In a recent security incident, cybersecurity firm Obsidian uncovered a targeted SaaS ransomware attack on SharePoint Online (Microsoft 365) carried out through a compromised Microsoft Global SaaS admin account. Unlike typical ransomware attacks that focus on encryption, this attack aimed at data theft. This blog post delves into the attack details, highlights the emerging trend of data theft, and provides recommendations to enhance SaaS security measures.
The Attack Scenario:
Obsidian's analysis revealed that the attacker, believed to be the group known as 0mega, gained access to the victim's environment and rapidly escalated privileges. By creating a new Active Directory (AD) user named "0mega" with elevated privileges, including the Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator roles, the attacker gained significant control over multiple SharePoint sites and site collections. Within just two hours, the attacker removed over 200 existing administrators.
Shifting Focus to Data Theft:
Rather than encrypting files, the attacker exfiltrated a large number of them and uploaded several PREVENT-LEAKAGE.txt files. This strategy aimed to notify the victim of the data theft and open a channel for negotiation, pressuring them to pay a ransom to prevent public exposure of the stolen information.
The Emerging Trend:
Security experts predict a rise in similar attacks because SaaS security programs are generally weaker than endpoint security measures. By focusing on data theft rather than encryption, attackers avoid the reputational damage associated with failed decryption attempts. This approach is simpler to execute and can be automated, indicating a potential shift in attacker strategies.
The 0mega Group and Possible Victim Identification:
Based on the account name, identifiable patterns, and the infrastructure used, security researchers suspect the involvement of the 0mega group in this attack. The group gained notoriety in July 2022 for employing double extortion tactics and operating a leaks site that showcased 152 GB of data stolen from an electronics repair company in May 2022. If the victim refuses to pay the ransom, their identity may be exposed through the leaks site.
Mitigating Risks with Zero Trust Multi-Factor Authentication and WebAuthn:
Obsidian emphasizes that multi-factor authentication (MFA) is a crucial security measure, particularly for highly privileged accounts. While MFA adds an extra layer of protection against stolen credentials, it is not foolproof: attackers can still acquire or purchase passwords on forums and execute MFA push fatigue attacks. To further strengthen SaaS environments, companies should explore phishing-resistant technologies such as WebAuthn.
Securing SaaS Environments:
Given the substantial investments in SaaS applications and the sensitive information they contain, companies must prioritize SaaS threat detection. At Armoryze, we understand the crucial need for robust SaaS security. To safeguard your valuable data, we recommend implementing the following measures:
While companies invest significant resources in SaaS applications, SaaS threat detection remains an area that requires further attention. The recent SharePoint Online ransomware attack serves as a reminder to reinforce SaaS security measures, including MFA, hardening controls, and active monitoring and analysis of SaaS activity logs. By adopting these practices, organizations can better protect their regulated, confidential, and sensitive information from emerging SaaS threats.
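As an added illustration of what "active monitoring of SaaS activity logs" can look like for the attack sequence described above (a freshly created account granted Global Administrator and other privileged roles, followed by mass removal of existing administrators), the following example is ours, not Obsidian's or Microsoft's code. The records are constructed and use a simplified tuple layout standing in for Microsoft 365 audit log entries; the account names, times and sequence are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, operation, actor, target, role). The
# operation strings and layout are a simplified stand-in for Microsoft 365
# audit log entries; accounts, times and sequence are invented, not real data.
SAMPLE_LOG = [
    ("2023-07-01T09:00:00", "Add member to role.", "it-admin@victim.example", "sp-lead@victim.example", "SharePoint Administrator"),
    ("2023-07-01T10:00:00", "Add user.", "admin1@victim.example", "omega@victim.example", ""),
    ("2023-07-01T10:03:00", "Add member to role.", "admin1@victim.example", "omega@victim.example", "Global Administrator"),
    ("2023-07-01T10:04:00", "Add member to role.", "admin1@victim.example", "omega@victim.example", "SharePoint Administrator"),
    ("2023-07-01T10:05:00", "Add member to role.", "admin1@victim.example", "omega@victim.example", "Exchange Administrator"),
    ("2023-07-01T10:20:00", "Remove member from role.", "omega@victim.example", "admin2@victim.example", "SharePoint Administrator"),
    ("2023-07-01T10:21:00", "Remove member from role.", "omega@victim.example", "admin3@victim.example", "SharePoint Administrator"),
    ("2023-07-01T10:25:00", "Remove member from role.", "omega@victim.example", "admin4@victim.example", "Global Administrator"),
    ("2023-07-01T11:10:00", "Remove member from role.", "omega@victim.example", "admin5@victim.example", "SharePoint Administrator"),
    ("2023-07-01T15:00:00", "Remove member from role.", "it-admin@victim.example", "leaver@victim.example", "Teams Administrator"),
]
PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}

def _t(rec):
    return datetime.fromisoformat(rec[0])

def new_account_privileged(log, window=timedelta(hours=24)):
    """(account, role) pairs where a privileged role was granted within
    `window` of the account's creation: the first step of the attack above."""
    created = {rec[3]: _t(rec) for rec in log if rec[1] == "Add user."}
    hits = []
    for rec in log:
        if rec[1] == "Add member to role." and rec[4] in PRIVILEGED_ROLES:
            born = created.get(rec[3])
            if born is not None and timedelta(0) <= _t(rec) - born <= window:
                hits.append((rec[3], rec[4]))
    return hits

def mass_role_removal(log, threshold=3, window=timedelta(hours=2)):
    """{actor: most removals in any sliding `window`} for actors that strip
    `threshold` or more role memberships in that time (the mass admin purge)."""
    per_actor = defaultdict(list)
    for rec in sorted(log, key=_t):
        if rec[1] == "Remove member from role.":
            per_actor[rec[2]].append(_t(rec))
    flagged = {}
    for actor, times in per_actor.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged
```

Both checks are intentionally simple; in production the thresholds would be tuned against normal admin churn, and the alerts should be routed to a workflow that can revoke sessions and roles quickly.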
The recent SharePoint Online ransomware attack highlights the need for organizations to prioritize SaaS security measures. By focusing on data theft instead of encryption, attackers avoid the risk of failed decryption and the reputational damage that comes with it. To mitigate these risks, it is essential to implement robust security practices, including multi-factor authentication, hardening controls, and continuous monitoring of SaaS activity logs. Additionally, adopting a zero-trust security approach can further enhance SaaS security and protect sensitive information. Armoryze is here to support you in strengthening your SaaS security and safeguarding your valuable data. Contact us today for a complimentary consultation.