A company's SharePoint Online environment has been successfully targeted by the Omega ransomware group to extort money from it. This is instead of using compromised endpoints, the most common method of launching such attacks. The threat group appears to have infiltrated the unnamed company's network using an administrator account with weak security and elevated permissions. It eventually snatched sensitive data from the victim's SharePoint libraries with the help of a weak administrator account. As a result of the theft of data, a ransom was demanded from the victim as a means of extortion. 

Probably the first attack of its kind 

According to Glenn Chisholm, cofounder of the security firm Obsidian, which discovered the attack, most enterprise efforts to counter ransomware focus on endpoint protection mechanisms which is a means of protecting systems from ransomware infections. 

Chisholm explained that the only way companies have mitigated or prevented attacks by malicious ransomware groups is through investments in endpoint security. It is clear from this attack that endpoint security is not sufficient, as many companies now store and access their data via SaaS applications, something that was not the case previously. 

One of the victim organizations whose Microsoft Global administrators were attacked by the Omega group began with a poorly secured credential associated with one of the services accounts belonging to one of the hackers. There was not only a vulnerability in the breached account, but it was also missing multi-factor authentication (MFA) – something that most security experts agree is an essential security measure, particularly for accounts with privileged access to information. 

Threat actors targeted an Active Directory account compromised by the threat actor and created – somewhat brazenly – a new user named "0mega" with all the permissions that were necessary for the new account to wreak havoc in the environment by performing all kinds of malicious activities. As part of these permissions, administrators were granted access to be Global Admins, SharePoint Admins, Exchange Admins, or Teams Administrators. As an additional measure, the threat actor used compromised admin credentials within the organization's SharePoint Online environment. This was done to grant the Omega account the ability to manage site collections. In addition, the threat actor removed any other administrators within the environment. 

The SharePoint term 'site collection' describes a set of websites within a single Web application that is administrated by the same person and that have similar settings and share a common owner. Organizations with large data sets or those with a large number of different business functions have a higher incidence of site collections, while those with large data sets tend to have fewer site collections. 

The attackers behind this attack used some 200 administrator accounts within two hours to remove the compromised admin credentials used in the attack that Obsidian analyzed. A threat actor who possessed the self-assigned privileges in the organization's SharePoint Online libraries then proceeded to take hundreds of files from the libraries and sent them off to a virtual private server (VPS) hosts that are associated with a Russian domain hosting provider. To facilitate the exfiltration of the data, the threat actor implemented a Node.js module called "pull" which can perform HTTP requests on SharePoint resources, to facilitate the exfiltration of the data. The attackers then used another node.js module called "got" to upload thousands of text files to the victim's SharePoint environment as a result of data exfiltration. These text files provided an overview of the situation to the organization, basically telling them what had just occurred. 

It is most common for ransomware groups to attack SaaS applications by compromising an endpoint, encrypting or exfiltrating files, and then leveraging lateral movement as required to further spread their infection, Chisholm explains. A compromised credential was used by the attackers to log into SharePoint Online with administrative privileges, which they granted to a newly created account. The attackers then executed an automated data exfiltration attack on a rented host provided by VDSinra.ru using scripts. In the end, the threat actor did not compromise an endpoint or use any ransomware executables to perform the attack. 

Chislom said that this is the first time an automated SaaS ransomware extortion has been publicly recorded. They believe that it is also the first known instance. 

According to Chisholm, Obsidian has observed more attacks targeting enterprise SaaS environments than in the previous two years combined in the last six months, and the trend is expected to continue. There is an increasing number of attacks linked to the fact that organizations are increasingly putting sensitive, confidential, and regulated information into SaaS applications without assessing how well they protect it, he says. He contends that organizations are not doing the same with endpoint technology as they do with SaaS applications. 

An organization should ensure its SaaS environment has the right proactive risk management tools in place to avoid incidents within the SaaS environment.  Similar trends have been reported by others who have observed the same thing. 

The AppOmni security firm reports that SaaS attacks on Salesforce Community Sites and other SaaS applications have increased by 300% since March 1, 2023, and they have been observed to be on the rise since then. Among the most common attack vectors identified in the past are excessive permissions granted to guests, excessive permissions granted to objects and fields, and privileged access to sensitive data. 

According to an Odaseva report published last year, 48% of respondents said that over the past year, their organization had been hit by a ransomware attack. SaaS data has been the target of more than half of those attacks (51%).