OAuth has two main purposes on the web right now. Often, it is used to create an account and log in to an online service. OAuth 2.0 is an authorization framework that allows applications to gain limited access to user accounts of specific services, such as Facebook, Google, Twitter, and GitHub. Its function is to delegate user authentication authority to the service that manages these accounts so that the service provides access to third-party applications. An example is when we use bank codes to arrange to access a social service online.
OAuth is an open standard that enables secure authorization using an API. It is currently in use since October 2012, in the OAuth 2.0 version, where its main improvements are that it now provides authorization flows for web, desktop, and mobile applications. Currently, services like Google, Facebook, Azure Active Directory, and Github only support OAuth 2.0 protocol.
Another example, you might give a third-party app access to only your Gmail emails but restrict it from doing anything else with your Google Account. This differs from simply providing a third-party app with your account password and letting it sign in. Apps are limited in what they can do, and this unique access token means account access can be revoked anytime without changing your master password or having access revoked by other apps.
However, given the full license these applications can have in a company’s core cloud applications, they have become an increasing attack surface and attack vehicle. Cybercriminals use a variety of methods to compromise OAuth applications.
Microsoft Exchange servers compromised via OAuth
The latest news is from Microsoft that a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the ultimate goal of deploying malicious OAuth applications and sending phishing emails.
The unauthorized access to the cloud tenant allowed the hacker to create a malicious OAuth application that added a malicious inbound connection to the email server. The attacker then used this inbound connector and transport rules designed to help avoid detection to deliver phishing emails through compromised Microsoft Exchange servers.
The attacker sent large volumes of spam emails within short time frames through other means, such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email infrastructure.
According to the Microsoft 365 Defender research team, the hacker’s motivation was to spread deceptive sweepstakes spam messages designed to trick recipients into providing credit card information and signing up for recurring subscriptions under the guise of winning a valuable prize.
The nature of the attack was fascinating as it did not involve any malware, and there were no security breach threats that were undetected.
Hackers access GitHub accounts via fake CircleCI alerts
CircleCI also posted a notice on its forums to raise awareness of the malicious campaign, explaining that the platform would never ask users to enter credentials to view changes to its terms of service. Of the official CircleCI (circleci.com). So far, the following have been confirmed:
emails-circleci.com
circle-cl.com
circle-ci.com
email-circleci.com
After obtaining valid account credentials, threat actors generate Personal Access Tokens (PATs), authorize OAuth applications, and sometimes add SSH keys to the account to persist even after a password reset.
GitHub reports that it saw content pulled from private repositories immediately after the breach. Threat actors use VPNs or proxies to make it harder to track them. If the compromised account has organization administrator rights, hackers create new user accounts and add them to the organization to maintain their presence.
Breach dozens of orgs using stolen OAuth tokens
Regarding GitHub, it is worth mentioning that since this campaign was first discovered on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using OAuth applications maintained by Heroku and Travis-CI, including npm.
The impact on the npm organization includes unauthorized access to private GitHub.com repositories and “potential access” to npm packages in AWS S3 storage.
GitHub was forced to contact respective teams from Heroku and Travis-CI to request that they begin their security investigations, revoke all OAuth user tokens associated with the affected apps, and begin notifying their users.