"Researchers Report First Instance of Automated SaaS Ransomware Extortion"

The 0mega ransomware group has successfully executed an extortion attack against a company's SharePoint Online environment without using a compromised endpoint, which is the usual route for these types of attacks. Instead, the threat group appears to have exploited a poorly protected administrator account to infiltrate the environment of the unnamed company, elevate permissions, and ultimately exfiltrate sensitive data from the victim's SharePoint libraries. The stolen information was used to demand a ransom from the victim. According to Glenn Chisholm, cofounder and CPO of Obsidian, the security company that discovered the attack, most enterprise efforts to combat ransomware tend to focus on endpoint protection mechanisms. The attack observed by Obsidian began with a member of the 0mega group obtaining a service account credential for one of the victim organization's Microsoft Global administrators. Not only was the compromised account accessible from the public Internet, but it also lacked multi-factor authentication (MFA). This article continues to discuss the attack, which highlights the growing interest among threat actors in targeting data held by Software-as-a-Service (SaaS) providers.

Dark Reading reports "Researchers Report First Instance of Automated SaaS Ransomware Extortion"
