First Ever SaaS Ransomware Attack Leveraged SharePoint Online

The cybersecurity firm Obsidian has recently documented a successful ransomware attack targeting SharePoint Online (Microsoft 365).

Rather than taking the standard route through a compromised endpoint, the attackers stealthily exploited a Microsoft Global SaaS admin account.

After the compromise, the victim asked Obsidian’s product and research team to investigate the attack in depth and remediate its effects.

The identity of the victim remains undisclosed by Obsidian, but their investigation strongly suggests the involvement of the notorious 0mega group in the attack.

SaaS Ransomware Attack

Just after the successful infiltration, the attacker created a new Active Directory (AD) user (Omega) to gain elevated privileges over multiple SharePoint sites.

The account held the following abilities and privileges:

  • Global Administrator
  • SharePoint Administrator
  • Exchange Administrator
  • Teams Administrator
  • Site collection administrator capabilities

Within just two hours, the attacker systematically removed more than 220 administrators.

In addition, just after exfiltrating hundreds of files, the threat actor uploaded thousands of “PREVENT-LEAKAGE.txt” files.

These files served two purposes:

  • First, to notify the victim about the theft.
  • Second, to establish a communication channel with the attacker for potential negotiations regarding payment to prevent the disclosure of sensitive information.

By dedicating time to building automation specifically for this attack, the attacker signals a strong interest in using this capability in future scenarios.

There is a growing trend favoring the exclusive use of data theft instead of combining theft with encryption.

This approach bypasses the potential traps of failed decryption attempts, thereby safeguarding the threat actors’ reputations while simplifying the overall administration process.

In July 2022, 0mega emerged into the public eye following a report highlighting its use of double extortion.

If 0mega is indeed the responsible party, as claimed by Obsidian, its data leak site could disclose the victim’s identity if the victim opts not to meet the ransom demands.

Detection Opportunities

The key detection opportunities are:

  • Alert on service accounts
  • Alert on new AD users
  • Alert on new AD groups
  • Alert on SharePoint Files
  • Alert on User-Agent
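As an added illustration (not code from Obsidian or from this article), the sketch below runs three of these detections over constructed audit events shaped like the incident: a newly created user granted an admin role, a burst of administrator removals, and the same file name uploaded many times. The flat record fields (`time`, `op`, `actor`, `target`, `file`), the account names, and the thresholds are assumptions, and the operation strings are assumed to follow Microsoft 365 audit log naming.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)      # the article reports the admin purge took two hours
ADMIN_REMOVAL_THRESHOLD = 20     # assumed tuning value, not from the article
SAME_NAME_UPLOAD_THRESHOLD = 50  # assumed tuning value, not from the article

def _burst(times, now, threshold):
    """Sliding window: record `now`, drop entries older than WINDOW, test the count."""
    times.append(now)
    while now - times[0] > WINDOW:
        times.popleft()
    return len(times) >= threshold

def detect(events):
    """Return a sorted list of (rule, account) alerts for simplified audit events."""
    alerts = set()
    new_users = {}                 # new account -> creation time
    removals = defaultdict(deque)  # actor -> times of admin removals
    uploads = defaultdict(deque)   # (actor, file name) -> upload times
    for ev in sorted(events, key=lambda e: e["time"]):
        t, op, actor = ev["time"], ev["op"], ev["actor"]
        if op == "Add user.":
            new_users[ev["target"]] = t
        elif op in ("Add member to role.", "SiteCollectionAdminAdded"):
            created = new_users.get(ev["target"])
            if created is not None and t - created <= WINDOW:
                alerts.add(("new-user-granted-admin", ev["target"]))
        elif op == "SiteCollectionAdminRemoved":
            if _burst(removals[actor], t, ADMIN_REMOVAL_THRESHOLD):
                alerts.add(("mass-admin-removal", actor))
        elif op == "FileUploaded":
            if _burst(uploads[(actor, ev["file"].lower())], t, SAME_NAME_UPLOAD_THRESHOLD):
                alerts.add(("same-file-mass-upload", actor))
    return sorted(alerts)

def sample_events():
    """Constructed sample data (not real logs), including benign activity."""
    t0 = datetime(2023, 1, 1, 9, 0)
    ev = [{"time": t0, "op": "Add user.", "actor": "svc-account", "target": "new-admin"},
          {"time": t0 + timedelta(minutes=5), "op": "Add member to role.",
           "actor": "svc-account", "target": "new-admin"}]
    ev += [{"time": t0 + timedelta(minutes=10, seconds=30 * i), "op": "SiteCollectionAdminRemoved",
            "actor": "new-admin", "target": f"admin{i}"} for i in range(220)]
    ev += [{"time": t0 + timedelta(hours=3, seconds=i), "op": "FileUploaded",
            "actor": "new-admin", "file": "PREVENT-LEAKAGE.txt"} for i in range(1000)]
    ev.append({"time": t0, "op": "Add member to role.", "actor": "it-admin", "target": "alice"})  # benign
    ev += [{"time": t0 + timedelta(minutes=i), "op": "FileUploaded",
            "actor": "bob", "file": f"report{i}.docx"} for i in range(60)]  # benign: distinct names
    return ev
```

Calling `detect(sample_events())` raises all three alerts for the constructed `new-admin` account and none for the benign users.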

SaaS solutions receive substantial investments from companies, ranging from hundreds of thousands to millions of dollars.

Companies entrust these platforms with regulated, confidential, and other sensitive information crucial to their business operations.

To manage the risks robustly, it is strongly recommended to enhance SaaS controls, reduce excessive privileges, and revoke integrations that are unauthorized or involve high risk.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.