Well-Known Hacking Group Exploits Third-Party Apps and OAuth

CloudLock CyberLab

Founded by Israeli Elite Cybersecurity Military Intelligence experts, the CloudLock CyberLab is a global team of leading security experts, analysts, penetration testers, incident responders, forensic investigators and security researchers focused on driving unique insight into cybersecurity threats related to the cloud.


What do the DNC hacks and the current attempts by hackers to interfere with the French election have in common?

Give up? They both use Open Authorization (or OAuth) to gain what many would consider excessive levels of information about users, and various news outlets featured stories on each recently.

So What’s This About OAuth and Hacking?

Infamous hacking group Fancy Bear (alternately known as Pawn Storm and APT 28), believed to be behind the DNC hacks, has been using OAuth-connected, third-party cloud apps to support their attacks.

Fancy Bear is now suspected to be interfering with the current presidential elections in France. In short, OAuth-connected cloud apps are continuing to gain recognition as an unusual and highly risky threat vector.

What Exactly is a Connected Third-Party App? Why Are They Dangerous?

Cisco Cloudlock has discovered over 275,000 unique, OAuth-connected cloud applications, with organizations having an average of 750 unique OAuth-enabled applications in their environment.

As reported in the Q2 2016 Cloud Cybersecurity Report, over one in four of the applications are considered high-risk due to the extremely high level of permissions users grant to the application, often including full access to the files within their cloud environment and the ability to modify, delete, and externalize files.

Some applications are benign in intent but request excessive permissions to function, while others are malicious in intent, aimed at leveraging the permissions granted to them to accomplish nefarious tasks.

The danger is only increased by the fact that standard best practices and security tools won’t help. The risk of the applications is unique, as they may be self-enabled (or “connected”) off the corporate network.

This off-network, cloud-to-cloud traffic is a blind spot for the vast majority of organizations today. Changing passwords, meanwhile, won’t solve the problem, as these applications persist until the token they have been granted is removed.

What Can Be Done?

Cisco Cloudlock (formerly CloudLock) has been defending against malicious and excessively privileged OAuth-connected applications for years. As a cloud-native, API-based Cloud Access Security Broker (CASB), Cisco Cloudlock offers Apps Firewall, which enables organizations to gain visibility into and control over this incredibly risky form of Shadow IT.

Cisco Cloudlock provides intelligence to assess application risk, including the access scope of the application, a risk level score, and the Community Trust Rating (CTR), a crowdsourced security risk rating of third-party applications based on anonymized user data (how many users have trusted versus banned the application).
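The risk assessment described above (access scope, risk level, and a trusted-versus-banned community rating) and the point that grants survive a password reset can be worked through on data of the kind an admin API returns. The script below is an added example, not Cloudlock's code or rating formula; the grants and verdicts are constructed, and the scope strings are real Google Workspace scopes used only as an illustration since the post names no platform.

```python
# Added example: triage OAuth grants collected from a SaaS admin API.
# Sample grants/verdicts are constructed; the scope-to-tier mapping is an
# assumption for illustration (Google Workspace scope strings).
from collections import Counter, defaultdict

G = "https://www.googleapis.com/auth/"
SCOPE_TIER = {
    G + "drive": 3,            # full read/write/delete/share on all Drive files
    "https://mail.google.com/": 3,  # full mailbox access
    G + "drive.file": 2,       # only files the app created or the user opened in it
    G + "drive.readonly": 1,   # read-only
    G + "userinfo.email": 0,   # identity only
}
TIER_NAME = {0: "low", 1: "read", 2: "write", 3: "full"}
HIGH_RISK_TIER = 3  # the "high-risk" bucket: full access incl. modify/delete/externalize

def scope_tier(scope):
    # Unknown scopes are treated as write-level rather than silently ignored.
    return SCOPE_TIER.get(scope, 2)

def community_trust(verdicts):
    """Fraction of trusted verdicts among all trusted/banned verdicts (None if unrated)."""
    c = Counter(verdicts)
    judged = c["trusted"] + c["banned"]
    return c["trusted"] / judged if judged else None

def triage(grants, verdicts):
    """grants: [(user, client_id, [scopes])]; verdicts: {client_id: ['trusted'|'banned', ...]}."""
    per_app = defaultdict(lambda: {"users": set(), "tier": 0})
    for user, client_id, scopes in grants:
        app = per_app[client_id]
        app["users"].add(user)
        app["tier"] = max(app["tier"], max(scope_tier(s) for s in scopes))
    report = {}
    for client_id, app in per_app.items():
        ctr = community_trust(verdicts.get(client_id, []))
        high_risk = app["tier"] >= HIGH_RISK_TIER
        # Remediation is revoking the token: changing the password leaves the grant in place.
        if high_risk and (ctr is None or ctr < 0.5):
            action = "revoke"
        else:
            action = "review" if high_risk else "allow"
        report[client_id] = {"users": len(app["users"]), "access": TIER_NAME[app["tier"]],
                             "community_trust": ctr, "action": action}
    return report

SAMPLE_GRANTS = [  # constructed
    ("alice@example.com", "calendar-sync.example", [G + "userinfo.email", G + "drive.readonly"]),
    ("bob@example.com", "docs-helper.example", [G + "drive"]),
    ("carol@example.com", "docs-helper.example", [G + "drive", "https://mail.google.com/"]),
    ("dave@example.com", "pdf-export.example", [G + "drive.file"]),
]
SAMPLE_VERDICTS = {"docs-helper.example": ["banned", "banned", "trusted"],
                   "calendar-sync.example": ["trusted"] * 4}  # constructed
```

Running `triage(SAMPLE_GRANTS, SAMPLE_VERDICTS)` flags docs-helper.example (two users, full Drive and mailbox access, mostly banned) for revocation while the read-only and per-file apps are allowed.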
