2022’s Most Shocking SaaS App Attacks – and How to Prevent Them
Software-as-a-Service (SaaS) solutions offer tremendous benefits to enterprise organizations, allowing companies to provide state-of-the-art cloud-based tools to empower their end users. As a result, many businesses feel safe having their data and software solutions maintained by hyper-scale cloud providers. However, they can and do fall victim to breaches. Let’s look at some of the most shocking SaaS app attacks in 2022 and how businesses can protect themselves.
Are SaaS environments immune to a security breach?
Organizations may assume attackers will never breach SaaS environments. After all, a primary reason for migrating to the cloud for many companies is the benefit of having the underlying infrastructure security taken care of as part of the solution. But, contrary to popular belief, SaaS environments are not infallible. Breaches can and do happen.
After all, cloud SaaS environments are located in someone else’s data center with underlying infrastructure that admins must keep patched, properly configured and can be vulnerable to the same risks of zero-day threats, third-party vendors, etc. Additionally, attackers can target employees of cloud vendors to compromise their accounts and gain a foothold inside the infrastructure.
A slight security misstep, misconfiguration, or lax security for privileged accounts may be all attackers need to breach a cloud SaaS service, threatening your data and sensitive information.
2022’s most shocking SaaS app attacks
When cloud SaaS environments located in hyperscale data centers are breached, it can be shocking to organizations who may have entrusted their data to SaaS vendors. Note the following three SaaS attacks that unfolded in 2022 and what businesses can learn from these:
- Microsoft LAPSUS$ breach
- Okta privileged user breach
- Hubspot super admin account breached
Microsoft LAPSUS$ breach
In March 2022, Microsoft was targeted by DEV-0537, a.k.a LAPSUS$, suffering an account compromise and stolen source code. In the aftermath, Microsoft was adamant the attack didn’t compromise any user information and that there was no risk to any Microsoft products. DEV-0537 heavily uses social engineering to gather information about its targets. They have been known to use MFA bombing to compromise 2FA and have also called help desks to have credentials reset for user accounts.
The group has been known to gather intimate knowledge of employees and group members of employees within an organization to help with social engineering efforts. To compromise credentials, they have been known to target employees’ personal accounts to look for credentials that may be reused with corporate accounts, including SaaS environments.
To bypass MFA, they have been known to use MFA token replay techniques and MFA bombing/MFA fatigue attacks to get employees to consent to MFA prompts, allowing access. They also use the direct approach of enticing users with payment in return for inside information, credentials, access, etc. While Microsoft confirmed the attack didn’t compromise customer data or their solutions, it highlights security risks that organizations must consider.
For businesses thinking about how they improve their overall security and SaaS cybersecurity posture, Microsoft recommends the following:
- Implement MFA on everything
- Use hardware FIDO tokens
- Leverage passwordless authentication methods where possible
- Implement risk policies to block high-impact user actions
- To help users with cybersecurity training with a focus on social engineering attacks
- Use modern VPN authentication leveraging SAML or OAuth
OKTA privileged user breach
In January 2022, access management giant Okta was compromised due to a security incident involving a third-party vendor used by Okta for customer support. After LAPSUS$ breached the Sitel network, attackers gained access to a workstation of a Sitel support engineer with access to Okta resources.
According to Okta, attackers could not perform configuration changes, MFA or password resets, or customer support impersonation events due to the access safeguards between Sitel systems and Okta.
The incident with Okta helps to illustrate the security risks that third-party vendors can pose. Often organizations are only as secure as the third-party vendors they use.
What lessons are learned for organizations using SaaS environments?
- Organizations must secure privileged user devices, as simply securing the SaaS service itself isn’t enough to completely protect the environment.
- Protecting accounts and changes with MFA is of utmost importance. Businesses can’t rely on SSO alone and need to ensure MFA is implemented across the board.
- Monitor user activities – Okta discovered the breach from Sitel when unexpected changes appeared for event monitoring logs. It underscores the need to monitor event logs and other infrastructure events, as these often reveal the telltale signs of an attacker breaching the network.
Hubspot super admin account breached
Hubspot, a CRM platform as-a-Service solution, was breached on March 15, 2020. A threat actor using social engineering compromised an employee account, including MFA authentication. Over the next three days, the attack performed reconnaissance and exfiltrated data for around 30 customers.
Some reports mention the employee was willingly involved in the attack and was complicit in the actions carried out by the attackers. The attack concentrated on customer accounts in the cryptocurrency industry and used a so-called “super admin” account with high-level permissions across environments.
Hubspot investigated with the assistance of a third-party forensics firm and reached out to those customers affected by the breach. They also recommended disabling the “Hubspot Employee Access” control in the customer’s Hubspot account settings. As noted by Hubspot, this setting should only be enabled when customers require specific assistance from Hubspot and disabled afterward.
The Hubspot breach underscores the following key takeaways for SaaS security:
- The dangers of social engineering and the importance of employee cybersecurity training
- The need to protect against insider threats
- The importance of monitoring activities, configuration changes, access to resources, etc
SpinOne SaaS security and monitoring
Meeting the challenge of monitoring and securing SaaS environments can be difficult. SpinOne is SaaS Security Posture Management for enterprises. It provides a single pane of glass solution, allowing admins and SecOps complete visibility and control over SaaS data security and monitoring. With SpinOne, organizations can confidently use SaaS offerings, including Google Workspace and Microsoft 365, with the security tools needed to maintain control over their data and SaaS applications. SpinOne allows organizations to:
- View all data shared in the cloud SaaS environment
- View ownership of files
- Audit users and shared data
- Apply rules to files based on SpinOne security policies
- Quickly see files that are shared externally in SaaS environments
- Discover sensitive information, including credit card numbers (CCNs) shared using email
- View and sort data by an individual
- Generate data audit reports
Click here to learn more.
Was this helpful?
How Can You Maximize SaaS Security Benefits?
Let's get started with a live demo
Latest blog posts
With many businesses relying on SaaS environments, SaaS security has become critical. Learn the best practices of SaaS security that […]
The number of ransomware attacks has been growing steadily for the past years. So have the ransom payments. Experts predict […]