The adoption of SaaS and cloud applications is nothing new: roughly 80% of businesses already use at least one SaaS app. With remote and flexible work now part of work culture, SaaS usage, and the number of SaaS apps in each organization, has exploded. Cybercriminals, of course, are masters at pivoting their focus to follow shifts in technology trends.
There is real evidence that SaaS apps deserve more security attention. The five attacks below could all have been mitigated with effective SaaS security.
The Slack Hack
Between 2019 and 2021, ITG17 (a.k.a. MuddyWater), a suspected Iranian state-sponsored threat actor, used free Slack workspaces to support malicious activity targeting the airline industry. With more than 10 million daily active users on average, Slack gives malware traffic the opportunity to blend in unnoticed with legitimate traffic. IBM Threat Hunt Researcher Melissa Frydrych concurs: “the widespread use of tools such as Slack creates more opportunity for stealth.” MuddyWater used a backdoor called Aclip that runs its command-and-control (C2) channel through the Slack API: it uploads screenshots and requested files to an attacker-controlled workspace and retrieves operator commands from it, so the backdoor's traffic is ordinary HTTPS to Slack's API rather than to attacker-owned infrastructure.
Patching alone does not stop a backdoor like Aclip, because it abuses legitimate Slack API functionality rather than a vulnerability in Slack. What many organizations are missing in their SaaS cybersecurity is visibility into which SaaS workspaces, integrations and tokens are actually in use, and the ability to remediate what that visibility uncovers.
Infiltrating Microsoft Teams
As one of the most widely used collaboration apps today, Microsoft Teams is unsurprisingly a target for cybercriminals. In January 2022 it was discovered that thousands of attacks were dropping malicious executables into Teams conversations to infect machines with persistent Trojans. The attackers most likely got into those conversations by compromising email accounts or using stolen Microsoft 365 credentials: a valid Microsoft 365 identity gives access to Teams as well as to mail.
These days, employees know the drill with suspicious emails and have learned the common ways to spot malicious intent. That diligence does not automatically carry over to Teams conversations, where a file from a colleague's account is trusted by default. Using credentials harvested in phishing attacks, or moving laterally (east-west) inside an already-compromised tenant, cybercriminals can reach millions of unsuspecting users this way. Incidents like this should push organizations to expand security awareness training to cover collaboration apps such as Teams. A collaborative approach between security professionals and end users is the best defense against these attacks.
Dormant Duo MFA
With the growth of cloud computing and remote work, many organizations use Multi-Factor Authentication (MFA) to protect access to cloud resources. According to industry research, MFA-enabled accounts are up to 99 percent less likely to be compromised. MFA is not fool-proof, however, as an incident from May 2021 shows. Russian state-sponsored attackers targeted an account that had been un-enrolled from Duo MFA after a long period of inactivity but had never been disabled in Active Directory, and they obtained its password by guessing. Because the default MFA configuration allowed dormant accounts to re-enroll, the attackers simply registered their own device for MFA on that account and used it to access the organization's network.
The US Cybersecurity and Infrastructure Security Agency (CISA) mitigation recommendations include reviewing configuration policies to protect against “fail open” and re-enrollment scenarios, and ensuring that inactive accounts are disabled uniformly across the directory, the infrastructure and the MFA system, so that an account dropped from MFA for inactivity cannot still authenticate with a password alone.
Organizations should act on this by closing out dormant accounts everywhere, not just in one system.
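The reconciliation CISA is describing, as an added example that is not Wing's or CISA's code: the script joins a directory export against an MFA enrollment export and flags enabled accounts that are dormant, that the MFA system no longer protects (so a password alone logs in and a fresh device can be enrolled), or that sit on a bypass, and separately flags any MFA policy left in fail-open mode. The 45-day threshold, the status vocabulary ("active", "inactive", "bypass"), the policy shape and all account records are constructed assumptions; map them onto your own directory and MFA console exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 45  # assumption: the organisation's threshold for "inactive"


@dataclass
class DirectoryAccount:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None = never logged on


@dataclass
class MfaUser:
    username: str
    status: str           # assumption: "active", "inactive" (dropped for inactivity) or "bypass"
    enrolled_devices: int


# Constructed sample data, not taken from any real tenant.
TODAY = date(2021, 5, 15)
SAMPLE_DIRECTORY = [
    DirectoryAccount("adoe", True, date(2021, 5, 12)),     # active, healthy
    DirectoryAccount("jsmith", True, date(2021, 1, 3)),    # dormant; MFA dropped it for inactivity
    DirectoryAccount("svc_backup", True, None),            # never logged on, never enrolled in MFA
    DirectoryAccount("rlee", True, date(2021, 5, 10)),     # active but on an MFA bypass
    DirectoryAccount("pjones", False, date(2020, 11, 2)),  # already disabled, nothing to do
]
SAMPLE_MFA_USERS = [
    MfaUser("adoe", "active", 1),
    MfaUser("jsmith", "inactive", 0),
    MfaUser("rlee", "bypass", 1),
]
SAMPLE_POLICY = {
    "rdp-and-local-logon": {"fail_mode": "open"},
    "vpn": {"fail_mode": "closed"},
    "legacy-app": {},  # nothing set explicitly, so the default applies
}


def find_dormant_account_gaps(directory: List[DirectoryAccount],
                              mfa_users: List[MfaUser],
                              today: date,
                              dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str, str]]:
    """Return (username, finding, detail) for enabled accounts that are dormant in the
    directory or no longer protected on the MFA side. Disabled accounts are skipped."""
    mfa_by_name = {u.username: u for u in mfa_users}
    findings = []
    for acct in directory:
        if not acct.enabled:
            continue
        if acct.last_logon is None:
            dormant, detail = True, "never logged on"
        else:
            age = (today - acct.last_logon).days
            dormant, detail = age > dormant_days, "no logon for %d days" % age
        if dormant:
            findings.append((acct.username, "DISABLE_IN_DIRECTORY", detail))
        mfa = mfa_by_name.get(acct.username)
        if mfa is None or mfa.status == "inactive" or mfa.enrolled_devices == 0:
            # The re-enrollment scenario: the password alone authenticates, and whoever
            # logs in next gets to register their own second factor.
            findings.append((acct.username, "MFA_ENROLLMENT_GAP",
                             "password alone grants access; a new device can be enrolled at next login"))
        elif mfa.status == "bypass":
            findings.append((acct.username, "MFA_BYPASS", "MFA is not enforced for this user"))
    return findings


def check_fail_mode(policy: Dict[str, Dict[str, str]]) -> List[str]:
    """Return policy names that let logins through when the MFA service is unreachable.
    A missing setting is treated as fail-open, matching the default CISA warned about."""
    return [name for name, settings in policy.items()
            if settings.get("fail_mode", "open") == "open"]


if __name__ == "__main__":
    for user, finding, detail in find_dormant_account_gaps(SAMPLE_DIRECTORY, SAMPLE_MFA_USERS, TODAY):
        print("%-12s %-22s %s" % (user, finding, detail))
    print("fail-open policies:", check_fail_mode(SAMPLE_POLICY))
```

The point of joining the two exports is that each system on its own looks fine: the directory shows an enabled user with an old logon, and the MFA console shows a user it has quietly stopped protecting. Only the join reveals that the account can still be taken over with a guessed password.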
The Okta Breach
In March of this year, Okta Chief Security Officer David Bradbury announced that up to 366 Okta customers may have had their data accessed. The intrusion did not start inside Okta: an outside contractor providing support services to Okta employed an engineer whose laptop had been compromised by the hacking group known as Lapsus$, and the engineer's access became the group's way in. Lapsus$ posted screenshots of the breach, including images of Slack channels and of an internal interface showing a Cloudflare account.
APT33 Targets Active Directory Federation Services
In 2020, the Iranian group APT33 carried out an espionage-style campaign. In this case they ran password spraying against Active Directory Federation Services (AD FS), specifically targeting Outlook and Microsoft 365 accounts: a few common passwords tried against many accounts, which stays under per-account lockout thresholds that would catch a brute-force attack on a single user. According to Microsoft researchers, the group they track as Holmium (aka APT33) routinely targets the aerospace, defense and energy industries. With a compromised mailbox in hand, the group used Ruler, an open-source penetration testing tool that abuses Exchange and Outlook features to gain code execution on the mailbox owner's machine, to deploy a custom PowerShell backdoor. That gave them control of the endpoint and of the cloud identities associated with it.
The attackers could then spend hours exploring the network, building a list of user accounts and machines for further compromise, and moving laterally through the environment. Microsoft analysts note that these attacks “typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end.”
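Password spraying has a recognisable shape in sign-in logs: one source address, many distinct usernames, one or two failures each, inside a short window, often followed by a success for whichever account happened to use the sprayed password. The detector below, an added example that is not Microsoft's or Wing's code, runs that logic over constructed log lines. The one-line-per-authentication format, the field names, the RFC 5737 test addresses and the corp.example usernames are all assumptions; AD FS audit events or Microsoft 365 sign-in logs carry the same fields under different names.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed log format: "<ISO timestamp> user=<upn> ip=<source> result=success|failure".
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

# Constructed sample: one spray from 203.0.113.7 that lands on frank's account,
# a user mistyping their own password twice, and two stray failures from a third host.
SAMPLE_LOG = """\
2020-05-03T02:00:01Z user=Alice@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:00:44Z user=bob@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:01:30Z user=carol@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:02:12Z user=dave@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:03:05Z user=erin@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:03:51Z user=frank@corp.example ip=203.0.113.7 result=failure
2020-05-03T02:04:40Z user=frank@corp.example ip=203.0.113.7 result=success
2020-05-03T08:15:02Z user=bob@corp.example ip=198.51.100.20 result=failure
2020-05-03T08:15:20Z user=bob@corp.example ip=198.51.100.20 result=failure
2020-05-03T08:15:41Z user=bob@corp.example ip=198.51.100.20 result=success
2020-05-03T09:00:00Z user=grace@corp.example ip=198.51.100.33 result=failure
2020-05-03T09:00:30Z user=heidi@corp.example ip=198.51.100.33 result=failure
"""


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events sorted by time; usernames are lower-cased because
    sprays often vary the case of the UPN and the IdP treats it as the same account."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than failing the whole run
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"].lower(),
            "ip": m["ip"],
            "ok": m["result"] == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events: List[dict],
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5,
                          max_per_user: int = 3) -> Dict[str, dict]:
    """Return one alert per source IP whose failures, within any `window`, spread over at
    least `min_users` accounts with no account tried more than `max_per_user` times.
    The low per-user ceiling is what separates a spray from a brute force on one account."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            # A success from the same source after the spray began is the account to reset first.
            successes = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= fails[start]["ts"]})
            if ip not in alerts or len(per_user) > alerts[ip]["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(per_user),
                    "first_failure": fails[start]["ts"],
                    "last_failure": fails[end]["ts"],
                    "subsequent_successes": successes,
                }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

Tune `min_users` and `window` to the tenant: a slow spray that spreads attempts over hours defeats a ten-minute window, so running the same logic over a day-long window with a higher user threshold is a useful second pass. Either way, the `subsequent_successes` list is the triage priority, because that is the account that now needs a password reset and a session revocation before the Ruler-style follow-on can happen.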
How Does Wing Protect SaaS Apps?
Visibility and remediation are the key components of effective SaaS cybersecurity, and Wing's SaaS security platform gives organizations both across their entire SaaS estate. To make sure SaaS usage stays secure, security leaders can use Wing to set up automatic remediation with a few clicks: cleaning up inconsistent user records, removing outdated permissions, and shutting down risky App2App connections, with access modified or revoked immediately to mitigate the threat. Wing also alerts on public shares that haven't been accessed in a while and can automatically unshare them, quickly closing what would otherwise be many backdoors left open.
Wing's collaborative approach to SaaS cybersecurity builds a security culture in which end users, your employees, are part of the security circle. Pairing that mindset with Wing's holistic SaaS cybersecurity solution lets organizations empower users to act on what they know about the apps and data they work with, catching issues that a purely automated security system would miss or mishandle.
Wing Security is simple to use, and easy to deploy. The intuitive interface enables comprehensive visibility, analysis, and automated remediation of SaaS cybersecurity without the headache of proxies or other intrusive behavior.
Let Wing help you make 2022 the year of SaaS cybersecurity success!