Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label OAuth. Show all posts

OAuth App Abuse: A Growing Cybersecurity Threat

User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field.

OAuth (Open Authorization) is a widely used authentication protocol that allows users to grant third-party applications limited access to their resources without exposing their credentials. While this technology streamlines user experiences and enhances efficiency, cybercriminals are finding innovative ways to exploit its vulnerabilities.

Recent reports from security experts shed light on the alarming surge in OAuth application abuse attacks. Money-grubbing cybercriminals increasingly leverage these attacks to compromise user accounts, with potentially devastating consequences. The attackers often weaponize OAuth apps to gain unauthorized access to sensitive information, leading to financial losses and privacy breaches.

One significant event that underscores the severity of this threat is the widespread targeting of Microsoft accounts. Cyber attackers have honed in on the popularity and ubiquity of Microsoft services, using OAuth app abuse as a vector for their malicious activities. This trend poses a serious challenge to both individual users and organizations relying on Microsoft's suite of applications.

According to a report, the attackers exploit vulnerabilities in OAuth applications to manipulate the authorization process. This allows them to masquerade as legitimate users, granting them access to sensitive data and resources. The consequences of such attacks extend beyond financial losses, potentially compromising personal and corporate data integrity.

The financial motivation behind these cybercrimes, emphasizes the lucrative nature of exploiting OAuth vulnerabilities. Criminals are driven by the potential gains from unauthorized access to user accounts, emphasizing the need for heightened vigilance and proactive security measures.

Dark Reading further delves into the evolving tactics of these attackers, emphasizing the need for a comprehensive cybersecurity strategy. Organizations and users must prioritize measures such as multi-factor authentication, continuous monitoring, and regular security updates to mitigate the risks associated with OAuth application abuse.

The increasing misuse of OAuth applications is a turning point in the continuous fight against cyberattacks. The strategies used by cybercriminals also change as technology does. People and institutions must remain knowledgeable, implement strong security procedures, and work together to protect the digital environment from these new dangers. According to the proverb, "An ounce of prevention is worth a pound of cure."

Azure AD 'Log in With Microsoft' Authentication Bypass at Risk


Organizations that have adopted the “Log in with Microsoft” feature to their Microsoft Azure Active Directory setups may be exposed to an authentication bypass, which might lead to account takeovers of online and cloud-based accounts.

Descope researchers have labeled the attack as “nOAuth”. The campaign, according to them is an authentication implementation flaw that affects multitenant OAuth apps in Azure AD, Microsoft's cloud-based identity and access management service. If the attack is successful, the threat actor could then take over their victim’s accounts, enabling them to create persistence, exfiltrate data, determine whether lateral movement is feasible, and other activities.

According to Omer Cohen, CISO at Descope ”OAuth and OpenID Connect are open, popular standards which millions of Web properties already use[…]If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted.”

About nOAuth Cyberattack Threat

OAuth is an open source, token-based authorization framework that enables users to log into applications automatically based on prior authentication to another reputable app. Most consumers are already familiar with this thanks to the "Log in with Facebook" or "Log in with Google" choices seen on numerous e-commerce websites.

OAuth is used in the Azure AD environment to control user access to outside resources including Microsoft 365, the Azure portal, and thousands of other SaaS applications that support OAuth apps.

According to Descope analysis "Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols."

As per an issue of Descope analysis, published this week, the flaw allows malicious actors to do cross-platform spoofing by only needing an unknowing victim's email address to mimic them. The email attribute under "Contact Information" in an Azure AD account can therefore be changed at will to control the email authentication claim by anyone with malicious intent and a reasonable level of platform expertise.

"[This] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate[…]They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication," the researchers noted.

Incorrect Implementation of OAuth

Incorrect implementation of OAuth has apparently turned into a business, urging organizations to shut down this potentially harmful attack vector.

Some recent cases of the attack include vulnerabilities in the authorization system of the Booking.com website. The attack could have allowed attackers to access user accounts and acquire their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

Another case came to highlight when a bug, tracked as CVE-2023-28131 was discovered in the OAuth implementation of Expo, an open-source framework for developing native mobile apps for iOS, Android, and other Web platforms which was apparently utilizing a single codebase. This vulnerability was the reason why online users were at risk, those who logged in to an online service that employs the framework using different social media accounts.

Cohen notes that the OAuth standard and other such standards are reliable and strong authentication approaches. However, organizations must ensure to collaborate with cybersecurity and authentication professionals when adopting them.

"These standards are extremely complicated to work with[…]Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application," says Cohen. He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts".

Moreover, he emphasized its importance, since threat actors are constantly on a lookout for these types of vulnerabilities.  

More Than 180 OAuth 2.0 Cloud Malware Apps Discovered

 

Researchers issued an alert to companies using cloud apps on Wednesday, revealing that in 2020, they discovered more than 180 different malicious open authorization (OAuth) applications targeting 55 percent of their customers with a 22 percent success rate. 

Although OAuth apps add business functionality and user interface improvements to major cloud platforms like Microsoft 365 and Google Workspace, the Proofpoint researchers said in a blog post that they're also a challenge because bad actors are now using malicious OAuth 2.0 apps or cloud malware to siphon data and access sensitive information. 

According to the researchers, several types of OAuth token phishing attacks and app misuse have been observed – techniques that attackers may use to perform reconnaissance, execute employee-to-employee attacks, and steal files and emails from cloud platforms. Many of the attacks made use of impersonation techniques like homoglyphs and logo or domain impersonation, as well as lures that persuaded people to click on COVID-19-related topics. 

Microsoft implemented a publisher verification system for apps to combat the issue of malicious third-party apps, but the researchers say it has achieved limited success. Bad actors may evade Microsoft's verification process for app publishers, according to Itir Clarke, senior product marketing manager at Proofpoint, by compromising a cloud account and using the legitimate tenant to create, host, and distribute malicious apps.

“Security teams can achieve this by limiting who can publish an app; reviewing the need, scope, and source of applications; and sanitizing the environment by revoking unused applications regularly, he added. Organizations should not only use Microsoft's "verified publisher" policy to protect customers, partners, and suppliers from these attacks, but they should also reduce their attack surface. 

Tim Bach, vice president of engineering at AppOmni stated, “Prioritize tooling that can integrate with existing security stacks so that teams don’t need to create new workflows and commitments to support newly critical SaaS deployments. Utilizing the newly-available automated solutions can free up your team to focus on the strategic shift to the cloud rather than needing to manually track every user and connected application.” 

OAuth device abuse campaigns are usually launched using malicious third-party software, according to Krishnan Subramanian, a security research engineer with Menlo Security. Microsoft Cloud App Security has a comprehensive page controlling permissions for third-party OAuth Applications for more details on how to query/audit third-party apps and organizations can also create social engineering training scenarios to create awareness amongst users about this specific type of attack, he added.

Another piece of advice for security professionals: The MITRE ATT&CK Framework technique T1550.001 details how threat groups have exploited OAuth application tokens in the past and lists mitigations against this particular technique.