Microsoft Warns of OAuth Attacks Tied to Cryptomining

This abuse of OAuth enhances the ability of adversaries to maintain access to applications, persisting even in situations in which the originally compromised account is no longer available.

Single sign-on standard OAuth or Open Authorization is a protocol for token-centric authentication and authorization that empowers applications to acquire access to data and resources based on permissions defined by the user (see: Warning: Careless OAuth Implementation Puts Billions at Risk).

The Microsoft Threat Intelligence team observed that the cyberthreat actors executed phishing and password-spraying attacks, targeting user accounts that lacked authentication safeguards and possessed the authority to create or modify OAuth applications.

“The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines for cryptocurrency mining, establish persistence following business email compromise, and launch spamming activity using the targeted organization’s resources and domain name,” the researchers said.

They spotted threat actor Storm-1283 exploiting a compromised user account to execute a cryptomining operation. It used the compromised account to sign in through a virtual private network, creating a new single-tenant OAuth application within Microsoft Entra ID.

The Redmond giant said that this application bore a striking resemblance to the Microsoft Entra ID tenant domain name, camouflaging its malicious intent. To enhance its functionality, a set of secrets was discreetly added to the application, the researchers said.

The compromised account’s ownership role on an Azure subscription also helped Storm-1283 gain further access. The threat actor, using the account’s privileges, granted “Contributor” role permissions to the application, empowering it to access and manipulate one of the active subscriptions.

Hackers then capitalized on pre-existing line-of-business OAuth applications accessible to the compromised user account within the tenant. They achieved this by introducing an additional set of credentials to augment the capabilities of these applications.

The actor deployed a limited number of virtual machines within the same compromised subscriptions, initiating the cryptomining operations using one of the existing applications. Subsequently, the actor revisited the scene and deployed additional VMs using the newly created application.

“Targeted organizations incurred compute fees ranging from 10,000 to 1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack,” Microsoft said.

Storm-1283 aimed to prolong the configuration for an extended duration to enhance the likelihood of successful cryptomining operations. To mitigate suspicion, the actor strategically employed a specific naming convention for the virtual machines, utilizing [DOMAINNAME][ZONENAME][1-9], a format comprising the tenant name followed by the region name.

Microsoft said it recognized the behavior of this actor by monitoring VM creation in Azure Resource Manager audit logs and looking for the activity “Microsoft.Compute/virtualMachines/write” performed by an OAuth application. While the naming convention used by the actor may change in time, it may still include the domain name or region names such as “east|west|south|north|central|japan|france|australia|canada|korea|uk|poland|brazil,” the researchers said.

Microsoft said it had detected this activity and collaborated with the Microsoft Entra team to neutralize the OAuth applications implicated in this attack. The company also said that it had notified affected organizations about this malicious activity and provided recommendations for further actions to safeguard their digital infrastructure.

Microsoft also detailed how threat actors had compromised user accounts and misused OAuth applications for their financially driven attacks, and it outlined recommendations for organizations to mitigate such attacks.

The company also provided detailed information on how Microsoft detects related activity for OAuth applications for BEC and phishing and for spamming activity, mitigation steps, detections for related techniques, and threat hunting guidance.