- Researchers have observed that attackers use OAuth applications as weapons
- Attackers gain access that persists even across password and MFA changes
- This is not just a proof of concept: it has been observed in the wild.
Proofpoint researchers have discovered a tactic used by threat actors to weaponize OAuth applications to gain persistent access within compromised environments, where hackers can retain access even after MFA or a password reset is performed.
This attack has the potential to be devastating, as an attacker with access to a cloud account could open the door to a series of further intrusions. That account access could be used to create and authorize internal applications with custom permissions, granting access to files and communications and bypassing security controls.
In recent years, cybercriminals have increasingly used cloud account takeover (ATO) tactics, allowing them to hijack accounts, exfiltrate information, and use it as a foothold for other attacks. Both frequency and severity have increased and strategies are evolving rapidly.
Persistent access
Researchers have developed a proof of concept to describe what this attack could look like in the wild, creating a tool that automates the creation of malicious internal applications within the breached cloud environment.
A real-world example was also discovered when experts detected a successful login attempt that, according to threat intelligence, is likely associated with “Adversary in the Middle” social engineering attacks.
“After approximately 4 days, the user’s password was changed, after which we observed failed login attempts from a Nigerian residential IP address, suggesting the possible origin of the threat actor,” the researchers explain.
“However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not merely theoretical, but rather active and exploited risks in the current threat landscape.”
The only way to revoke access in these cases before the application's secret credentials expire (they remain valid for two years) is to manually remove the application's permissions, so continuously review and account for granted permissions and monitor applications on an ongoing basis.
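The following Python script is an added example, not code from the article or from Proofpoint's research, showing the kind of periodic review the previous paragraph calls for. It takes an inventory of application registrations, here a constructed sample in a vendor-neutral format whose field names are assumptions, and flags applications whose client secrets have unusually long lifetimes, whose credentials were added recently, or which hold broad mailbox or file permissions. The scope names and the thresholds are illustrative assumptions and should be replaced with the values that matter in your tenant.

```python
from datetime import datetime, timezone

# Illustrative permission scopes treated as high-privilege (assumption, not a
# vendor's real list): broad mailbox, file or directory write access.
HIGH_PRIVILEGE_SCOPES = {
    "mail.readwrite",
    "files.readwrite.all",
    "directory.readwrite.all",
}

# Constructed sample inventory (not from the article). Field names are
# assumptions for this example; export from your identity provider would
# need mapping onto this shape.
SAMPLE_APPS = [
    {
        "app_id": "app-001",
        "display_name": "HR Reporting Sync",
        "created": "2021-03-10T08:00:00Z",
        "created_by": "it-admin@example.com",
        "permissions": ["user.read"],
        "secrets": [
            {"created": "2021-03-10T08:00:00Z", "expires": "2022-03-10T08:00:00Z"},
        ],
    },
    {
        # Looks like the pattern in the article: a new app created from a
        # user account, holding broad permissions, with a two-year secret.
        "app_id": "app-002",
        "display_name": "Mail Helper",
        "created": "2024-05-01T13:47:00Z",
        "created_by": "j.doe@example.com",
        "permissions": ["mail.readwrite", "files.readwrite.all"],
        "secrets": [
            {"created": "2024-05-01T13:48:00Z", "expires": "2026-05-01T13:48:00Z"},
        ],
    },
    {
        "app_id": "app-003",
        "display_name": "Ticketing Connector",
        "created": "2023-01-15T09:00:00Z",
        "created_by": "it-admin@example.com",
        "permissions": ["user.read"],
        "secrets": [
            {"created": "2024-01-01T00:00:00Z", "expires": "2024-12-31T00:00:00Z"},
        ],
    },
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Fixed review time so the sample produces stable results offline.
REVIEW_TIME = parse_ts("2024-05-20T00:00:00Z")


def review_apps(apps, now, max_secret_days=365, recent_days=30):
    """Return one finding per application that has at least one risk reason.

    Reasons checked:
      * a granted permission is in HIGH_PRIVILEGE_SCOPES
      * an unexpired secret has a lifetime longer than max_secret_days
      * an unexpired secret was added within the last recent_days
    Expired secrets are ignored because they can no longer be used.
    """
    findings = []
    for app in apps:
        reasons = []
        for scope in app["permissions"]:
            if scope.lower() in HIGH_PRIVILEGE_SCOPES:
                reasons.append(f"high-privilege permission {scope}")
        for secret in app["secrets"]:
            s_created = parse_ts(secret["created"])
            s_expires = parse_ts(secret["expires"])
            if s_expires <= now:
                continue
            lifetime = (s_expires - s_created).days
            if lifetime > max_secret_days:
                reasons.append(f"secret lifetime {lifetime} days exceeds {max_secret_days}")
            if (now - s_created).days <= recent_days:
                reasons.append(f"secret added within the last {recent_days} days")
        if reasons:
            findings.append({
                "app_id": app["app_id"],
                "display_name": app["display_name"],
                "created_by": app["created_by"],
                "reasons": reasons,
            })
    return findings


def format_report(findings):
    """Render findings as plain text, one application per paragraph."""
    lines = []
    for f in findings:
        lines.append(f"{f['app_id']} ({f['display_name']}, created by {f['created_by']})")
        lines.extend(f"  - {r}" for r in f["reasons"])
    return "\n".join(lines) if lines else "no risky applications found"


if __name__ == "__main__":
    print(format_report(review_apps(SAMPLE_APPS, REVIEW_TIME)))
```

Each finding keeps the creating identity, which is what an incident responder needs to decide whether the account that registered the application was itself compromised; the script only reports, and removing the application's permissions remains a manual, deliberate step as the article describes.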