Attack campaign involving stolen OAuth user tokens issued to two third-party integrators


The cloud has brought us a huge range of security improvements, but the convenience has a hidden downside: the same ease of use makes it easier to commit a security oversight, such as failing to audit, monitor, or expire OAuth keys.

When OAuth keys like the ones used in the recent attack over the weekend can't be stolen from a database or a poorly permissioned repository, they are often gleaned from the client side using malware or browser-based attacks, then collected and aggregated by Initial Access Brokers and sold on to those who need them for a specific attack. I suspect that is what has happened here, and the important lesson is that this type of layered threat is a present and active risk for anything hosted in the cloud.
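The audit, monitoring and expiry the commentary calls for can be reduced to two checks over an inventory of third-party OAuth grants and a usage log: grants past a rotation age, and token calls arriving from a network the issuing integrator never uses (the signature of a token being replayed by someone other than the integrator). The script below is an added example, not from the original post; the grant and log record shapes, the network labels, and the 90-day rotation policy are all constructed assumptions.

```python
"""Offline audit of constructed OAuth grant and usage data (hypothetical shapes)."""
from datetime import datetime, timedelta, timezone

MAX_GRANT_AGE = timedelta(days=90)  # policy assumption: rotate integrator tokens quarterly

# Constructed inventory: user tokens issued to two third-party integrators.
GRANTS = [
    {"token": "tok_A", "app": "ci-integrator", "scopes": ["repo"],
     "issued": "2022-01-02T00:00:00Z"},
    {"token": "tok_B", "app": "deploy-integrator", "scopes": ["read:org"],
     "issued": "2022-04-01T00:00:00Z"},
]

# Constructed API usage log: (timestamp, token id, source network label).
USAGE = [
    ("2022-04-10T09:00:00Z", "tok_A", "AS-CI-INTEGRATOR"),
    ("2022-04-12T03:14:00Z", "tok_A", "AS-UNKNOWN-VPS"),   # same token, different origin
    ("2022-04-11T10:00:00Z", "tok_B", "AS-DEPLOY-INTEGRATOR"),
]

# Assumed baseline: networks each integrator legitimately calls from.
KNOWN_ORIGINS = {
    "ci-integrator": {"AS-CI-INTEGRATOR"},
    "deploy-integrator": {"AS-DEPLOY-INTEGRATOR"},
}


def _ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_grants(grants, now):
    """Tokens older than MAX_GRANT_AGE: revoke or rotate these (the 'expire' check)."""
    return sorted(g["token"] for g in grants if now - _ts(g["issued"]) > MAX_GRANT_AGE)


def foreign_use(grants, usage, known):
    """Calls made with a token from a network its integrator does not use,
    or with a token not in the inventory at all (the 'monitor' check)."""
    app_of = {g["token"]: g["app"] for g in grants}
    hits = []
    for when, tok, origin in sorted(usage):
        app = app_of.get(tok)
        if app is None or origin not in known.get(app, set()):
            hits.append((tok, origin, when))
    return hits


if __name__ == "__main__":
    now = _ts("2022-04-15T00:00:00Z")
    print("stale grants:", stale_grants(GRANTS, now))
    print("foreign use:", foreign_use(GRANTS, USAGE, KNOWN_ORIGINS))
```

In a real deployment the inventory and log come from the identity provider's audit export, and the origin baseline should be built from weeks of the integrator's own traffic before it is used to raise alerts.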