
0mega ransomware gang changes tactics
2023-06-07 14:33

A number of ransomware gangs have stopped using malware to encrypt targets' files and have switched to a data theft/extortion approach to get paid; 0mega - a low-profile and seemingly not very active threat actor - seems to be among them.

Evidence of its activities was first spotted roughly a year ago, when one victim - a UK-based electronics repair and refurbishment company - apparently refused to pay and the gang leaked the company's data on its dedicated leak site.

Obsidian Security's threat research team was called in to help tease out the details of an attack that resulted in data theft from an unnamed company's SharePoint Online assets, and they believe the threat actor behind the attack is 0mega.

The attackers first compromised one of the company's Microsoft Global admin service accounts, which did not have multi-factor authentication enabled, and then used it to create a new Microsoft AD user called 0mega and assigned various permissions to it.

"The compromised service account granted the 0mega account site collection administrator capabilities to multiple SharePoint sites and collections, while also removing existing administrators. Over 200 admin removal operations occurred within a 2-hour period," the team shared.

The researchers say this activity "suggest[s] the known 0mega operators performed this operation," and they have released indicators of compromise to help other organizations stymie potential attacks.
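The two behaviours the researchers describe above (a newly created account being handed site collection admin rights, and over 200 admin removals inside a two-hour window) are both visible in Microsoft 365 audit data. The following Python is an added example, not code from the article or from Obsidian Security, showing how a defender could run those two checks over exported audit records. The record field names (CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName), the account names, the site URLs and all timestamps are constructed for the example; the window and threshold are taken from the "200 removals in 2 hours" figure on the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Record shape is an assumption modelled on Microsoft 365 unified audit log
# entries (CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName).
BASE = datetime(2023, 6, 1, 9, 0, 0)


def _ts(seconds):
    """ISO-8601 timestamp `seconds` after BASE (helper for constructed data)."""
    return (BASE + timedelta(seconds=seconds)).isoformat()


def build_sample_records():
    """Constructed audit records: routine admin churn plus a burst that mirrors
    the pattern on the page (new account, admin grants, 200+ removals in <2h)."""
    records = []
    # Routine: a human admin removes one site admin every three hours.
    for i in range(5):
        records.append({
            "CreationTime": _ts(i * 3 * 3600),
            "UserId": "alice.admin@example.com",
            "Operation": "SiteCollectionAdminRemoved",
            "ObjectId": f"https://example.sharepoint.com/sites/project{i}",
            "TargetUserOrGroupName": f"user{i}@example.com",
        })
    svc = "svc-global-admin@example.com"  # assumed name for the MFA-less service account
    new_user = "0mega@example.com"        # constructed, after the account name on the page
    records.append({
        "CreationTime": _ts(0), "UserId": svc, "Operation": "Add user.",
        "ObjectId": new_user, "TargetUserOrGroupName": new_user,
    })
    for i in range(3):
        records.append({
            "CreationTime": _ts(120 + i * 30), "UserId": svc,
            "Operation": "SiteCollectionAdminAdded",
            "ObjectId": f"https://example.sharepoint.com/sites/finance{i}",
            "TargetUserOrGroupName": new_user,
        })
    # 210 removals spaced 24 s apart: all land inside a single 2-hour window.
    for i in range(210):
        records.append({
            "CreationTime": _ts(300 + i * 24), "UserId": svc,
            "Operation": "SiteCollectionAdminRemoved",
            "ObjectId": f"https://example.sharepoint.com/sites/site{i}",
            "TargetUserOrGroupName": f"admin{i}@example.com",
        })
    return records


def detect_admin_removal_burst(records, window=timedelta(hours=2), threshold=200):
    """Return {actor: peak_count} for actors whose SiteCollectionAdminRemoved
    events reach `threshold` inside any sliding `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r["Operation"] == "SiteCollectionAdminRemoved":
            by_actor[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        live = deque()
        peak = 0
        for t in times:
            live.append(t)
            while t - live[0] > window:  # drop events older than the window
                live.popleft()
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def detect_new_account_admin_grants(records, grace=timedelta(hours=24)):
    """Return {new_user: [sites]} where an account created by 'Add user.' is
    made site collection admin within `grace` of its creation."""
    created = {}
    for r in records:
        if r["Operation"] == "Add user.":
            created[r["ObjectId"]] = datetime.fromisoformat(r["CreationTime"])
    grants = defaultdict(list)
    for r in records:
        if r["Operation"] != "SiteCollectionAdminAdded":
            continue
        target = r["TargetUserOrGroupName"]
        if target in created:
            t = datetime.fromisoformat(r["CreationTime"])
            if timedelta(0) <= t - created[target] <= grace:
                grants[target].append(r["ObjectId"])
    return dict(grants)


if __name__ == "__main__":
    recs = build_sample_records()
    print("removal bursts:", detect_admin_removal_burst(recs))
    print("new accounts granted admin:", detect_new_account_admin_grants(recs))
```

The sliding window keeps only events within two hours of the current one, so a steady trickle of legitimate removals never accumulates, while a burst from one actor trips the threshold; the second check ties a freshly created account to any site collection admin grant it receives shortly afterwards, which is the sequence the researchers observed. Either signal on its own is worth a look; both together from the same service account, as in the constructed data, is the pattern described above.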
