- Researchers have noticed how attackers are using OAuth applications as weapons
- Attackers gain access that remains even after changing the password and MFA.
- This isn't just a proof of concept—it's been seen in the wild.
Researchers from Proof discovered a tactic used by attackers to weaponize OAuth applications to gain persistent access in compromised environments, where hackers can retain access even after performing MFA or password resets.
This attack could be devastating: an attacker with access to a cloud account could open the door to a number of other intrusions. That access can then be used to create and authorize internal applications with custom permissions, giving the attacker access to files and messages and a way to bypass security controls.
Cybercriminals have increasingly turned to cloud account takeover (ATO) in recent years because it lets them take over accounts, siphon off information, and use the foothold as a springboard for other attacks. Both the frequency and the severity of these attacks have increased, and the strategies are rapidly evolving.
Permanent access
The researchers developed a proof of concept to show what this attack might look like in the real world, creating a tool that automates the creation of malicious internal applications in a compromised cloud environment.
A real-life example was also uncovered: experts detected a successful login that, according to threat data, was most likely associated with a Man-in-the-Middle social engineering attack.
“About 4 days later, the user's password was changed, after which we observed unsuccessful login attempts from a home IP address in Nigeria, indicating a possible origin of the attacker,” the researchers explain.
“However, the application remained active. This case study provides a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not just theoretical, but active, exploitable risks in the current threat landscape.”
The only way to revoke access in these cases before the secret credentials (which remain valid for two years) expire is to manually remove the application's permissions, so be sure to regularly review application permissions and accounts and to continually monitor registered applications.
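One way to make that review routine is a script that flags app registrations worth a manual look. The following is an added example, not code from the article or the researchers; the record layout, the 180-day secret-lifetime policy, the permission names and the sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy assumptions for this review (not from the article): secrets living longer
# than this are flagged, as are apps granted any of these permissions.
MAX_SECRET_LIFETIME = timedelta(days=180)
HIGH_RISK_PERMISSIONS = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

def review_apps(apps, suspicious_logins, now):
    """Return {app_name: [reasons]} for app registrations that need manual review.

    apps: list of dicts with name, created_by, created, permissions, credentials
    suspicious_logins: {user: datetime of a suspicious sign-in for that user}
    """
    findings = {}
    for app in apps:
        reasons = []
        for cred in app["credentials"]:
            if cred["expires"] <= now:
                continue  # an expired secret can no longer be used for access
            lifetime = cred["expires"] - cred["created"]
            if lifetime > MAX_SECRET_LIFETIME:
                reasons.append(f"secret valid for {lifetime.days} days")
        risky = HIGH_RISK_PERMISSIONS & set(app["permissions"])
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(sorted(risky)))
        # An app registered by a user after a suspicious sign-in matches the case
        # study: the app outlives the later password reset unless it is removed.
        login = suspicious_logins.get(app["created_by"])
        if login is not None and app["created"] >= login:
            reasons.append(f"registered after suspicious sign-in by {app['created_by']}")
        if reasons:
            findings[app["name"]] = reasons
    return findings

# Constructed sample data modelled on the case study in the text (not real tenant data).
T0 = datetime(2023, 10, 1, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"name": "HR Sync", "created_by": "alice", "created": T0 - timedelta(days=400),
     "permissions": ["User.Read"],
     "credentials": [{"created": T0 - timedelta(days=400), "expires": T0 - timedelta(days=35)}]},
    {"name": "Mail Helper", "created_by": "bob", "created": T0 + timedelta(hours=3),
     "permissions": ["Mail.ReadWrite", "Files.ReadWrite.All"],
     "credentials": [{"created": T0 + timedelta(hours=3),
                      "expires": T0 + timedelta(days=730, hours=3)}]},
]
SUSPICIOUS_LOGINS = {"bob": T0}  # e.g. a sign-in from an unexpected location

if __name__ == "__main__":
    for name, reasons in review_apps(SAMPLE_APPS, SUSPICIOUS_LOGINS, T0 + timedelta(days=4)).items():
        print(name, "->", "; ".join(reasons))
```

In a real tenant the records would come from the identity provider's application inventory, and the password reset itself would not clear anything this script flags.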