- Researchers have observed attackers weaponizing OAuth apps
- Attackers gain access that persists even through password changes and MFA
- This isn't just a proof of concept - it's been observed in the wild
Researchers at Proofpoint have discovered a tactic used by threat actors to weaponize OAuth applications in order to gain persistent access within compromised environments - where hackers can retain access even after MFA or a password reset is carried out.
This attack has the potential to be devastating, as an attacker with access to a cloud account could open the door for a series of other intrusions. This account access could then be used to create and authorize internal applications with custom permissions - allowing the access to files, communications, and sidestepping security.
Cybercriminals have increasingly used cloud account takeover (ATO) tactics in recent years - as it allows them to hijack accounts, exfiltrate information, and use this as a foothold for other attacks. Both frequency and severity has increased, with strategies fast evolving.
Persistent access
The researchers have developed a proof of concept to outline how this attack might look in the wild, building a tool that automates the creation of malicious internal applications within the breached cloud environment.
A real-world example was also discovered when experts detected a successful login attempt, which, based on threat intelligence, is likely to be associated with ‘Adversary-in-the-middle’ social engineering attacks.
“After approximately 4 days the user's password was changed, following which we observed failed login attempts from a Nigerian residential IP address, suggesting the threat actor's possible origin,” the researchers explain.
“However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not merely theoretical - but active, exploited risks in the current threat landscape.”
The only way to revoke access in these cases before the expiration of the secret credentials (which remain valid for two years) is by manually removing permissions, so make sure to consistently review and account permissions regularly and continuously monitor applications.
