Researchers Report First Instance of Automated SaaS Ransomware Extortion

vtqhtr413

Level 27
Thread author
Well-known
Aug 17, 2017
1,609
The 0mega ransomware group has successfully pulled off an extortion attack against a company's SharePoint Online environment without needing to use a compromised endpoint, which is how these attacks usually unfold. Instead, the threat group appears to have used a weakly secured administrator account to infiltrate the unnamed company's environment, elevate permissions, and eventually exfiltrate sensitive data from the victim's SharePoint libraries. The data was used to extort the victim to pay a ransom.

The attack merits attention because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms, says Glenn Chisholm, cofounder and CPO at Obsidian, the security firm that discovered the attack. "Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments," Chisholm says. "This attack shows that endpoint security isn't enough, as many companies are now storing and accessing data in SaaS applications."

The attack that Obsidian observed began with an 0mega group actor obtaining a poorly secured service account credential belonging to one of the victim organization's Microsoft Global administrators. Not only was the breached account accessible from the public Internet, it also did not have multi-factor authentication (MFA) enabled — something that most security experts agree is a basic security necessity, especially for privileged accounts.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top