Cybersecurity firm Obsidian has discovered a successful ransomware attack targeting SharePoint Online (Microsoft 365) through a compromised Microsoft Global SaaS admin account, deviating from the typical approach of starting from a compromised endpoint.
The attack involved the creation of a new Active Directory user with elevated privileges and the removal of the existing administrators. Rather than encrypting the stolen files, the attacker focused on data theft and uploaded files to the environment as a means of communication and extortion.
Obsidian anticipates an increase in such attacks, emphasizing the need for robust SaaS security programs and the implementation of multi-factor authentication (MFA).
Obsidian believes the attack was orchestrated by the Omega group, recognizable through various indicators and infrastructure. Omega gained attention in July 2022 for employing double extortion techniques and claiming responsibility for a data breach in May 2022.
If Omega is indeed responsible, the victim’s identity may be revealed if they refuse to pay the ransom and the data is published on Omega’s leaks site.
The attack highlights the importance of using MFA, especially for highly privileged accounts, as attackers can obtain credentials through various means. While MFA makes the use of stolen credentials more difficult, it is not foolproof.
Obsidian suggests further fortifying environments against such attacks, including the adoption of phishing-resistant ("phishless") authentication technologies such as WebAuthn.
The report emphasizes the significance of SaaS threat detection, since companies invest substantial resources in SaaS applications that hold regulated and sensitive information. It recommends strengthening SaaS controls, limiting excessive privileges, and analyzing audit/activity logs to identify potential breaches, insider threats, or compromised integrations.
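As an added example (not from Obsidian's report), the following detection logic looks in SaaS audit records for the takeover sequence described above: one actor creates a new account, grants it a privileged role, and then strips other members of that role within a short window. The record layout and operation strings are assumptions modeled on Microsoft 365 audit-log conventions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real log data); field names and
# operation strings are assumed, not a verified Microsoft 365 schema.
SAMPLE_LOG = [
    {"time": "2023-06-01T02:10:00", "actor": "svc-admin@example.com",
     "op": "Add user.", "target": "backup-ops@example.com", "role": None},
    {"time": "2023-06-01T02:12:00", "actor": "svc-admin@example.com",
     "op": "Add member to role.", "target": "backup-ops@example.com",
     "role": "Global Administrator"},
    {"time": "2023-06-01T02:15:00", "actor": "svc-admin@example.com",
     "op": "Remove member from role.", "target": "alice@example.com",
     "role": "Global Administrator"},
    {"time": "2023-06-01T02:16:00", "actor": "svc-admin@example.com",
     "op": "Remove member from role.", "target": "bob@example.com",
     "role": "Global Administrator"},
    # Benign: a lone admin grant by a different actor the next day.
    {"time": "2023-06-02T09:00:00", "actor": "it-lead@example.com",
     "op": "Add member to role.", "target": "carol@example.com",
     "role": "Global Administrator"},
]

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator"}

def detect_admin_takeover(records, window_minutes=60):
    """Return findings where one actor grants a privileged role and then
    removes other members of that role inside the time window; flag
    whether the newly privileged account was created by the same actor."""
    findings, by_actor = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_actor.setdefault(r["actor"], []).append(r)
    for actor, evs in by_actor.items():
        created = {e["target"] for e in evs if e["op"] == "Add user."}
        for grant in evs:
            if grant["op"] != "Add member to role." or grant["role"] not in PRIVILEGED_ROLES:
                continue
            t0 = datetime.fromisoformat(grant["time"])
            deadline = t0 + timedelta(minutes=window_minutes)
            removed = [e["target"] for e in evs
                       if e["op"] == "Remove member from role."
                       and e["role"] == grant["role"]
                       and e["target"] != grant["target"]
                       and t0 <= datetime.fromisoformat(e["time"]) <= deadline]
            if removed:  # grant followed by purge of existing admins
                findings.append({"actor": actor, "new_admin": grant["target"],
                                 "newly_created": grant["target"] in created,
                                 "role": grant["role"], "removed": removed})
    return findings
```

Running `detect_admin_takeover(SAMPLE_LOG)` yields one finding for the service-admin actor and none for the benign grant.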