TRENDING TOPICS JUNE 26, 2025

Update: nOAuth Vulnerability Still Threatens Microsoft Entra SaaS Apps and Broader Identity Systems

Despite being publicly disclosed in mid-2023, the nOAuth vulnerability continues to affect a significant portion of Microsoft Entra-integrated SaaS applications. A recent review by Semperis found that 9% of the 104 applications tested still allow attackers to exploit weak OpenID Connect (OIDC) implementations. The core issue lies in how these apps identify users: they rely on email addresses instead of the correct combination of the subject (sub) and issuer (iss) claims. Because Entra ID permits accounts to have unverified email addresses, attackers can modify their account's mail attribute to match a victim's email and then use "Log in with Microsoft" to impersonate the victim. If the app supports multiple identity providers, the attacker's email-based login could bypass normal protections entirely, especially when the attacker and victim belong to different Entra tenants. This makes the attack trivial to execute, difficult to trace, and highly effective at gaining unauthorized access to SaaS environments. Microsoft reiterated its previous guidance in response to Semperis' report, emphasizing that developers must avoid using non-compliant identifiers and instead enforce strict user validation. However, the responsibility falls entirely on app developers, as customers using these vulnerable apps cannot detect or mitigate the threat on their own. Organizations must demand stronger compliance from vendors and ensure any application accessing sensitive data enforces secure, immutable identity verification methods.
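The lookup mistake described above, shown next to its fix, as an added example that is not code from Semperis, Microsoft or any affected vendor. The issuer URLs, subject values, user records and token claims are constructed sample data (placeholder tenant GUIDs), and the example assumes the claims come from an ID token whose signature the OIDC client has already verified; the point is only which claims select the user record.

```python
# Added example (not code from Semperis, Microsoft or any affected vendor):
# the user-lookup mistake behind nOAuth next to the fix. All claims, issuer
# URLs and user records below are constructed sample data; in a real OIDC
# client the claims would come from an ID token whose signature has already
# been verified.

# Constructed issuer URLs for two different Entra tenants (placeholder GUIDs).
VICTIM_ISS = "https://login.microsoftonline.com/00000000-0000-0000-0000-00000000aaaa/v2.0"
ATTACKER_ISS = "https://login.microsoftonline.com/00000000-0000-0000-0000-00000000bbbb/v2.0"

# The victim's existing application record, stored under both keys so the two
# lookup strategies can be compared side by side.
ALICE = {"name": "Alice", "role": "admin"}
USERS_BY_EMAIL = {"alice@example.com": ALICE}
USERS_BY_ISS_SUB = {(VICTIM_ISS, "sub-alice-0001"): ALICE}

# Token claims for the legitimate user.
VICTIM_CLAIMS = {"iss": VICTIM_ISS, "sub": "sub-alice-0001",
                 "email": "alice@example.com"}

# Token claims for an account in a different tenant whose mail attribute was
# set to the victim's address. Entra does not verify that attribute, so the
# email claim simply carries whatever the account's own tenant put there.
ATTACKER_CLAIMS = {"iss": ATTACKER_ISS, "sub": "sub-mallory-9999",
                   "email": "alice@example.com"}


def lookup_user_vulnerable(claims):
    """The nOAuth pattern: the mutable, unverified email claim selects the user."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def lookup_user_hardened(claims):
    """Select the user by (iss, sub). sub is only unique within one issuer, so
    the pair, not sub alone and never email, is the stable identity."""
    try:
        key = (claims["iss"], claims["sub"])
    except KeyError:
        return None  # a token without both claims cannot identify anyone
    return USERS_BY_ISS_SUB.get(key)


def provision_user_hardened(claims, store):
    """First sign-in for an (iss, sub) pair creates a fresh record. It must not
    be silently attached to an existing record that happens to share the email
    address; that is exactly the cross-provider linking nOAuth abuses."""
    key = (claims["iss"], claims["sub"])
    if key in store:
        return store[key]
    record = {"name": claims.get("name", claims["sub"]), "role": "member"}
    store[key] = record
    return record


if __name__ == "__main__":
    print("vulnerable lookup for attacker token:", lookup_user_vulnerable(ATTACKER_CLAIMS))
    print("hardened lookup for attacker token:  ", lookup_user_hardened(ATTACKER_CLAIMS))
```

Run stand-alone, the vulnerable lookup returns Alice's admin record for the attacker's token while the hardened lookup returns nothing. The provisioning function is the other half of the fix: when an app accepts several identity providers, a first sign-in must create a new record keyed on (iss, sub) rather than merge into whichever existing account shares the email address.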

Threat Actors Abuse ScreenConnect to Deliver Signed Remote Access Malware 

Threat actors are actively weaponizing the ConnectWise ScreenConnect installer to deploy signed remote access malware through a method known as Authenticode stuffing. This tactic involves modifying hidden configuration data stored in the certificate table of a digitally signed installer without breaking the signature's validity. ScreenConnect, widely used by IT administrators and managed service providers for remote device management, allows for the pre-configuration of installers with server addresses, UI text, and branding. These parameters, embedded in the certificate section of the file, can be manipulated to redirect a legitimate-looking client to attacker-controlled infrastructure. G DATA observed samples where every section of the file remained unchanged except for the certificate table, which was altered to point to malicious servers. This manipulation allows attackers to retain the appearance of a signed, trusted application while subverting its intended use for stealthy access. Initial infections can be traced back to phishing attacks that delivered booby-trapped installers through malicious PDFs or Canva links, ultimately redirecting victims to payloads hosted on Cloudflare's R2 platform. One observed sample, disguised as "Request for Proposal[.]exe," connected back to an attacker's server under the relay[.]rachael-and-aidan.co[.]uk domain. G DATA's investigation revealed that these installers were customized to display misleading titles, such as "Windows Update," and fake update screens to trick users into thinking the tool was legitimate. Despite identifying and flagging the malware as Win32[.]Backdoor[.]EvilConwi[.]* and Win32[.]Riskware[.]SilentConwi[.]*, G DATA received no formal response from ConnectWise, although the abused certificate had been revoked.
These developments underscore the risks associated with downloading remote access and VPN tools from unofficial sources and the need for stricter control over how signed installers are handled and verified. 
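A defender-side check for the property the item above describes, added here as an example that is not G DATA's or ConnectWise's code. The Authenticode hash covers the PKCS#7 SignedData blob inside a WIN_CERTIFICATE entry but not the bytes that follow it within the same entry, so data placed there survives signature verification. The checker below walks the PE certificate table and reports any non-padding bytes after the DER-encoded blob; it assumes that form of stuffing (data appended after the PKCS#7 structure), which this page does not confirm is ScreenConnect's exact placement, and it would not see data hidden inside the PKCS#7 structure's own unauthenticated attributes, which needs a full ASN.1 parser. The sample certificate table, the stand-in DER blob and the config string are constructed, not taken from a real installer.

```python
# Added example (not G DATA's or ConnectWise's code): locate the Authenticode
# certificate table of a PE file and report bytes that sit inside a
# WIN_CERTIFICATE entry after the DER-encoded PKCS#7 SignedData ends. Those
# bytes are not covered by the Authenticode hash. Assumption: the stuffed data
# is appended after the PKCS#7 blob; the sample table below is constructed.
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_sequence_total_length(buf, offset=0):
    """Total size (tag + length octets + content) of the DER SEQUENCE at offset."""
    if buf[offset] != 0x30:
        raise ValueError("expected DER SEQUENCE tag 0x30")
    first = buf[offset + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len


def parse_certificate_table(table):
    """Walk WIN_CERTIFICATE entries and return one dict per entry."""
    entries, pos = [], 0
    while pos + 8 <= len(table):
        length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE length")
        body = table[pos + 8:pos + length]
        entry = {"revision": revision, "type": cert_type, "length": length,
                 "pkcs7_length": None, "extra": b""}
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and body[:1] == b"\x30":
            pkcs7_len = der_sequence_total_length(body)
            entry["pkcs7_length"] = pkcs7_len
            # Zero bytes after the blob are normal 8-byte alignment padding;
            # anything else is data the signature does not cover.
            entry["extra"] = body[pkcs7_len:].rstrip(b"\x00")
        entries.append(entry)
        pos += (length + 7) & ~7           # entries are 8-byte aligned
    return entries


def find_stuffed_data(table):
    """Return the non-padding payloads found after each PKCS#7 blob."""
    return [e["extra"] for e in parse_certificate_table(table) if e["extra"]]


def read_certificate_table(path):
    """Extract the raw certificate table from a PE file on disk."""
    with open(path, "rb") as f:
        data = f.read()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                # optional header follows the file header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return data[off:off + size] if size else b""   # security dir holds a file offset


# Constructed sample: a tiny DER SEQUENCE stands in for the real PKCS#7 blob,
# and a made-up config string plays the role of stuffed client settings.
FAKE_PKCS7 = b"\x30\x04\x02\x02\x05\x39"
STUFFED_CONFIG = b"h=relay.example.invalid&p=443&t=Windows Update"


def build_sample_table(extra=b""):
    """Build one WIN_CERTIFICATE entry, optionally with data after the blob."""
    body = FAKE_PKCS7 + extra
    header = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                         WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    entry = header + body
    return entry + b"\x00" * (-len(entry) % 8)


if __name__ == "__main__":
    import sys
    table = read_certificate_table(sys.argv[1]) if len(sys.argv) > 1 \
        else build_sample_table(STUFFED_CONFIG)
    for payload in find_stuffed_data(table):
        print("data after PKCS#7 blob:", payload[:80])
```

Given a path, the script reads the real certificate table; without one it runs on the constructed sample and prints the stuffed config. A non-empty result means the file's signature still verifies while the file carries configuration the signer never hashed, which is the condition to hunt for when triaging remote access tools obtained outside the vendor's own channels.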

Hive0154 Launches Targeted Pubload Malware Attacks Against Tibetan Community 

In 2025, IBM X-Force identified a series of cyberattacks led by the China-linked group Hive0154, aimed primarily at the Tibetan community. Hive0154 used phishing emails with content referencing key political and cultural issues to build credibility with targets. Victims were lured into opening emails with ZIP or RAR files hosted on Google Drive, which contained a mix of benign and malicious components. The attackers relied on DLL sideloading, using vulnerable legitimate executables to silently run Claimloader, a loader that decrypts and launches the Pubload malware using TripleDES encryption. Once active, Pubload injects itself into memory and downloads an additional tool named Pubshell, which provides attackers with direct remote access through a reverse shell. The malware evades detection by dynamically resolving API functions and executing payloads using callback routines, demonstrating a higher level of technical maturity. The campaign’s impact goes beyond Tibetans, with evidence of similar tactics used against targets like the U.S. Navy, suggesting a broader intelligence-gathering mission. Infected files submitted from India point to geographic targeting aligned with the Tibetan government-in-exile’s presence. Hive0154 has also repurposed genuine Tibetan website material to make the malware-laced documents appear more trustworthy. Given the overlap with other known Chinese APT groups and the group's continued refinement of malware, organizations are advised to closely inspect file downloads, especially those originating from cloud platforms, and monitor for unusual, encrypted traffic patterns.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.