Researchers Report First Instance of Automated SaaS Ransomware Extortion

The 0mega ransomware group has successfully pulled off an extortion attack against a company's SharePoint Online environment without needing to use a compromised endpoint, which is how these attacks usually unfold. Instead, the threat group appears to have used a weakly secured administrator account to infiltrate the unnamed company's environment, elevate permissions, and eventually exfiltrate sensitive data from the victim's SharePoint libraries. The data was used to extort the victim to pay a ransom.

Likely First of its Kind Attack

The attack merits attention because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms, says Glenn Chisholm, cofounder and CPO at Obsidian, the security firm that discovered the attack.

"Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments," Chisholm says. "This attack shows that endpoint security isn't enough, as many companies are now storing and accessing data in SaaS applications."

The attack that Obsidian observed began with an 0mega group actor obtaining a poorly secured service account credential belonging to one of the victim organization's Microsoft Global administrators. Not only was the breached account accessible from the public Internet, it also did not have multi-factor authentication (MFA) enabled — something that most security experts agree is a basic security necessity, especially for privileged accounts.

The threat actor used the compromised account to create an Active Directory user — somewhat brazenly — called "0mega" and then proceeded to grant the new account all the permissions needed to create havoc in the environment. These included permissions to be a Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator. For additional good measure, the threat actor used the compromised admin credential to grant the 0mega account with so-called site collection administrator capabilities within the organization's SharePoint Online environment and to remove all other existing administrators.

In SharePoint-speak, a site collection is a group of websites within a Web application that share administrative settings and have the same owner. Site collections tend to be more common in large organizations with multiple business functions and departments, or among organizations with very large data sets.

In the attack that Obsidian analyzed, 0mega threat actors used the compromised admin credential to remove some 200 administrator accounts within a two-hour period.

Armed with the self-assigned privileges, the threat actor then helped themselves to hundreds of files from the organization's SharePoint Online libraries and sent them off to a virtual private server (VPS) host associated with a Web hosting company in Russia. To facilitate the exfiltration, the threat actor used a publicly available Node.js module called "sppull" that, among other things, allows developers to interact with SharePoint resources using HTTP requests. As its maintainers describe the module, sppull is a "simple client to pull and download files from SharePoint."

Once the exfiltration was complete, the attackers used another node.js module called "got" to upload thousands of text files to the victim's SharePoint environment that basically informed the organization of what had just happened.

No Endpoint Compromise

Usually, in attacks targeting SaaS applications, ransomware groups compromise an endpoint and then encrypt or exfiltrate files, leveraging lateral movement as necessary, Chisholm says. "In this case, the attackers used compromised credentials to log into SharePoint Online granted administrative privileges to a newly created account, and then automated data exfiltration from that new account using scripts on a rented host provided by VDSinra.ru." The threat actor executed the whole attack without compromising an endpoint or using a ransomware executable. "To the best of our knowledge, this is the first publicly recorded instance of automated SaaS ransomware extortion occurring," he says.

Chisholm says Obsidian has observed more attacks targeting enterprise SaaS environments in the last six months than in the previous two years combined. Much of the growing attacker interest stems from the fact that organizations are increasingly putting regulated, confidential, and other sensitive information into SaaS applications without implementing the same kind of controls as they are on endpoint technologies, he says. "This is just the latest threat technique we're seeing from bad actors," he says. "Organizations need to be prepared and ensure they have the right proactive risk management tools in place across their entire SaaS environment."

Others have reported observing a similar trend. According to AppOmni there has been a 300% uptick in SaaS attacks just since March 1, 2023 on Salesforce Community Sites and other SaaS applications. The primary attack vectors have included excessive guest user permissions, excessive object and field permissions, lack of MFA, and overprivileged access to sensitive data. A study that Odaseva conducted last year had 48% of respondents saying their organization had experienced a ransomware attack over the preceding 12 months and SaaS data was the target in more than half (51%) of the attacks.