SharePoint Online attacked by SaaS ransomware: New world preventions, a liability to offer

Cybersecurity company Obsidian recently discovered a successful ransomware attack on SharePoint Online (part of Microsoft 365). Interestingly, the attack bypassed the usual method of compromising an endpoint and instead targeted a Microsoft 365 Global Administrator account.

Know more about the attack

After the attack, Obsidian's product and research teams investigated the incident. Although they did not disclose the victim's identity, they suspect the attacker was the group known as 0mega.

Source: Darkfeed

The attacker gained access and created a new user in the Active Directory (AD) called 0mega, granting it elevated privileges such as:

  • Global Administrator
  • SharePoint Administrator
  • Exchange Administrator
  • Teams Administrator, plus site collection administrator rights over multiple SharePoint sites and site collections

Additionally, the attacker removed over 200 existing administrators within a short time frame.

What’s the real motive?

In this case, the attacker focused on stealing files rather than encrypting them. They exfiltrated hundreds of files and then uploaded numerous files named PREVENT-LEAKAGE.txt.

These files served as a warning to the victim that the theft had taken place, and they provided a channel for negotiating a payment in exchange for not publishing the stolen data online.

Obsidian believes that this type of attack may become more common in the future. They expect the trend to grow because many companies have invested heavily in endpoint security products but have yet to establish robust SaaS security programs. 

The attacker’s strategy of solely stealing data instead of encrypting it has advantages: it avoids the risk of failed decryption attempts and is easier to manage.

The 0mega group, identified by the created account name, other indicators, and the infrastructure used, is suspected to be behind this attack. The group first gained attention in July 2022, when it was reportedly engaging in double extortion (ransomware combined with data theft) and ran a leak site where it claimed to have stolen 152 GB of data from an electronics repair company in May 2022.

Source: BleepingComputer

If Obsidian's suspicions are correct, the victim's identity may be revealed on the group's data leak site if they refuse to pay the ransom.

Did we learn anything important?

The main lesson from this attack is the importance of multi-factor authentication (MFA), especially for highly privileged accounts. While MFA makes it harder for attackers to use stolen credentials, it is not foolproof.

Even if the administrative account had MFA enabled, the attacker could have obtained or purchased the password on a forum and then worn the account owner down with MFA push fatigue (repeated approval prompts until one is accepted). Obsidian suggests companies can further harden themselves against these attacks by adopting phishing-resistant technologies such as WebAuthn.

Source: Yubico

“WebAuthn is an API that makes it very easy for a relying party, such as a web service, to integrate strong authentication into applications using support built into all leading browsers and platforms. This means that web services can now easily offer their users strong authentication with authenticators such as security keys or built-in platform authenticators such as biometric readers.” 

In retrospect

Companies invest significant amounts of money in SaaS to support their business operations, often entrusting regulated, confidential, and sensitive information to these applications. While progress has been made in detecting threats on endpoints, networks, and the cloud, SaaS threat detection is an area many companies are just beginning to address.

The report recommends strengthening SaaS controls, reducing excessive privileges, and revoking unauthorized or high-risk integrations to mitigate risk. It also suggests consolidating and analyzing SaaS audit and activity logs to identify patterns that may indicate a breach, an insider threat, or a compromised third-party integration.
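The three behaviours described earlier in the article (a freshly created account handed privileged roles, over 200 administrators removed in a short window, and bulk downloads followed by PREVENT-LEAKAGE.txt uploads) are exactly the kind of patterns that consolidated audit logs make visible. The script below is an added example, not code from Obsidian, Microsoft or PureVPN: it runs three simple detections over a constructed event stream whose field names (`actor`, `op`, `target`, `role`) are assumptions loosely modelled on Microsoft 365 audit records rather than the real schema, and the thresholds and time windows are illustrative defaults to tune per tenant.

```python
"""Triage of consolidated SaaS audit logs for the patterns described in the
article: a new account granted privileged roles, mass removal of existing
administrators, and bulk downloads followed by a ransom-note upload.

All events are constructed for this example; field names are assumptions
loosely modelled on Microsoft 365 audit records, not the real schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}
NOTE_NAME = "PREVENT-LEAKAGE.txt"  # ransom-note file name reported in the article


def _ev(minute, actor, op, target=None, **extra):
    """Build one constructed event, `minute` minutes after a fixed start time."""
    start = datetime(2023, 6, 1, 1, 0, 0)  # constructed timestamp
    event = {"time": start + timedelta(minutes=minute), "actor": actor,
             "op": op, "target": target}
    event.update(extra)
    return event


def build_sample_events():
    """Constructed event stream: benign admin activity plus the attack pattern."""
    events = [
        _ev(0, "it-admin@example.test", "Add member to role.",
            "newhire@example.test", role="Helpdesk Administrator"),
        _ev(5, "it-admin@example.test", "Add user.", "0mega@example.test"),
        _ev(6, "it-admin@example.test", "Add member to role.",
            "0mega@example.test", role="Global Administrator"),
        _ev(7, "0mega@example.test", "Add member to role.",
            "0mega@example.test", role="SharePoint Administrator"),
    ]
    # The new account strips existing admins: 12 removals within three minutes.
    for i in range(12):
        events.append(_ev(8 + i * 0.25, "0mega@example.test",
                          "Remove member from role.",
                          f"admin{i}@example.test", role="Global Administrator"))
    # Bulk download of files, then the ransom note is uploaded.
    for i in range(40):
        events.append(_ev(15 + i * 0.1, "0mega@example.test", "FileDownloaded",
                          f"finance/report{i}.xlsx"))
    events.append(_ev(20, "0mega@example.test", "FileUploaded",
                      f"finance/{NOTE_NAME}"))
    # A legitimate user downloading a few files must not trigger anything.
    for i in range(3):
        events.append(_ev(25 + i, "alice@example.test", "FileDownloaded",
                          f"hr/doc{i}.docx"))
    return sorted(events, key=lambda e: e["time"])


def _prune(queue, now, window):
    """Drop timestamps older than `window` from the left of a deque."""
    while queue and now - queue[0] > window:
        queue.popleft()


def new_accounts_granted_privilege(events, window=timedelta(hours=1)):
    """Accounts created and then given a privileged role within `window`."""
    created, hits = {}, set()
    for e in events:
        if e["op"] == "Add user.":
            created[e["target"]] = e["time"]
        elif e["op"] == "Add member to role." and e.get("role") in PRIVILEGED_ROLES:
            t0 = created.get(e["target"])
            if t0 is not None and e["time"] - t0 <= window:
                hits.add(e["target"])
    return hits


def mass_role_removals(events, threshold=5, window=timedelta(minutes=10)):
    """Actors who removed at least `threshold` role members inside any `window`.
    Returns {actor: peak removals seen in one window}."""
    recent, hits = defaultdict(deque), {}
    for e in events:
        if e["op"] != "Remove member from role.":
            continue
        q = recent[e["actor"]]
        q.append(e["time"])
        _prune(q, e["time"], window)
        if len(q) >= threshold:
            hits[e["actor"]] = max(hits.get(e["actor"], 0), len(q))
    return hits


def exfil_then_ransom_note(events, download_threshold=20, window=timedelta(hours=1)):
    """Actors who downloaded many files and then uploaded the ransom note."""
    downloads, hits = defaultdict(deque), set()
    for e in events:
        q = downloads[e["actor"]]
        _prune(q, e["time"], window)
        if e["op"] == "FileDownloaded":
            q.append(e["time"])
        elif e["op"] == "FileUploaded" and (e["target"] or "").endswith(NOTE_NAME):
            if len(q) >= download_threshold:
                hits.add(e["actor"])
    return hits


def triage(events):
    """Run all three detections and return the findings keyed by name."""
    return {"new_privileged_accounts": new_accounts_granted_privilege(events),
            "mass_role_removals": mass_role_removals(events),
            "exfil_then_note": exfil_then_ransom_note(events)}


if __name__ == "__main__":
    for name, finding in triage(build_sample_events()).items():
        print(f"{name}: {finding}")
```

Each detection is a single pass with a per-actor sliding window, so the same logic scales to a real export of tenant audit logs once the field names are mapped to the actual schema; the first two findings in particular are worth alerting on even in isolation, since legitimate administration rarely grants Global Administrator to a minutes-old account or strips dozens of admins at once.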

Author: PureVPN

Date: June 14, 2023

