Obsidian, a security firm, has uncovered an unprecedented case of automated SaaS ransomware extortion.
The 0mega ransomware group successfully attacked a company's SharePoint Online environment without first compromising an endpoint, which is the usual entry point in ransomware attacks.
This incident sheds light on the increasing interest among threat actors in targeting data from software-as-a-service providers.
Key Takeaways of the Automated SaaS Ransomware Extortion:
- The 0mega ransomware group conducted an automated SaaS ransomware attack, infiltrating a company’s SharePoint Online environment without compromising an endpoint.
- This attack demonstrates the need for enhanced security measures beyond endpoint protection, as organizations increasingly rely on SaaS applications for data storage and access.
- Growing attacker interest in SaaS environments is driven by the lack of equivalent security controls compared to endpoints, making proactive risk management and robust controls crucial.
Attack Highlights Shift in Ransomware Tactics
Glenn Chisholm, co-founder and CPO at Obsidian, emphasizes that most enterprise efforts to combat ransomware have focused on endpoint protection.
This attack, however, shows that endpoint controls alone are insufficient: as companies increasingly store and access data through SaaS applications, an attacker who holds valid SaaS credentials never needs to touch an endpoint at all.
The incident serves as a wake-up call to the necessity of securing SaaS environments effectively.
Compromised Credentials Enable Extensive Access
The 0mega group gained access to the victim organization's Microsoft 365 Global Administrator account, which was weakly secured and had no multi-factor authentication (MFA) enforced.
With this compromised account, the threat actor created a new user named "0mega" in the tenant's Azure Active Directory (now Microsoft Entra ID) and assigned it multiple administrative roles: Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator.
The attacker then made the 0mega account a site collection administrator and removed every other site collection administrator from the SharePoint Online environment, leaving the rogue account in sole control of the sites.
Exfiltration and Exploitation Techniques
Using the elevated privileges, the threat actor exfiltrated hundreds of files from the victim’s SharePoint Online libraries.
The data was sent to a virtual private server (VPS) host associated with a Russian web hosting company. To enumerate and download the SharePoint content, the attacker used "sppull", a publicly available Node.js module for pulling files from SharePoint document libraries.
Using the "got" HTTP client module, the actor then uploaded thousands of text files back into the victim's SharePoint environment; these files served as the ransom notes informing the organization of the attack.
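The chain described in the two sections above (rogue account creation, bulk admin-role grants, site collection admin takeover, then high-volume downloads followed by high-volume uploads from one actor) leaves a distinctive trail in the Microsoft 365 Unified Audit Log. The following is an added example of how a defender might hunt for that trail; it is not Obsidian's tooling and not the attacker's scripts. The records are constructed: field names loosely follow the Office 365 Management Activity API common schema (`Operation`, `UserId`, `ClientIP`, `ModifiedProperties`, `Target`), but the tenant, accounts, IP addresses, file names and event counts are invented, and `TargetUserOrGroupName` on the site-admin records is an assumed field name.

```python
"""Hunt for a 0mega-style SaaS takeover chain in Microsoft 365 Unified Audit Log records.

Added example, not Obsidian's code. All records below are constructed; field
names approximate the Office 365 Management Activity API schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
BASE = datetime(2023, 6, 1, 2, 0, 0)          # constructed timestamp origin
PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}

ATTACKER = "0mega@contoso.onmicrosoft.com"            # constructed
COMPROMISED_ADMIN = "admin@contoso.onmicrosoft.com"   # constructed
VPS_IP = "198.51.100.10"                              # constructed (TEST-NET-2)
SITE = "https://contoso.sharepoint.com/sites/finance"


def _ts(seconds):
    return (BASE + timedelta(seconds=seconds)).strftime(TS_FMT)


def _role_grant(seconds, actor, target, role):
    # Azure AD audit record; the role name is carried in ModifiedProperties.
    return {"CreationTime": _ts(seconds), "RecordType": 8, "Operation": "Add member to role.",
            "UserId": actor, "ClientIP": VPS_IP, "Target": [{"ID": target, "Type": 5}],
            "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": role}]}


def _file_op(seconds, actor, op, name, ip):
    return {"CreationTime": _ts(seconds), "RecordType": 6, "Operation": op,
            "UserId": actor, "ClientIP": ip, "ObjectId": f"{SITE}/Shared Documents/{name}"}


SAMPLE_LOG = [
    # 1. compromised Global Admin creates the rogue account
    {"CreationTime": _ts(0), "RecordType": 8, "Operation": "Add user.",
     "UserId": COMPROMISED_ADMIN, "ClientIP": VPS_IP, "ObjectId": ATTACKER},
    # 2. rogue account receives four admin roles within seconds
    *[_role_grant(10 + i, COMPROMISED_ADMIN, ATTACKER, r) for i, r in enumerate(sorted(PRIVILEGED_ROLES))],
    # 3. rogue account adds itself as site collection admin and evicts the others
    {"CreationTime": _ts(60), "RecordType": 14, "Operation": "SiteCollectionAdminAdded",
     "UserId": ATTACKER, "ClientIP": VPS_IP, "ObjectId": SITE, "TargetUserOrGroupName": ATTACKER},
    *[{"CreationTime": _ts(61 + i), "RecordType": 14, "Operation": "SiteCollectionAdminRemoved",
       "UserId": ATTACKER, "ClientIP": VPS_IP, "ObjectId": SITE,
       "TargetUserOrGroupName": f"siteowner{i}@contoso.onmicrosoft.com"} for i in range(3)],
    # 4. bulk download from the VPS address (sppull-style library pull)
    *[_file_op(120 + i, ATTACKER, "FileDownloaded", f"report-{i:03d}.xlsx", VPS_IP) for i in range(300)],
    # 5. bulk upload of ransom-note text files
    *[_file_op(600 + i, ATTACKER, "FileUploaded", f"README-{i:04d}.txt", VPS_IP) for i in range(500)],
    # benign noise: an ordinary user fetching a few files
    *[_file_op(200 + 30 * i, "alice@contoso.onmicrosoft.com", "FileDownloaded", f"deck-{i}.pptx", "203.0.113.5")
      for i in range(3)],
]


def role_grants(records):
    """Target account -> set of privileged roles granted to it."""
    grants = defaultdict(set)
    for r in records:
        if r["Operation"] != "Add member to role.":
            continue
        role = next((p["NewValue"] for p in r.get("ModifiedProperties", []) if p["Name"] == "Role.DisplayName"), None)
        if role in PRIVILEGED_ROLES:
            for t in r.get("Target", []):
                grants[t["ID"]].add(role)
    return grants


def site_admin_evictions(records):
    """Actors that added themselves as site collection admin and then removed others."""
    added_self, removed = set(), defaultdict(int)
    for r in records:
        if r["Operation"] == "SiteCollectionAdminAdded" and r.get("TargetUserOrGroupName") == r["UserId"]:
            added_self.add(r["UserId"])
        elif r["Operation"] == "SiteCollectionAdminRemoved":
            removed[r["UserId"]] += 1
    return {a: removed[a] for a in added_self if removed[a]}


def peak_rate(records, operation, window=timedelta(minutes=10)):
    """Per actor, the largest number of `operation` events inside any sliding `window`."""
    times = defaultdict(list)
    for r in records:
        if r["Operation"] == operation:
            times[r["UserId"]].append(datetime.strptime(r["CreationTime"], TS_FMT))
    peaks = {}
    for actor, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[actor] = best
    return peaks


def find_takeover_chain(records, download_threshold=100, upload_threshold=100):
    """Accounts created in the log, granted privileged roles, then used for bulk file ops or evictions."""
    created = {r["ObjectId"]: r["UserId"] for r in records if r["Operation"] == "Add user."}
    grants, evictions = role_grants(records), site_admin_evictions(records)
    downloads, uploads = peak_rate(records, "FileDownloaded"), peak_rate(records, "FileUploaded")
    findings = {}
    for acct, creator in created.items():
        roles = grants.get(acct)
        if not roles:
            continue
        dl, ul = downloads.get(acct, 0), uploads.get(acct, 0)
        if dl >= download_threshold or ul >= upload_threshold or acct in evictions:
            findings[acct] = {"created_by": creator, "roles": sorted(roles),
                              "site_admins_removed": evictions.get(acct, 0),
                              "peak_downloads_10m": dl, "peak_uploads_10m": ul}
    return findings


if __name__ == "__main__":
    for acct, detail in find_takeover_chain(SAMPLE_LOG).items():
        print(acct, detail)
```

The thresholds are deliberately crude; in a real tenant the download and upload rates would be tuned against a baseline of normal sync-client activity, and the `Add member to role.` and `SiteCollectionAdminRemoved` events alone, especially from an address the tenant has never seen before, are worth an alert without any rate logic at all.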
Growing Threat Landscape for SaaS Environments
Obsidian has observed a surge in attacks targeting enterprise SaaS environments in the last six months, surpassing the number of attacks in the previous two years combined.
The interest from threat actors is driven by organizations increasingly storing regulated and sensitive information in SaaS applications without implementing adequate controls. The lack of equivalent security measures compared to endpoints makes SaaS environments an attractive target for attackers.
Lack of Controls and Proactive Risk Management
According to AppOmni, there has been a 300% increase in SaaS attacks since March 2023, particularly targeting Salesforce Community Sites and other SaaS applications.
Common weaknesses exploited in these attacks include excessive guest user permissions, incomplete MFA enforcement, overprivileged access to sensitive data, and improper object- and field-level permissions.
A study conducted by Odaseva revealed that 51% of ransomware attacks in the previous year targeted SaaS data. Organizations must prioritize proactive risk management and implement robust controls across their entire SaaS environment to mitigate these threats effectively.
Conclusion
The emergence of automated SaaS ransomware extortion signifies a shift in the tactics employed by threat actors. Organizations must recognize the importance of securing their SaaS environments, implementing adequate controls, and adopting proactive risk management strategies. The incident serves as a wake-up call for enterprises to prioritize the protection of their SaaS applications and data, alongside traditional endpoint security measures.