
Novel Ransomware Attack: A Call for Elevated SaaS Security Measures

June 15, 2023


The bullets below summarize the post.

  1. A ransomware group named 0mega carried out a successful extortion attack against a company's SharePoint Online environment without needing to compromise an endpoint.
  2. The attackers entered the victim's Microsoft 365 tenant through a weakly secured administrator credential, granted themselves further privileges, and exfiltrated sensitive data from the SharePoint libraries.
  3. The compromised account could be signed into from the public Internet and had no multi-factor authentication (MFA). The threat actor created a new Azure AD user and granted it a full set of administrative roles.
  4. With those roles, the attacker downloaded hundreds of files from the SharePoint Online libraries to a virtual private server hosted in Russia.
  5. The operation involved no endpoint compromise and no ransomware executable, which may make it the first SaaS ransomware extortion of its kind.
  6. The past six months have seen a significant increase in attacks on enterprise SaaS environments, largely because sensitive data is being stored in SaaS applications without adequate controls.
  7. The rising trend in SaaS attacks calls for organizations to put robust risk management tools in place across their entire SaaS environment.

In a notable departure from the norm, a ransomware group named 0mega carried out a successful extortion attack against a company's SharePoint Online environment without compromising a single endpoint. By skipping the traditional endpoint-first route, the operation shows that defenses built around the endpoint no longer cover where much of an organization's data actually lives.

According to security firm Obsidian, 0mega got in through a weakly secured administrator account rather than a compromised endpoint, elevated its permissions, and pulled sensitive data out of the SharePoint libraries. It then used that data to extort the unnamed company into paying a ransom.

A Disturbingly Unique Cybersecurity Breach

The attack is of particular concern because it highlights a chink in the armor of endpoint-focused cybersecurity strategies. Glenn Chisholm, co-founder and CPO at Obsidian, emphasizes that "this attack shows that endpoint security isn't enough, as many companies are now storing and accessing data in SaaS applications."

A closer look at the breach shows that an actor from the 0mega group exploited a weakly secured service account credential that carried Microsoft 365 Global Administrator privileges. The account could be signed into from the public Internet and had no multi-factor authentication (MFA), a baseline requirement for any privileged account.

The threat actor then created an Azure AD (now Microsoft Entra ID) user named "0mega" and granted it every role the rest of the operation needed: Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator. To tighten its grip, the attacker also made the 0mega account a site collection administrator in SharePoint Online and removed all other existing administrators.

200 Admin Accounts Removed in 2 Hours

Using the compromised admin credential, the actor removed roughly 200 administrator accounts in about two hours. Equipped with its self-assigned privileges, the actor then downloaded hundreds of files from the SharePoint Online libraries and transferred them to a virtual private server (VPS) hosted in Russia.

The exfiltration relied on a public Node.js module called "sppull," a simple client for downloading files from SharePoint, rather than any custom malware. Once the data was out, the attackers uploaded thousands of text files into the tenant informing the victim of what had happened. Because the tooling was an ordinary npm client driven with valid credentials, the activity looks like legitimate API use from the outside; the traces that remain are in the tenant's own audit logs (the new account, the role assignments, the site collection admin changes, and the bulk downloads and uploads).
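The chain described above (a freshly created privileged user, a burst of site collection admin removals, bulk downloads from one rented host, and mass upload of an identical note file) leaves a distinct footprint in the Microsoft 365 Unified Audit Log. The Python script below is an added example, not code from the original post or from Obsidian, that hunts for each stage over constructed audit records. Assumptions: the record shape is a flattened approximation of Unified Audit Log fields (CreationTime, Operation, UserId, ClientIP, Target, Role, SourceFileName) that you would produce from a Search-UnifiedAuditLog or Purview export; the tenant contoso.example, the account names, the IP 203.0.113.10 and the file name NOTE.txt are made up; the thresholds are illustrative starting points.

```python
"""Hunt the 0mega-style SaaS attack chain in flattened Microsoft 365 Unified
Audit Log records: privileged role granted to a brand-new user, a burst of
SiteCollectionAdminRemoved, bulk FileDownloaded from one user/IP, mass upload
of one .txt name. Records use a constructed, flattened shape (see sample_records)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Directory roles the actor granted itself, as described in the write-up.
PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def burst_counts(events, window, threshold):
    """events: (datetime, key) pairs -> {key: n} where n events fall inside one sliding window."""
    by_key = defaultdict(list)
    for when, key in events:
        by_key[key].append(when)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, when in enumerate(times):
            while when - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

def new_user_privileged_grants(records, max_age=timedelta(hours=24)):
    """Privileged role granted to an account created less than max_age earlier."""
    created = {r["Target"]: parse_time(r["CreationTime"])
               for r in records if r["Operation"] == "Add user."}
    findings = []
    for r in records:
        if r["Operation"] != "Add member to role." or r.get("Role") not in PRIVILEGED_ROLES:
            continue
        born = created.get(r["Target"])
        if born is not None and parse_time(r["CreationTime"]) - born <= max_age:
            findings.append((r["UserId"], r["Target"], r["Role"]))
    return findings

def admin_removal_bursts(records, window=timedelta(hours=2), threshold=20):
    """One actor stripping many site collection administrators in a short window."""
    events = [(parse_time(r["CreationTime"]), r["UserId"])
              for r in records if r["Operation"] == "SiteCollectionAdminRemoved"]
    return burst_counts(events, window, threshold)

def download_bursts(records, window=timedelta(minutes=30), threshold=50):
    """Bulk FileDownloaded from a single (user, client IP) pair, what a scripted sppull run looks like."""
    events = [(parse_time(r["CreationTime"]), (r["UserId"], r["ClientIP"]))
              for r in records if r["Operation"] == "FileDownloaded"]
    return burst_counts(events, window, threshold)

def note_uploads(records, threshold=100):
    """The same .txt file name uploaded by one actor many times (the note drop)."""
    counts = defaultdict(int)
    for r in records:
        if r["Operation"] == "FileUploaded" and r["SourceFileName"].lower().endswith(".txt"):
            counts[(r["UserId"], r["SourceFileName"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def sample_records():
    """Constructed telemetry, not real data: the contoso.example tenant, the
    attacker IP 203.0.113.10 and the NOTE.txt name are made up for this example."""
    t0 = datetime(2023, 6, 1, 2, 0, 0)
    svc, new, ip = "svc-backup@contoso.example", "0mega@contoso.example", "203.0.113.10"
    legit, lan = "alice@contoso.example", "198.51.100.7"

    def rec(minutes, op, user, client_ip, **extra):
        when = (t0 + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%S")
        return {"CreationTime": when, "Operation": op, "UserId": user, "ClientIP": client_ip, **extra}

    recs = [rec(0, "Add user.", svc, ip, Target=new)]
    recs += [rec(1 + i, "Add member to role.", svc, ip, Target=new, Role=role)
             for i, role in enumerate(sorted(PRIVILEGED_ROLES))]
    # Benign: a long-standing admin is granted a role; there is no recent "Add user." for him.
    recs.append(rec(5, "Add member to role.", legit, lan, Target="bob@contoso.example", Role="Global Administrator"))
    recs += [rec(10 + i // 2, "SiteCollectionAdminRemoved", new, ip) for i in range(200)]   # 200 in 100 min
    recs += [rec(-1440 * d, "SiteCollectionAdminRemoved", legit, lan) for d in (1, 2, 3)]  # routine housekeeping
    recs += [rec(120 + i // 10, "FileDownloaded", new, ip) for i in range(300)]             # 300 files in 30 min
    recs += [rec(130 + i, "FileDownloaded", legit, lan) for i in range(5)]                  # ordinary user activity
    recs += [rec(160 + i // 50, "FileUploaded", new, ip, SourceFileName="NOTE.txt") for i in range(500)]
    recs.append(rec(170, "FileUploaded", legit, lan, SourceFileName="report.txt"))
    return recs

if __name__ == "__main__":
    recs = sample_records()
    for fn in (new_user_privileged_grants, admin_removal_bursts, download_bursts, note_uploads):
        print(fn.__name__, fn(recs))
```

Running the script directly prints the findings for the constructed data. The first two checks (a privileged role handed to a day-old account, and one actor removing a burst of site collection admins) fire before any file leaves the tenant and are rare in legitimate operations, so they deserve the lowest thresholds; tune the download and upload thresholds against your own baseline, since large migrations and sync clients will otherwise produce noise.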

SaaS Ransomware Extortion: A New Threat?

In general, ransomware groups target SaaS applications by compromising an endpoint, then encrypting or exfiltrating files. However, in this instance, "the attackers used compromised credentials to log into SharePoint Online, granted administrative privileges to a newly created account, and then automated data exfiltration from that new account using scripts on a rented host," explains Chisholm.

Interestingly, the entire operation was conducted without compromising an endpoint or using a ransomware executable, marking it as a potential first-of-its-kind SaaS ransomware extortion.

The Rising Threat to SaaS Environments

The last six months have seen a significant rise in attacks targeting enterprise SaaS environments. Chisholm attributes this to organizations increasingly storing regulated and sensitive data in SaaS applications without implementing robust controls like those on endpoint technologies. "This is just the latest threat technique we're seeing from bad actors. Organizations need to be prepared and ensure they have the right proactive risk management tools in place across their entire SaaS environment."

In fact, AppOmni has reported a 300% increase in SaaS attacks since March 1, 2023, primarily due to excessive user permissions, lack of MFA, and overprivileged access to sensitive data. In addition, a study conducted by Odaseva revealed that 48% of respondents had experienced a ransomware attack in the previous 12 months, with SaaS data being the primary target in over half of the attacks.

This event is a wake-up call for organizations to strengthen their SaaS security measures, as threat actors continue to innovate in their pursuit of data and disruption.
