Microsoft Previews Feature to Block Malicious OAuth Apps


Threat actors are increasingly including malicious OAuth apps in their campaigns to break into cloud-based systems and applications. To address this growing problem, Microsoft is adding automated attack disruption capabilities to its extended detection and response (XDR) offering that can automatically deactivate malicious OAuth apps. 

OAuth (Open Authentication standard) provides automated logins to applications and systems via API tokens, giving users a secure way to authenticate and protect their data. It lets users access multiple accounts without entering credentials each time they log in.

However, OAuth apps are also being abused. Back in December, Microsoft Threat Intelligence discovered various attacks that compromised user accounts for Microsoft cloud services, allowing the attackers to create, modify, and grant broad privileged access to OAuth applications. Attackers were able to retain access to those applications even after losing access to the account they initially breached. With that access, the threat actors launched phishing and password-spraying attacks on user accounts that lacked strong authentication. With elevated permissions, the attackers could launch spam campaigns using the victims’ resources and domain names, or otherwise establish persistence within the victim environment.

“Once an OAuth app is given login permission, it can do a lot of things. And if you give permission to a malicious OAuth app, it can log in as you and operate within the system as if it’s you, and stopping that malicious activity is really, really important,” says Sherrod DeGrippo, director of Microsoft’s threat intelligence strategy.

Just last week, the online storage service Dropbox warned that an attacker had accessed customer credentials of its Dropbox Sign service and advised security professionals to rotate their API and OAuth keys and tokens.

Expanding Defender XDR Capabilities

Last year, Microsoft added automatic attack disruption capabilities to Defender XDR (formerly Microsoft 365 Defender) to remediate ransomware, business email compromise (BEC), and attacker-in-the-middle attacks, as well as to detect and disrupt brute-force attacks that use credential stuffing and password spray methods. Defender XDR now stops many ransomware and BEC attacks within three minutes, DeGrippo says.

The newest capability, which Microsoft is previewing during RSA Conference in San Francisco, Calif. this week, focuses on disrupting attacks against SaaS-based applications using malicious OAuth apps. Defender XDR would automatically disable the compromised OAuth app, thereby shutting the attacker out from further exploitation, Microsoft wrote in a post announcing the feature. “Not only does attack disruption now stop OAuth app attacks, but it can significantly disrupt more scenarios that involve a compromised user such as leaked credentials, stuffing and guessing,” the company said. 
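The abuse pattern the article describes (a compromised account registers or consents to an app, grants it broad permissions, and the app keeps acting on its own tokens after the account is cleaned up) can be expressed as a simple correlation over audit events. The following is an added illustration, not Microsoft's code and not how Defender XDR is implemented: it runs over a constructed event list whose field names and operation labels are assumptions loosely modelled on tenant audit logs, and it decides which app IDs a defender would want to disable versus merely review.

```python
"""Toy detector for the OAuth-app persistence pattern described above.

Added example, not Microsoft's code. The event records below are
constructed; their field names ("op", "actor", "app_id", "scopes", ...)
are assumptions for illustration, not a real log schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Permissions that let an app act broadly on behalf of a tenant or its users.
# These are real Microsoft Graph permission names, but which ones count as
# "broad" is an assumption you should tune to your own tenant.
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}


@dataclass
class Finding:
    app_id: str
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        # Disable automatically only when the app is tied to an account already
        # known to be compromised; a broad-permission app registered by a clean
        # account is surfaced for analyst review instead.
        return "disable_app" if "creator_compromised" in self.reasons else "review"


def analyze(events, compromised_users):
    """Correlate audit events per app and return {app_id: Finding}.

    compromised_users: accounts already flagged by an earlier alert.
    """
    apps = defaultdict(lambda: {"creator": None, "scopes": set(),
                                "acts_after_remediation": False})
    remediated_at = {}  # user -> timestamp of password reset / session revocation

    for ev in sorted(events, key=lambda e: e["ts"]):
        op = ev["op"]
        if op == "Add application":
            apps[ev["app_id"]]["creator"] = ev["actor"]
        elif op == "Consent to application":
            apps[ev["app_id"]]["scopes"].update(ev["scopes"])
        elif op == "Reset user password":
            remediated_at[ev["target"]] = ev["ts"]
        elif op == "App activity":
            # The app itself is the actor here (token-based, no user sign-in).
            app = apps[ev["actor"]]
            creator = app["creator"]
            if creator in remediated_at and ev["ts"] > remediated_at[creator]:
                app["acts_after_remediation"] = True  # retained access

    findings = {}
    for app_id, info in apps.items():
        reasons = []
        if info["creator"] in compromised_users:
            reasons.append("creator_compromised")
        broad = info["scopes"] & HIGH_PRIVILEGE_SCOPES
        if broad:
            reasons.append("broad_permissions:" + ",".join(sorted(broad)))
        if info["acts_after_remediation"]:
            reasons.append("active_after_owner_remediation")
        if reasons:
            findings[app_id] = Finding(app_id, reasons)
    return findings


# Constructed sample: alice is a known-compromised account; bob is clean.
SAMPLE_EVENTS = [
    {"ts": 1, "op": "Add application", "actor": "alice@contoso.test", "app_id": "app-111"},
    {"ts": 2, "op": "Consent to application", "actor": "alice@contoso.test",
     "app_id": "app-111", "scopes": ["Mail.Send", "Directory.ReadWrite.All"]},
    {"ts": 3, "op": "Reset user password", "actor": "admin@contoso.test",
     "target": "alice@contoso.test"},
    {"ts": 4, "op": "App activity", "actor": "app-111", "detail": "sent 500 messages"},
    {"ts": 5, "op": "Add application", "actor": "bob@contoso.test", "app_id": "app-222"},
    {"ts": 6, "op": "Consent to application", "actor": "bob@contoso.test",
     "app_id": "app-222", "scopes": ["Directory.ReadWrite.All"]},
    {"ts": 7, "op": "Add application", "actor": "bob@contoso.test", "app_id": "app-333"},
    {"ts": 8, "op": "Consent to application", "actor": "bob@contoso.test",
     "app_id": "app-333", "scopes": ["User.Read"]},
]


def run_sample():
    return analyze(SAMPLE_EVENTS, compromised_users={"alice@contoso.test"})


if __name__ == "__main__":
    for app_id, f in run_sample().items():
        print(app_id, f.action, f.reasons)
```

In the sample, app-111 is marked for disabling on three grounds (compromised creator, broad permissions, activity after the owner's password reset), app-222 is queued for review because of its permissions alone, and app-333 produces no finding. The point of the third signal is the one the article makes: resetting the user's password does nothing to the app's own tokens, so the app must be disabled separately.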

Microsoft also added native protection for operational technology (OT) and industrial control systems (ICS) in Defender XDR. According to Microsoft, defenders can now detect and respond to threats across OT systems and analyze the security posture of their industrial control system from the Defender XDR portal. 

Because attackers are using AI to accelerate the speed of their attacks, Microsoft officials say AI is necessary to keep pace. According to Forrester Research, the mean time to detect, respond, eradicate and recover from an attack on average is 63 days. And according to a recent analysis by Microsoft, attackers begin lateral movement within an organization within five minutes, while they can complete an entire attack chain within two hours. 

“AI is leveraged heavily, not just within our detection capability but also within this disruption capability,” DeGrippo says. “Like everything we do, we want to be faster than a threat actor, and AI is one of those things that absolutely gives you the power of speed.”
