
Automated SaaS Ransomware Extortion: A New Era of Cyber Threats


The Rise of SaaS Attacks: The Automated Extortion of 0mega Ransomware Group

The Attack

The 0mega ransomware group has recently targeted an unnamed company’s SharePoint Online environment, successfully exfiltrating sensitive data and extorting a ransom without needing to compromise an endpoint. Instead, the threat group used a weakly secured administrator account to infiltrate the company’s environment and elevate permissions. This attack is significant because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms. Organizations are increasingly storing and accessing data in SaaS applications, which is becoming a popular target for ransomware groups.

The Attack Technique

The threat actor began by obtaining a poorly secured service account credential belonging to one of the victim organization’s Microsoft Global administrators. The breached account was reachable from the public Internet and did not have multi-factor authentication (MFA) enabled, a basic security necessity, especially for privileged accounts. The attacker then used the compromised account to create a new Active Directory user, called “0mega,” and grant it Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator permissions. Furthermore, the attacker used the compromised admin credential to grant the 0mega account site collection administrator rights within the organization’s SharePoint Online environment and to remove all other existing administrators, leaving the victim organization in a state of total takeover.

The Exfiltration Technique

The 0mega group then exfiltrated hundreds of files from the victim organization’s SharePoint Online libraries and sent them off to a virtual private server (VPS) host associated with a Web hosting company in Russia. To facilitate the exfiltration, the threat actor used a publicly available Node.js module called “sppull” that allows developers to interact with SharePoint resources using HTTP requests. As its maintainers describe the module, sppull is a “simple client to pull and download files from SharePoint.” Once the exfiltration was complete, the attackers used another Node.js module called “got” to upload thousands of text files to the victim’s SharePoint environment that informed the organization of what had just happened.
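The chain described in the two sections above (a new account created and given privileged roles, the other site collection admins removed, then a burst of file downloads from the new account) is what a defender would want to alert on. The following is an added example, not code from the article or from any vendor mentioned in it: a Python sketch that correlates constructed records shaped like Microsoft 365 unified audit log entries. The Operation and field names follow that log's schema, but the records, tenant names, one-hour window and download threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, op, actor, target, role=None):
    """One constructed record shaped like a Microsoft 365 unified audit log entry (made-up values)."""
    return {"CreationTime": time, "Operation": op, "UserId": actor, "ObjectId": target, "Role": role}

SAMPLE_EVENTS = [
    ev("2023-06-01T01:00:00", "Add user.", "svc-admin@example.com", "0mega@example.com"),
    ev("2023-06-01T01:02:00", "Add member to role.", "svc-admin@example.com",
       "0mega@example.com", "Global Administrator"),
    ev("2023-06-01T01:04:00", "SiteCollectionAdminRemoved", "svc-admin@example.com", "alice@example.com"),
    ev("2023-06-01T01:04:30", "SiteCollectionAdminRemoved", "svc-admin@example.com", "bob@example.com"),
    # 300 downloads by the new account within five minutes, then one ordinary download by another user
    *[ev(f"2023-06-01T01:{10 + i // 60:02d}:{i % 60:02d}", "FileDownloaded", "0mega@example.com",
         f"https://example.sharepoint.com/sites/finance/doc{i}.docx") for i in range(300)],
    ev("2023-06-01T02:30:00", "FileDownloaded", "carol@example.com",
       "https://example.sharepoint.com/sites/hr/report.xlsx"),
]

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}
BULK_DOWNLOAD_THRESHOLD = 100  # files per window from one account; assumed value, tune per tenant

def detect_takeover(events, window=timedelta(hours=1)):
    """Map account -> findings: a new account given a privileged role within `window`,
    site collection admins removed (keyed by the removing actor), and download bursts."""
    ts = lambda e: datetime.fromisoformat(e["CreationTime"])
    created, downloads, findings = {}, defaultdict(list), defaultdict(list)
    for e in sorted(events, key=ts):
        op = e["Operation"]
        if op == "Add user.":
            created[e["ObjectId"]] = ts(e)
        elif op == "Add member to role." and e.get("Role") in PRIVILEGED_ROLES:
            age = ts(e) - created.get(e["ObjectId"], datetime.min)  # huge if creation never seen
            if age <= window:
                findings[e["ObjectId"]].append(f"granted {e['Role']} by {e['UserId']} {age} after creation")
        elif op == "SiteCollectionAdminRemoved":
            findings[e["UserId"]].append(f"removed site collection admin {e['ObjectId']}")
        elif op == "FileDownloaded":
            downloads[e["UserId"]].append(ts(e))
    for account, stamps in downloads.items():  # sliding-window burst count per account
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= BULK_DOWNLOAD_THRESHOLD:
                findings[account].append(f"{end - start + 1} files downloaded within {window}")
                break
    return dict(findings)
```

In a real tenant the same three signals come from the Search-UnifiedAuditLog output or the Microsoft Purview audit export; the threshold should be set from the tenant's normal per-user download rate rather than the constant used here.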

An Unusual Attack Technique

Usually, in attacks targeting SaaS applications, ransomware groups compromise an endpoint and then encrypt or exfiltrate files, leveraging lateral movement as necessary. However, in this case, the attackers used compromised credentials to log into SharePoint Online, granted administrative privileges to a newly created account, and then automated data exfiltration from that new account using scripts. The threat actor executed the entire attack without compromising an endpoint or using a ransomware executable. According to Glenn Chisholm, co-founder and CPO at Obsidian, the security firm that discovered the attack, “to the best of our knowledge, this is the first publicly recorded instance of automated SaaS ransomware extortion occurring.”

The Target

The 0mega ransomware group’s target was an unnamed company, underscoring the confidentiality and sensitivity of the information targeted. Obsidian has observed more attacks targeting enterprise SaaS environments in the last six months than in the previous two years combined. Many organizations are increasingly putting regulated, confidential, and other sensitive information into SaaS applications without implementing the same kind of controls they apply to endpoint technologies. This growing trend is becoming a concern as SaaS attacks increase.

The Trend

AppOmni has reported a 300% uptick in attacks on Salesforce Community Sites and other SaaS applications since March 1, 2023, with the primary attack vectors including excessive guest user permissions, excessive object and field permissions, lack of MFA, and overprivileged access to sensitive data. Odaseva conducted a study last year that found that 48% of respondents said their organization had experienced a ransomware attack over the preceding 12 months, and SaaS data was the target in more than half (51%) of those attacks.

Advice for Organizations

Endpoint Security Is Not Enough

This attack highlights the reality that endpoint security is not enough, especially for companies now storing and accessing data in SaaS applications. Organizations need to understand the importance of securing their cloud environments.

The Need for MFA and Other Security Basics

Organizations must implement multi-factor authentication (MFA) and other basic security controls. The need for MFA must be communicated to companies, and it should be made compulsory, especially for privileged accounts. Organizations should equip themselves with modern, proactive risk management tools to protect their entire SaaS environment.

Internal Policies

Organizations also need to implement internal policies that limit and control access to particularly sensitive information. For instance, limiting the number of admin accounts might be a good start. Automating the provisioning process and maintaining a continuous audit trail of access requests are also needed.

Conclusion

The 0mega ransomware attack highlights the growing trend of SaaS attacks, which are becoming more automated, less dependent on costly application security, and more capable. This attack should be a wake-up call to organizations that they need to focus on securing their SaaS applications. As organizations’ reliance on SaaS continues to grow, SaaS environments will become increasingly tempting targets for cybercriminals.
