SaaS Ransomware, as highlighted by British cybersecurity enterprise Obsidian, is indeed evolving. They have seen a new ransomware attack on SharePoint Online that was strangely carried out using a Microsoft Global SaaS admin account. This technique clearly veers apart from the usual strategy of attacking hacked endpoints, revealing an important change in the cyber threat environment.
The victim headed right to the product and development team at Obsidian following the compromise to ask for their help. The goal was to thoroughly examine the attack’s details and deal with any consequences. Obsidian made the decision to conceal the victim’s identify while explaining the incident in its blog post.
The cybersecurity company asserts that the hack was most likely planned by the covert group known as 0mega.
According to Glenn Chisholm, co-founder and CPO at Obsidian:
Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments. This attack shows that endpoint security isn’t enough, as many companies are now storing and accessing data in SaaS applications.
Ransomware Threat Affecting SaaS Platforms
Obsidian noted that the attack began with an associate of the 0mega group obtaining login information from a service account that wasn’t appropriately protected. It’s interesting to note that this account belonged to a Microsoft Global administrator for the affected company.
This hacked account was not only reachable over a public internet connection, but it also missed the multi-factor authentication (MFA) that is a must for security. MFA is recognised by NCSC as being essential for all accounts, especially privileged ones, and is endorsed as such by a large majority of them.
Once inside, the intrusive party started the process of creating a new Active Directory (AD). High-level powers, such as Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator, were granted to this new organisation.
The intruder also granted site collection administrator privileges to several SharePoint sites and collections. More than 200 administrators had their responsibilities removed by the attacker in under two hours, securing their authority over the compromised system.
The primary goal of the SaaS attack was to steal data. After extracting hundreds of files, the intruder went on to flood the system with thousands of PREVENT-LEAKAGE.txt files.
This well-planned action had two purposes: first, it informed the unaware victim about the stolen data, and second, it opened a line of contact with the attacker. The main goal was to make a settlement deal with the victim to prevent the potential internet disclosure of the stolen information.
Obsidian’s investigation revealed that the 0mega threat actors used the stolen admin credentials to delete 200 administrator accounts in two hours.
A “site collection” in the context of SharePoint is a group of websites that are a part of the same web application and have common administrative settings and ownership. Larger companies with various business activities and departments coexisting often have these site groupings. Like how individuals do, businesses that manage large data sets commonly use site collections to efficiently manage their data.
The attacker’s intention of creating automation specifically for this kind of attack suggests an advantage for adopting this approach in other circumstances. The focus on data theft alone, rather than the combination of theft and encryption, is a growing trend.
It is becoming increasingly common to rely entirely on data theft, avoiding the more traditional stealing route that is followed by encryption. This tactical move not only avoids potential damage to the attacker’s reputation from failed decryption procedures, but it also simplifies the administrative processes, making it a simpler path to follow.
0mega gained popularity in July 2022 as a result of a research investigation that exposed their use of double extortion strategies. In addition, a breaches website claimed that 0mega had stolen 152 GB of data from an electronics repair business in May 2022.
Multi-Factor Authentication (MFA) is important and should be used as a first and main protection. All accounts should ideally have it, but those with higher rights must pay particular attention to it. It must be kept in mind that threat actors can get credentials using a variety of techniques, including self-conducted phishing attacks, guessing, purchasing them from dark web databases, or purchasing them from criminal access brokers.
Successful ransomware attacks are most-often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.