- Researchers have observed attackers weaponizing OAuth apps
- Attackers gain access that persists even through password changes and MFA
- This is not just a proof of concept – it has been observed in nature
Researchers at Proofpoint have discovered a tactic used by threat actors to weaponize OAuth applications to gain persistent access in compromised environments – where hackers can maintain access even after MFA or a password reset is performed.
This attack has the potential to be devastating, as an attacker with access to a cloud account can open the door to a number of other intrusions. This account access could then be used to create and authorize internal applications with customized permissions – allowing access to files, communications and bypassing security.
Cybercriminals have increasingly used cloud account takeover (ATO) tactics in recent years – as it allows them to hijack accounts, wipe out information and use this as a foothold for other attacks. Both frequency and difficulty have increased, and strategies are evolving rapidly.
Persistent access
The researchers have developed a proof of concept to outline what this attack might look like in the wild, building a tool that automates the creation of malicious internal applications in the breached cloud environment.
A real-world example was also discovered when experts discovered a successful login attempt which, based on threat intelligence, is likely to be associated with ‘Adversary-in-the-Middle’ social engineering attacks.
“After approximately 4 days, the user’s password was changed, after which we observed failed login attempts from a Nigerian residential IP address, suggesting the possible origin of the threat actor,” the researchers explain.
“However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog and shows that these threats are not just theoretical – but active, exploited risks in the current threat landscape.”
The only way to revoke access in these cases before the expiration of the secret credentials (which remain valid for two years) is to manually remove permissions, so be sure to consistently review and account permissions regularly and continuously monitor applications.
The best antivirus for all budgets
