Security News

Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. "An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM," GitHub's Mike Hanley disclosed in a report.

GitHub revealed today that an attacker is using stolen OAuth user tokens to download data from private repositories. "The applications maintained by these integrators were used by GitHub users, including GitHub itself," revealed today Mike Hanley, Chief Security Officer at GitHub.

Threat analysts have observed a new campaign named 'OiVaVoii', targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts. OAuth is a standard for token-based authentication and authorization, removing the need to enter account passwords.

These attacks can lead to the bypassing of phishing detection and email security solutions, and at the same time, gives phishing URLs a false snse of legitimacy to victims. "The attacks use dozens of distinct Microsoft 365 third-party applications with malicious redirect URLs defined for them," explains Proofpoint's report.

Microsoft has warned of an increasing number of consent phishing attacks targeting remote workers during recent months, BleepingComputer has learned. Consent phishing is an application-based attack variant where the attackers attempt to trick targets into providing malicious Office 365 OAuth apps with access to their Office 365 accounts.

Office 365 users are receiving emails purporting to come from cryptocurrency platform Coinbase, which ask them to download updated Terms of Service via an OAuth consent app. Here, attackers are betting that they are targeting Office 365 users who are also Coinbase users, researchers said.

A new phishing campaign uses a Coinbase-themed email to install an Office 365 consent app that gives attackers access to a victim's email. Over the past year, hackers have increasingly used Microsoft Office 365 OAuth apps, otherwise known as consent apps, as part of their attacks.

According to researchers from Proofpoint, targets receive a well-crafted lures asking them to click a link which carries them to the legitimate Microsoft third-party apps consent page. "The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise attacks or account takeoversThe minimal [read-only] permissions requested by these apps also likely help them appear inconspicuous if an organization's O365 administrator audits connected apps for their users' accounts."

Against the backdrop of widespread remote working and the increased use of collaboration apps, attackers are ramping up application-based attacks that exploit OAuth 2.0, Microsoft is warning. An offensive starts when an attacker registers a malicious app with an OAuth 2.0 provider, such as Microsoft's own Azure Active Directory.

The Microsoft applications are vulnerable to an OAuth authentication flaw that could enable Azure account takeover.