Top
Home / Cyber
Cyber, Cyber Security

Hackers using OAuth malware to hijack email servers

By

OAuth has two main purposes on the web right now. Often, it is used to create an account and log in to an online service. OAuth 2.0 is an authorization framework that allows applications to gain limited access to user accounts of specific services, such as Facebook, Google, Twitter, and GitHub. Its function is to delegate user authentication authority to the service that manages these accounts so that the service provides access to third-party applications. An example is when we use bank codes to arrange to access a social service online.

OAuth is an open standard that enables secure authorization using an API. It is currently in use since October 2012, in the OAuth 2.0 version, where its main improvements are that it now provides authorization flows for web, desktop, and mobile applications. Currently, services like Google, Facebook, Azure Active Directory, and Github only support OAuth 2.0 protocol.

Another example, you might give a third-party app access to only your Gmail emails but restrict it from doing anything else with your Google Account. This differs from simply providing a third-party app with your account password and letting it sign in. Apps are limited in what they can do, and this unique access token means account access can be revoked anytime without changing your master password or having access revoked by other apps.

However, given the full license these applications can have in a company’s core cloud applications, they have become an increasing attack surface and attack vehicle. Cybercriminals use a variety of methods to compromise OAuth applications.

Microsoft Exchange servers compromised via OAuth

The latest news is from Microsoft that a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the ultimate goal of deploying malicious OAuth applications and sending phishing emails.

The unauthorized access to the cloud tenant allowed the hacker to create a malicious OAuth application that added a malicious inbound connection to the email server. The attacker then used this inbound connector and transport rules designed to help avoid detection to deliver phishing emails through compromised Microsoft Exchange servers.

OAuth malware
Microsoft Excange Servers hacked via OAuth app

The attacker sent large volumes of spam emails within short time frames through other means, such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email infrastructure.

According to the Microsoft 365 Defender research team, the hacker’s motivation was to spread deceptive sweepstakes spam messages designed to trick recipients into providing credit card information and signing up for recurring subscriptions under the guise of winning a valuable prize.

The nature of the attack was fascinating as it did not involve any malware, and there were no security breach threats that were undetected.

Hackers access GitHub accounts via fake CircleCI alerts

CircleCI also posted a notice on its forums to raise awareness of the malicious campaign, explaining that the platform would never ask users to enter credentials to view changes to its terms of service. Of the official CircleCI (circleci.com). So far, the following have been confirmed:

emails-circleci.com

circle-cl.com

circle-ci.com

email-circleci.com

After obtaining valid account credentials, threat actors generate Personal Access Tokens (PATs), authorize OAuth applications, and sometimes add SSH keys to the account to persist even after a password reset.

GitHub reports that it saw content pulled from private repositories immediately after the breach. Threat actors use VPNs or proxies to make it harder to track them. If the compromised account has organization administrator rights, hackers create new user accounts and add them to the organization to maintain their presence.

Breach dozens of orgs using stolen OAuth tokens

Regarding GitHub, it is worth mentioning that since this campaign was first discovered on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using OAuth applications maintained by Heroku and Travis-CI, including npm.

The impact on the npm organization includes unauthorized access to private GitHub.com repositories and “potential access” to npm packages in AWS S3 storage.

GitHub was forced to contact respective teams from Heroku and Travis-CI to request that they begin their security investigations, revoke all OAuth user tokens associated with the affected apps, and begin notifying their users.

Tags: , ,
0

RELATED POSTS

Cyber Security, Featured

Swipe, double-tap, swipe. It's the digital world we've all become involved in the captivating reels of Instagram. As our fingers swipe over and over on phone displays, we increasingly share and see more than ever before. But have you ever

Featured, Smart Corner

ChatGPT, Deepfakes, and more sophisticated phishing scams are the biggest dangers for companies, which must learn to master AI to defeat it.  With ChatGPT4, the world has discovered the potential of generative artificial intelligence, a technology destined to change the tech sector and

Cyber Security, Featured

Meet the Head of Application Security at Emarsys in Hungary, SAP's customer engagement platform. István Szénási is responsible for the secure development and operation of their SaaS product; he brings expertise in vulnerability management, incident response, and security awareness. Additionally, he advises

4i magazine was founded with the vision of enabling our readers to make sense of the modern world. Our mission is to provide our audience with the most important, cutting-edge tech news and insights. Today's media landscape features too much information and not enough knowledge. Our coverage aims to fix that, by focusing the spotlight on developing trends, up-and-coming talents, and news that's worth your attention.

info@4imag.com
jobs@4imag.com

© Copyright 4i Mag 2022 All Rights Reserved