Obsidian, a cybersecurity company specializing in threat detection and SaaS management, has released details of a recent SaaS ransomware attack observed by its Threat Research team. The attack targeted a company's SharePoint Online (Microsoft 365) tenant without compromising any endpoints. Obsidian's team and product were brought in post-compromise to reconstruct the attack.
Unlike previous attacks in which SharePoint instances were ransomed by encrypting files on compromised user machines or mapped drives, this attack took a different approach. In this blog post, Obsidian outlines the attack's specifics and provides detection methodologies and indicators of compromise (IOCs) to assist the wider community, with certain details redacted for privacy reasons.
The attack began with the compromise of a Microsoft 365 Global Administrator service account that did not have multi-factor authentication (MFA) enabled and was reachable from the public internet. The compromised account created a new AD user called 0mega and granted it elevated permissions as a Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator. Over 200 admin removal operations were then conducted within a two-hour period, stripping the existing administrators of their roles.
The attackers exfiltrated hundreds of files using a publicly available Node.js module called sppull, and uploaded thousands of PREVENT-LEAKAGE.txt files to SharePoint using the got HTTP client library. The attackers also set up websites, 0mega-connect[.]biz and <redacted>.onion, where impacted companies could negotiate ransom payments to avoid publication of the breached details or files.
The incident serves as a reminder that SaaS threat detection is an important aspect of overall cybersecurity. Obsidian encourages organizations to take proactive risk management measures, such as strengthening SaaS controls and revoking unsanctioned or high-risk integrations. Robust threat response involves consolidating and analyzing SaaS audit logs to detect patterns indicative of breaches, insider threats, or compromised third-party integrations.
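The audit-log pattern described above (a privileged role granted to a newly created account, followed by a burst of role removals by that account) can be turned into simple detection logic. The following is an added example, not code from Obsidian or from the original post; the event records are constructed here, and the field names (time, op, actor, target, role) are a simplification of Microsoft 365 unified audit log entries rather than the real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Roles named in the incident; a grant of any of these is worth an alert.
SENSITIVE_ROLES = {"Global Administrator", "SharePoint Administrator",
                   "Exchange Administrator", "Teams Administrator"}

def build_sample_events():
    """Constructed sample audit records mirroring the reported sequence (not real data)."""
    base = datetime(2023, 7, 1, 1, 0, 0)
    ev = [
        {"time": base, "op": "Add user.", "actor": "svc-global@corp.example",
         "target": "0mega@corp.example", "role": None},
        {"time": base + timedelta(minutes=2), "op": "Add member to role.",
         "actor": "svc-global@corp.example", "target": "0mega@corp.example",
         "role": "Global Administrator"},
    ]
    # 200 role removals by the new account, 30 s apart: well inside a two-hour window
    for i in range(200):
        ev.append({"time": base + timedelta(minutes=5, seconds=30 * i),
                   "op": "Remove member from role.", "actor": "0mega@corp.example",
                   "target": f"admin{i}@corp.example", "role": "SharePoint Administrator"})
    # One routine removal by a legitimate admin a day later: must not alert
    ev.append({"time": base + timedelta(days=1), "op": "Remove member from role.",
               "actor": "it-admin@corp.example", "target": "leaver@corp.example",
               "role": "Exchange Administrator"})
    return ev

def privileged_role_grants(events):
    """Every role assignment that lands a principal in one of the sensitive roles."""
    return [(e["actor"], e["target"], e["role"]) for e in events
            if e["op"] == "Add member to role." and e["role"] in SENSITIVE_ROLES]

def role_removal_bursts(events, window=timedelta(hours=2), threshold=20):
    """Actors whose 'Remove member from role.' count inside any sliding window reaches threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] == "Remove member from role.":
            by_actor[e["actor"]].append(e["time"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[actor] = best
    return alerts
```

Correlating the two signals (the grantee of a sensitive role later appearing as the actor of a removal burst) is the higher-confidence condition; the threshold of 20 is a starting point to tune against a tenant's normal role churn.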