Automated SaaS Ransomware

Chris Swagler | June 19th, 2023


The 0mega ransomware group has carried out an automated SaaS ransomware extortion attack against a company’s SharePoint Online environment without using a compromised endpoint, which is how such incidents usually unfold. Instead, the threat group appears to have infiltrated the unnamed company’s environment, elevated its permissions, and exfiltrated sensitive data from the victim’s SharePoint libraries using a weakly secured administrator account. The stolen data was then used to extort the victim into paying a ransom.

Automated SaaS Ransomware Extortion Tactic

A cybersecurity company discovered the automated SaaS ransomware extortion attack, which merits attention because most companies attempt to address the ransomware threat by relying on endpoint protection. Companies have been using endpoint security investments to prevent or mitigate ransomware group attacks. This attack demonstrates that endpoint security alone is insufficient, as many companies now store and access data in SaaS applications. The attack began when an 0mega threat actor obtained a poorly secured service account credential belonging to one of the victim company’s Microsoft Global Administrators. The breached account was reachable from the public Internet and lacked multi-factor authentication (MFA), which most security experts consider a minimum requirement, particularly for privileged accounts.

The threat actor used the compromised account to create an Active Directory user named “0mega” and granted the new account all the permissions required to wreak havoc in the environment. Those permissions can include the Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator roles. Additionally, the threat actor used the compromised admin credential to grant the 0mega account site collection administrator rights within the company’s SharePoint Online environment and to remove all other existing administrators. A site collection is a group of websites within a web application that share administrative settings and are owned by the same person. Site collections are more typical in large companies with many business activities and departments, or in companies with very large data sets. In the attack one cybersecurity company analyzed, 0mega threat actors used the compromised admin credential to deactivate 200 administrator accounts in less than two hours. When the exfiltration was finished, the threat operators switched to another Node.js module, called “got,” which uploaded thousands of text files to the victim’s SharePoint environment, informing the company of what had just occurred.

Typically, ransomware groups compromise endpoints and encrypt or exfiltrate files, using lateral movement as needed. Here, the threat operators used compromised credentials to log into SharePoint Online, granted administrative privileges to a newly created account, and automated data exfiltration from that account using scripts on a rented host provided by VDSinra.ru. The threat actor carried out the attack without compromising endpoints or deploying a ransomware executable. This is the first publicly recorded instance of automated SaaS ransomware extortion. More attacks have targeted companies’ SaaS environments in the last six months than in the previous two years combined. Threat operators’ growing interest stems from companies increasingly placing regulated, confidential, and other sensitive data into SaaS applications without applying the same controls they apply to endpoints.
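The two paragraphs above describe a chain that leaves a distinctive trail in the tenant’s audit log: a freshly created account receiving privileged directory roles, a burst of site collection administrator removals by one actor, and a flood of text-file uploads from the new account. The script below is an added example, not SpearTip’s or any vendor’s detection logic, and runs detection rules over a constructed JSON-lines log in a simplified Unified Audit Log shape (the field names `CreationTime`, `Operation`, `UserId`, `ObjectId` and `Role`, the operation names, and the thresholds are assumptions for this example):

```python
"""Detection rules over constructed Microsoft 365 audit-log-style records.

Assumptions (example only): records are JSON lines with CreationTime,
Operation, UserId (actor), ObjectId (target) and, for role changes, Role.
Thresholds are illustrative and should be tuned per tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}


def build_sample_log():
    """Constructed sample log (not real telemetry) mirroring the described chain."""
    base = datetime(2023, 6, 1, 1, 0)

    def rec(minutes, op, actor, obj, **extra):
        return {"CreationTime": (base + timedelta(minutes=minutes)).isoformat(),
                "Operation": op, "UserId": actor, "ObjectId": obj, **extra}

    rows = [
        rec(0, "Add user.", "svc-admin@example.test", "0mega@example.test"),
        rec(2, "Add member to role.", "svc-admin@example.test", "0mega@example.test",
            Role="Global Administrator"),
        rec(3, "Add member to role.", "svc-admin@example.test", "0mega@example.test",
            Role="SharePoint Administrator"),
        rec(10, "SiteCollectionAdminAdded", "svc-admin@example.test", "0mega@example.test"),
        # Benign control: a long-standing account (no "Add user." in the log) gains a role.
        rec(15, "Add member to role.", "hr-admin@example.test", "dave@example.test",
            Role="Exchange Administrator"),
    ]
    # Purge of the other site collection admins, seconds apart.
    for i in range(5):
        rows.append(rec(11 + i * 0.25, "SiteCollectionAdminRemoved",
                        "svc-admin@example.test", f"admin{i}@example.test"))
    # One ransom-note text file dropped into every library by the new account.
    for i in range(60):
        rows.append(rec(120 + i * 0.5, "FileUploaded", "0mega@example.test",
                        f"https://example.test/sites/lib{i}/NOTE.txt"))
    return "\n".join(json.dumps(r) for r in rows)


def parse_log(text):
    """Parse JSON lines, attach a datetime, and return records in time order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["_ts"] = datetime.fromisoformat(r["CreationTime"])
            records.append(r)
    return sorted(records, key=lambda r: r["_ts"])


def max_in_window(times, window):
    """Largest number of events by one subject that fall inside any `window`."""
    times = sorted(times)
    best, i = 0, 0
    for j, t in enumerate(times):
        while t - times[i] > window:
            i += 1
        best = max(best, j - i + 1)
    return best


def detect_new_account_elevation(records, window=timedelta(hours=24)):
    """Accounts granted a privileged role within `window` of their creation."""
    created = {r["ObjectId"]: r["_ts"] for r in records if r["Operation"] == "Add user."}
    hits = []
    for r in records:
        if r["Operation"] == "Add member to role." and r.get("Role") in PRIVILEGED_ROLES:
            t0 = created.get(r["ObjectId"])
            if t0 is not None and timedelta(0) <= r["_ts"] - t0 <= window:
                hits.append((r["ObjectId"], r["Role"], r["UserId"]))
    return hits


def detect_admin_purge(records, min_removed=3, window=timedelta(hours=2)):
    """Actors removing at least `min_removed` administrators inside `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r["Operation"] in ("SiteCollectionAdminRemoved", "Remove member from role."):
            by_actor[r["UserId"]].append(r["_ts"])
    return [(actor, n) for actor, ts in by_actor.items()
            if (n := max_in_window(ts, window)) >= min_removed]


def detect_note_flood(records, min_files=50, window=timedelta(hours=1), suffix=".txt"):
    """Users uploading at least `min_files` text files inside `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileUploaded" and r["ObjectId"].lower().endswith(suffix):
            by_user[r["UserId"]].append(r["_ts"])
    return [(user, n) for user, ts in by_user.items()
            if (n := max_in_window(ts, window)) >= min_files]


def analyze(log_text):
    """Run all three rules and return their findings keyed by rule name."""
    records = parse_log(log_text)
    return {"new_account_elevation": detect_new_account_elevation(records),
            "admin_purge": detect_admin_purge(records),
            "note_flood": detect_note_flood(records)}


if __name__ == "__main__":
    for rule, findings in analyze(build_sample_log()).items():
        print(rule, findings)
```

Each rule keys on a different stage of the chain, so a single true positive on the first rule (a day-old account holding Global Administrator) is already worth an alert, while the purge and upload rules confirm that the privilege was used. The benign Exchange Administrator grant to an existing account is deliberately included and is not flagged, because it has no matching account-creation event in the window.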

Threat actors continue to introduce new techniques, and companies must be prepared with the right proactive risk management tools across their entire SaaS environment. There has been a 300% increase in SaaS attacks since March 1, 2023, on Salesforce Community Sites and other SaaS applications. The primary attack vectors have been excessive guest user rights, object and field permissions, lack of MFA, and overprivileged access to sensitive data. Forty-eight percent of respondents said their companies had experienced a ransomware attack in the previous 12 months, with SaaS data being the target in more than half (51%) of those attacks.

With the recent emergence of automated SaaS ransomware extortion, it is now more critical than ever for companies to remain vigilant about the current threat landscape and implement an extra layer of security, including multi-factor authentication. SpearTip’s engineers have the expertise to integrate MFA quickly and seamlessly into your current systems, enabling you to enhance your security posture immediately. SpearTip offers flat-rate implementation services based on the number of users you have; typically, the number of users equals the number of employees. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop an implementation plan tailored to your environment and needs. During the implementation, we can serve as an additional resource for your current help desk or IT MSP to address user questions about the MFA solution. SpearTip can help train your users on the new MFA solution for a seamless rollout and ensure your IT team knows how to administer the new systems and configurations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Frequently Asked Questions

What specific steps can individuals and organizations take to prevent falling victim to automated SaaS ransomware attacks?

To prevent falling victim to automated SaaS ransomware attacks, individuals and organizations can implement several security measures. These include regularly backing up data and storing backups offline, keeping all software and systems up to date with the latest security patches, enforcing multi-factor authentication for all accounts, educating employees about the risks of phishing and social engineering, and using robust antivirus and anti-malware software.

Are there any legal or law enforcement measures being taken to address this growing threat?

Authorities are actively working to address this growing threat. Law enforcement agencies may collaborate with cybersecurity organizations and international partners to investigate and apprehend those responsible for these attacks. Additionally, governments may introduce or strengthen legislation to combat ransomware attacks and hold perpetrators accountable.

What are the potential long-term consequences for businesses and individuals if these types of attacks continue to increase in frequency and sophistication?

The potential long-term consequences for businesses and individuals if automated SaaS ransomware attacks continue to increase in frequency and sophistication are significant. Businesses could suffer financial losses due to ransom payments, reputational damage, and potential legal consequences. Individuals might face personal data breaches, financial extortion, and loss of sensitive information. Moreover, the overall trust in digital systems and cloud-based services could be eroded, leading to reduced adoption and hindered technological advancements.
