging technologies
Microsoft has discovered that criminals are using OAuth infrastructure to conduct phishing and cryptocurrency mining attacks, leveraging compromised user accounts to create or alter OAuth applications. Microsoft suggests implementing multi-factor authentication and periodic checks to prevent such threats.
Microsoft has detected new criminal campaigns leveraging OAuth infrastructure to automate the deployment of virtual machines (VMs) in cryptocurrency mining and conduct phishing attacks. Attackers gain access to compromised accounts to create or modify OAuth applications, giving them high permissions to use in illicit activities. This method also allows criminals to maintain access to applications even if they lose control of the originally compromised account.
The use of OAuth in cryptocurrency mining
A particular malicious entity, identified as Storm-1283, was detected exploiting a compromised user account to create an OAuth application and deploy virtual machines dedicated to digital mining. The attackers also altered pre-existing OAuth applications tied to the account, adding credentials to them to achieve the same goals.
Phishing attacks using OAuth applications
An as yet unidentified malicious actor compromised multiple user accounts, subsequently using OAuth applications created for login persistence and to carry out phishing email attacks. "Adversary-in-the-middle" (AiTM) phishing kits are used with the aim of stealing session cookies and evading authentication measures. These intrusions can lead to financial fraud conducted over email, with the attackers searching mailboxes for attachments containing keywords such as “payment” and “invoice.”
Prevention recommendations
To combat the risks associated with these threats, Microsoft suggests that organizations implement multi-factor authentication (MFA), activate conditional access policies and carry out periodic reviews of apps and granted permissions. Such practices dramatically reduce the chances that phishing or cryptocurrency mining attacks via OAuth will be successful.
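As an added example (not from Microsoft's report or this article), the following Python script implements the periodic review of apps and granted permissions recommended above. It runs over a constructed sample shaped like the Microsoft Graph `application` resource and flags two things tied to the behaviour described earlier: credentials added to an app within a lookback window, and application ("Role") permissions, which work without a signed-in user. The app names, key IDs and the all-zero permission GUID are constructed placeholders; the Graph field names are real.

```python
"""Periodic review of OAuth app registrations for recently added credentials
and high-privilege application permissions (added example, not Microsoft's code)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the Graph `application` resource
# (GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials,requiredResourceAccess).
# 00000003-0000-0000-c000-000000000000 is the Microsoft Graph resource app id;
# the permission id 00000000-... is a placeholder, not a real permission.
SAMPLE_APPS_JSON = """[
 {"displayName": "HR Sync", "appId": "11111111-1111-1111-1111-111111111111",
  "passwordCredentials": [{"keyId": "k-001", "startDateTime": "2023-12-10T08:00:00Z"}],
  "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000000", "type": "Role"}]}]},
 {"displayName": "Intranet Portal", "appId": "22222222-2222-2222-2222-222222222222",
  "passwordCredentials": [{"keyId": "k-002", "startDateTime": "2022-01-05T09:30:00Z"}],
  "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000000", "type": "Scope"}]}]},
 {"displayName": "Mail Reader", "appId": "33333333-3333-3333-3333-333333333333",
  "passwordCredentials": [],
  "keyCredentials": [{"keyId": "k-003", "startDateTime": "2023-12-01T00:00:00Z"}],
  "requiredResourceAccess": []}
]"""


def _parse_time(value):
    """Graph returns ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_apps(apps, now, lookback_days=30):
    """Return (app name, reason) findings that warrant a human review."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for app in apps:
        name = app.get("displayName") or app.get("appId", "<unnamed>")
        # Credentials added to an existing app are the persistence technique described above.
        for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
            added = _parse_time(cred["startDateTime"])
            if added >= cutoff:
                findings.append((name, f"credential {cred.get('keyId')} added {added.date()}"))
        # "Role" entries are application permissions: usable without any signed-in user.
        for rra in app.get("requiredResourceAccess", []):
            roles = [a for a in rra.get("resourceAccess", []) if a.get("type") == "Role"]
            if roles:
                findings.append((name, f"{len(roles)} application permission(s) on {rra['resourceAppId']}"))
    return findings


if __name__ == "__main__":
    now = datetime(2023, 12, 13, 12, 17, tzinfo=timezone.utc)  # fixed clock for the sample
    for app_name, reason in review_apps(json.loads(SAMPLE_APPS_JSON), now):
        print(f"{app_name}: {reason}")
```

In production, replace the sample with the output of the Graph query named in the comment and run the review on a schedule; each finding is a starting point for checking who added the credential or consented to the permission.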
12/13/2023 12:17
Marco Verro