Microsoft Warns: Hackers Abuse OAuth for Cryptocurrency Mining and Phishing

admin, 2023-12-14 14:32:11


Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.



"Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis.



"The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account."



OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords.



In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuth applications.



One such adversary is Storm-1283, which has leveraged a compromised user account to create an OAuth application and deploy VMs for cryptomining. Furthermore, the attackers modified existing OAuth applications that the account had access to by adding an extra set of credentials to facilitate the same goals.



In another instance, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing attacks that employ an adversary-in-the-middle (AiTM) phishing kit to plunder session cookies from their targets and bypass authentication measures.



"In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice'," Microsoft said.



Other scenarios detected by the tech giant following the theft of session cookies involve the creation of OAuth applications to distribute phishing emails and conduct large-scale spamming activity. Microsoft is tracking the latter as Storm-1286.



To mitigate the risks associated with such attacks, it's recommended that organizations enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit apps and consented permissions.

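The audit step above is the one defenders can automate. The following script is an added example, not Microsoft's tooling or code from the original post. It assumes three JSON exports shaped like the Microsoft Graph `applications`, `servicePrincipals` and `oauth2PermissionGrants` collections (field names such as `passwordCredentials`, `keyCredentials`, `startDateTime`, `keyId`, `clientId`, `consentType` and `scope` follow those resources; the records, GUIDs and names are constructed), and it flags the two patterns the article describes: a credential added recently to an app that already had one, and tenant-wide consent to mail-sending scopes. The set of scopes treated as high risk is this example's own choice.

```python
"""Audit exported OAuth app data for the abuse patterns described in the article.

Added example, not Microsoft's code. Input shapes follow the Graph `application`,
`servicePrincipal` and `oAuth2PermissionGrant` resources; all sample data below is
constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Reference time for the audit: the article's publication date (constructed choice).
NOW = datetime(2023, 12, 14, tzinfo=timezone.utc)

# Delegated scopes this example treats as high risk because they let an app send or
# rewrite mail on users' behalf (the phishing/spam scenario). Example's own list.
HIGH_RISK_SCOPES = {"Mail.Send", "Mail.ReadWrite", "SMTP.Send"}

# Constructed sample: app registrations. "Expense Sync" shows the article's pattern of
# an extra credential being added to an existing app; "Mailer Helper" is a new app.
APPLICATIONS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Expense Sync",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "original", "startDateTime": "2022-03-01T00:00:00Z"},
         {"keyId": "k2", "displayName": "backup", "startDateTime": "2023-12-10T08:15:00Z"}],
     "keyCredentials": []},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Mailer Helper",
     "passwordCredentials": [
         {"keyId": "k3", "displayName": None, "startDateTime": "2023-12-12T21:40:00Z"}],
     "keyCredentials": []},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "HR Portal",
     "passwordCredentials": [
         {"keyId": "k4", "displayName": "prod", "startDateTime": "2021-06-01T00:00:00Z"}],
     "keyCredentials": []},
]

# Constructed sample: service principals (map the grant's clientId back to an appId).
SERVICE_PRINCIPALS = [
    {"id": "sp-0002", "appId": "00000000-0000-0000-0000-000000000002", "displayName": "Mailer Helper"},
    {"id": "sp-0003", "appId": "00000000-0000-0000-0000-000000000003", "displayName": "HR Portal"},
]

# Constructed sample: delegated consent grants. AllPrincipals means admin consent for
# every user in the tenant; Principal means one user consented for themselves.
GRANTS = [
    {"clientId": "sp-0002", "consentType": "AllPrincipals", "scope": "Mail.ReadWrite Mail.Send User.Read"},
    {"clientId": "sp-0003", "consentType": "Principal", "scope": "User.Read"},
]


def parse_time(value):
    """Parse Graph's ISO-8601 timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recently_added_credentials(app, now, window_days=30):
    """Return secrets and certificates whose start date falls inside the window."""
    cutoff = now - timedelta(days=window_days)
    creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
    return [c for c in creds if parse_time(c["startDateTime"]) >= cutoff]


def audit_applications(applications, now, window_days=30):
    """Flag apps that gained credentials recently; note when older ones already existed."""
    findings = []
    for app in applications:
        total = len(app.get("passwordCredentials", [])) + len(app.get("keyCredentials", []))
        recent = recently_added_credentials(app, now, window_days)
        if not recent:
            continue
        older = total - len(recent)
        reason = "credential(s) added within %d days" % window_days
        if older:
            reason += " to an app that already had %d credential(s)" % older
        findings.append({"appId": app["appId"], "displayName": app["displayName"],
                         "reason": reason, "keyIds": [c["keyId"] for c in recent]})
    return findings


def audit_grants(grants, service_principals):
    """Flag tenant-wide (AllPrincipals) consent to high-risk mail scopes."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        risky = set(grant.get("scope", "").split()) & HIGH_RISK_SCOPES
        if risky and grant.get("consentType") == "AllPrincipals":
            sp = sp_by_id.get(grant["clientId"], {})
            findings.append({"appId": sp.get("appId", "unknown"),
                             "displayName": sp.get("displayName", grant["clientId"]),
                             "reason": "tenant-wide consent to " + ", ".join(sorted(risky))})
    return findings


def run_audit(applications=APPLICATIONS, grants=GRANTS,
              service_principals=SERVICE_PRINCIPALS, now=NOW, window_days=30):
    """Combine both checks; returns a list of finding dicts for review."""
    return audit_applications(applications, now, window_days) + audit_grants(grants, service_principals)


if __name__ == "__main__":
    for f in run_audit():
        print("%s (%s): %s" % (f["displayName"], f["appId"], f["reason"]))
```

Against the sample data, "Expense Sync" is flagged because a second secret appeared four days before the audit on an app that already had one, "Mailer Helper" is flagged twice (a fresh secret, and tenant-wide consent to Mail.ReadWrite and Mail.Send), and "HR Portal" is clean. On a real tenant the window and the scope list are tuning knobs; a new credential on an app nobody changed on purpose is the signal worth triaging first.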

Originally published on the WeChat official account 知机安全: Microsoft Warns: Hackers Abuse OAuth for Cryptocurrency Mining and Phishing

Posted by admin on 2023-12-14 14:32:11. Please keep this link when reposting (CN-SEC Chinese Network; thanks to the original author for their work): http://cn-sec.com/archives/2297561.html
