CyberSecurity SEE

Researchers Announce Detection of Initial Automated SaaS Ransomware Extortion Incident

A group of cybercriminals has successfully carried out a ransomware attack without compromising an endpoint, according to Obsidian Security. Most enterprises focus on endpoint security mechanisms to address ransomware threats; however, the 0mega ransomware group managed to infiltrate a company’s SharePoint Online environment by obtaining a weakly secured service account belonging to one of the victim organization’s Microsoft Global administrators. The account could be accessed from the public internet and did not have multi-factor authentication (MFA) enabled. The threat actor then created an Active Directory user account called “0mega” and granted it global admin, SharePoint admin, and Exchange admin permissions, among others. The attacker subsequently used the credential to gain site collection administrator capabilities within the victim’s SharePoint Online environment and remove all other existing administrators.

The incident shows that endpoint security alone often isn’t enough to keep an organization secure, especially where data is accessed and stored in Software-as-a-Service (SaaS) applications. The attack was carried out without compromising an endpoint or using a ransomware executable, showing that organizations need to broaden their security approach beyond endpoints to cover SaaS environments as well. The threat actors extracted hundreds of files from the SharePoint libraries of the victim company and sent them to a Virtual Private Server (VPS) host in Russia. This was done using the publicly available node.js module called “sppull,” which lets developers pull SharePoint resources over HTTP requests.

Once the exfiltration was complete, the attackers used another node.js module called “got” to upload thousands of text files to the company’s SharePoint environment, informing the victim company of the breach. Obsidian Security said it observed more attacks targeting enterprise SaaS environments in the past six months than in the previous two years combined. Attackers are drawn to SaaS environments because organizations are increasingly using them to store confidential and regulated information without implementing adequate security controls for those environments.
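As an added illustration (not code from the original report or from Obsidian Security), the script below runs simple detection heuristics over a constructed, simplified set of audit records that reproduce the chain described above: privileged role grant, removal of other site collection admins, bulk file download, then bulk upload of notice files. The record fields, thresholds and account names are assumptions; operation names follow Microsoft 365 unified audit log conventions.

```python
"""Detection heuristics for the SaaS-only ransomware chain described above:
privileged role grant -> site collection admin lockout -> bulk download -> bulk upload.
Input is a constructed, simplified audit-record list (assumed fields only)."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator", "Exchange Administrator"}

def _t(s):
    return datetime.fromisoformat(s)

def detect_role_grants(events):
    """Flag any grant of a privileged directory role (the new-admin-account step)."""
    return [(e["user"], e["target"], e["role"]) for e in events
            if e["op"] == "Add member to role." and e.get("role") in PRIVILEGED_ROLES]

def detect_admin_lockout(events):
    """Flag an actor who removes *other* site collection admins (locking defenders out)."""
    removed = defaultdict(set)
    for e in events:
        if e["op"] == "SiteCollectionAdminRemoved" and e["target"] != e["user"]:
            removed[e["user"]].add(e["target"])
    return {u: sorted(t) for u, t in removed.items()}

def detect_bulk(events, op, threshold, window=timedelta(minutes=10)):
    """Sliding-window count of `op` per actor; return actors whose peak count >= threshold."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["op"] == op:
            per_user[e["user"]].append(_t(e["time"]))
    hits = {}
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def build_sample():
    """Constructed events (not real telemetry) mirroring the chain in the article."""
    base = datetime(2023, 6, 1, 2, 0)
    ev = [{"time": base.isoformat(), "op": "Add member to role.", "user": "svc-admin@corp.example",
           "target": "0mega@corp.example", "role": "Global Administrator"},
          {"time": (base + timedelta(minutes=2)).isoformat(), "op": "SiteCollectionAdminRemoved",
           "user": "0mega@corp.example", "target": "it-admin@corp.example"}]
    ev += [{"time": (base + timedelta(minutes=3, seconds=i)).isoformat(), "op": "FileDownloaded",
            "user": "0mega@corp.example"} for i in range(300)]   # bulk pull of library contents
    ev += [{"time": (base + timedelta(minutes=20, seconds=i)).isoformat(), "op": "FileUploaded",
            "user": "0mega@corp.example"} for i in range(120)]   # flood of notice files
    return ev

def analyze(events):
    return {"role_grants": detect_role_grants(events), "admin_lockout": detect_admin_lockout(events),
            "bulk_download": detect_bulk(events, "FileDownloaded", 100),
            "bulk_upload": detect_bulk(events, "FileUploaded", 100)}
```

Any one of these signals on its own is noisy in a real tenant; together, within minutes of each other and from an account with no MFA, they describe this incident.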

AppOmni has reported a 300% increase in SaaS attacks since March 2023, with the primary attack vectors being excessive guest user permissions, excessive object and field permissions, lack of MFA, and overprivileged access to sensitive data. A study by Odaseva found that 48% of respondents reported their organization had experienced a ransomware attack in the past year, with SaaS data being the target in over half (51%) of the attacks.

Organizations need to be proactive in managing their SaaS environment and ensure that the necessary controls and risk management tools are in place to minimize the impact of ransomware attacks. This is particularly necessary given that the threat actors are constantly evolving their techniques, as demonstrated by the 0mega ransomware group. It is critical to implement stringent security measures, including strong passwords, multi-factor authentication, and encryption to mitigate the risk of a ransomware attack or data breach.
