Early in 2024, Wing Security released its State of SaaS Security report, offering surprising insights into emerging threats and best practices in the SaaS domain. Now, halfway through the year, several SaaS threat predictions from the report have already proven accurate. Fortunately, SaaS Security Posture Management (SSPM) solutions have prioritized mitigation capabilities to address many of these issues, ensuring security teams have the necessary tools to face these challenges head-on.
In this article, we will revisit our predictions from earlier in the year, showcase real-world examples of these threats in action, and offer practical tips and best practices to help you prevent such incidents in the future.
It's also worth noting the overall trend of an increasing frequency of breaches in today's dynamic SaaS landscape, leading organizations to demand timely threat alerts as a vital capability. Industry regulations with upcoming compliance deadlines are demanding similar time-sensitive breach reporting. These market changes mean that easy, quick, and precise threat intelligence capabilities have become especially essential for all organizations utilizing SaaS, in addition to understanding the specific threat types detailed below.
Threat Prediction 1: Shadow AI
A communications platform's hidden use of AI
In May 2024, a major communication platform faced backlash for using user data from messages and files to train machine learning models for search and recommendations. This practice raised significant data security concerns for organizations, as they were worried about the potential exposure and misuse of their sensitive information. Users felt they were not properly informed about this practice, and the opt-out process was inconvenient. To address these concerns, the platform clarified its data usage policies and made opting out easier.
Why This Matters
This lack of effective transparency around AI use in SaaS applications is worrying. With over 8,500 apps having embedded generative AI capabilities and six out of the top ten AI apps leveraging user data for training, the potential for "Shadow AI" – unauthorized AI usage – is everywhere.
SaaS services these days are easily onboarded into organizations, and the terms and conditions are often overlooked. This behavior opens the door for thousands of SaaS apps to access a goldmine of sensitive, private company information and potentially train AI models on it. The recent controversy over the use of customer data for machine learning shows just how real this threat is.
Combating Shadow AI with Automated SSPM
Organizations should take several steps to enhance their security against potential AI threats. First, regain control over AI usage by uncovering and understanding all AI and AI-powered SaaS applications in use. Second, it is critical to identify app impersonation by monitoring for the introduction of risky or malicious SaaS, including AI apps that mimic legitimate versions. Finally, AI remediation can be automated by utilizing tools that offer automated remediation workflows to swiftly address any identified threats.
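The two discovery steps above (find every AI-enabled app in use, and catch apps that impersonate legitimate ones) can be expressed as a simple review over an app inventory. The script below is an added example written for this article, not code from Wing Security or any SSPM product: the inventory fields (`ai`, `trains_on_customer_data`, `scopes`), the sanctioned-app list, the app and publisher names, and the 0.75 name-similarity threshold are all constructed assumptions.

```python
"""Shadow-AI and app-impersonation review over a SaaS app inventory.
Added illustration: the inventory shape, the names and the threshold are
assumptions, not any vendor's data model."""
from difflib import SequenceMatcher

# Sanctioned apps and their verified publishers (constructed sample data).
SANCTIONED = {
    "ChatHub": "ChatHub Inc.",
    "DocSpace": "DocSpace Ltd.",
    "MeetLink": "MeetLink GmbH",
}

# Apps discovered from OAuth grants and SSO logs (constructed sample data).
# "trains_on_customer_data" would come from reviewing each app's terms.
DISCOVERED = [
    {"name": "ChatHub", "publisher": "ChatHub Inc.", "ai": False,
     "trains_on_customer_data": False, "scopes": ["channels:read"]},
    {"name": "DocSpace AI", "publisher": "DocSpace Ltd.", "ai": True,
     "trains_on_customer_data": False, "scopes": ["pages:read"]},
    # Lookalike name (lowercase L for i) from an unknown publisher.
    {"name": "MeetLlnk", "publisher": "meetlink-apps.example", "ai": True,
     "trains_on_customer_data": True, "scopes": ["meetings:read", "recordings:read"]},
    {"name": "SummarizeBot", "publisher": "unknown-dev.example", "ai": True,
     "trains_on_customer_data": True, "scopes": ["calendar.read", "mail.read"]},
    {"name": "TaskFlow", "publisher": "TaskFlow Co.", "ai": False,
     "trains_on_customer_data": False, "scopes": ["boards:read"]},
]


def lookalike(name, sanctioned, threshold=0.75):
    """Return the sanctioned app whose normalized name is most similar to
    `name`, or None if nothing reaches the similarity threshold."""
    norm = lambda s: s.lower().replace(" ", "")
    best, score = None, 0.0
    for s in sanctioned:
        r = SequenceMatcher(None, norm(name), norm(s)).ratio()
        if r > score:
            best, score = s, r
    return best if score >= threshold else None


def review(discovered, sanctioned):
    """Produce (app, severity, reason) findings for unsanctioned AI use
    and for apps impersonating a sanctioned one."""
    findings = []
    for app in discovered:
        name, pub = app["name"], app["publisher"]
        nearest = name if name in sanctioned else lookalike(name, sanctioned)
        if nearest and sanctioned[nearest] != pub:
            # Same or near-identical name, but not the verified publisher.
            findings.append((name, "HIGH",
                             f"possible impersonation of {nearest} by publisher {pub!r}"))
        elif nearest and name != nearest and app["ai"]:
            findings.append((name, "INFO",
                             f"AI add-on from the sanctioned publisher of {nearest}; review data-use terms"))
        elif nearest:
            continue  # sanctioned app from its verified publisher
        elif app["ai"]:
            trains = app["trains_on_customer_data"]
            findings.append((name, "HIGH" if trains else "MEDIUM",
                             "unsanctioned AI app"
                             + (" that trains on customer data" if trains else "")
                             + f"; granted scopes {sorted(app['scopes'])}"))
        else:
            findings.append((name, "LOW", "unsanctioned app (shadow SaaS)"))
    return findings


if __name__ == "__main__":
    for finding in review(DISCOVERED, SANCTIONED):
        print(finding)
```

The granted scopes are carried into each finding because an AI app that trains on customer data is only as dangerous as the data it can read; a mail or calendar scope on an unreviewed app is what turns "shadow AI" into an exposure.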
Threat Prediction 2: Supply Chain
Threat Actors Target a Popular Cloud Storage Company
A recent data breach at a cloud-based service has been brought to light. It was discovered on April 24, 2024, and disclosed on May 1st. The breach involved unauthorized access to customer credentials and authentication data. It is suspected that a service account used for executing applications and automated services within the backend environment was compromised, leading to the exposure of customer information such as emails, usernames, phone numbers, hashed passwords, as well as data essential for third-party integration like API keys and OAuth tokens.
Why This Matters
Periodic checks of the SaaS supply chain are simply not enough. Employees can easily and quickly add new services and vendors to their organization's SaaS environment, making the supply chain more complex. With hundreds of interconnected SaaS applications, a vulnerability in one can affect the entire supply chain. This breach underscores the need for quick detection and response. Regulations like NY-DFS now mandate CISOs to report incidents within their supply chains within 72 hours.
Combating Supply Chain Vulnerabilities with Automated SSPM
In 2024, CISOs and their teams must have access to rapid threat intelligence alerts. This ensures they are well-informed about security incidents in their SaaS supply chain, enabling fast responses to minimize potential harm. Preventative measures like effective Third-Party Risk Management (TPRM) are crucial for assessing the risks associated with each application. As SaaS security threats continue to evolve, including both familiar and emerging ones, effective risk management requires prioritizing threat monitoring and utilizing a SaaS Security Posture Management (SSPM) solution.
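When a vendor in the chain is breached the way the storage incident above describes (stored API keys and OAuth tokens exposed), the first response question is "which of our integrations can the attacker now reach, and which credentials must be rotated?" The script below is an added example, not code from Wing Security: it models inter-app credentials as a directed graph, walks it from the breached vendor, and lists the credentials to revoke. The app names, grant list and inventory format are constructed assumptions; the 72-hour figure is the reporting window the article cites.

```python
"""Blast-radius and credential-rotation analysis for a breached SaaS vendor.
Added illustration over a constructed integration inventory; the edge
format (holder, target, credential_type) is an assumption."""
from collections import deque
from datetime import datetime, timedelta

# Each entry: the app that HOLDS a credential, the app that credential grants
# access TO, and the credential type. Constructed sample data.
GRANTS = [
    ("ci-runner", "cloud-storage", "oauth_token"),
    ("crm", "cloud-storage", "api_key"),
    ("cloud-storage", "email-marketing", "oauth_token"),  # vendor's own outbound integration
    ("email-marketing", "crm", "oauth_token"),
    ("ci-runner", "prod-cloud", "service_account"),
    ("hr-system", "payroll", "oauth_token"),
]


def blast_radius(grants, breached):
    """Apps an attacker holding `breached`'s outbound credentials can reach,
    following every credential those apps hold in turn (BFS)."""
    reached = {breached}
    queue = deque([breached])
    while queue:
        app = queue.popleft()
        for holder, target, _ in grants:
            if holder == app and target not in reached:
                reached.add(target)
                queue.append(target)
    return reached


def credentials_to_rotate(grants, breached):
    """Inbound credentials to the breached app were stored on its backend and
    must be assumed exposed; outbound credentials of every reachable app are
    usable by whoever now controls those apps."""
    reached = blast_radius(grants, breached)
    return sorted({
        (holder, target, ctype) for holder, target, ctype in grants
        if target == breached or holder in reached
    })


def reporting_deadline(discovered_iso, hours=72):
    """Regulatory reporting deadline (ISO 8601 UTC) from the discovery time."""
    found = datetime.strptime(discovered_iso, "%Y-%m-%dT%H:%M:%SZ")
    return (found + timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    print("reachable:", sorted(blast_radius(GRANTS, "cloud-storage")))
    for cred in credentials_to_rotate(GRANTS, "cloud-storage"):
        print("rotate:", cred)
    print("report by:", reporting_deadline("2024-04-24T00:00:00Z"))
```

Note that `ci-runner`'s service account for `prod-cloud` is not flagged: the breached vendor never held it, and nothing the attacker reaches holds it either. Keeping that distinction accurate is what makes an inventory-driven response faster than rotating everything.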
Threat Prediction 3: Credential Access
Cyberattack on a Major Healthcare Provider
In February 2024, a major healthcare provider fell victim to a cyberattack in which investigators believe attackers used stolen login credentials to access a server. One key takeaway is that the absence of Multi-Factor Authentication (MFA), combined with a stolen token, allowed unauthorized access.
Why This Matters
In SaaS security, the abuse of compromised credentials is not a new trend. According to a recent report, an astonishing average of 4,000 blocked password attacks occurred per second over the past year. Despite the rise of more sophisticated attack methods, threat actors often exploit the simplicity and effectiveness of using stolen login information. Implementing stringent access controls, regular reviews, and audits are essential to detect and address vulnerabilities. This ensures that only authorized individuals have access to relevant information, minimizing the risk of unauthorized access.
Combating Credential Attacks with Automated SSPM
To combat credential attacks, organizations need a multi-faceted approach. Security teams should monitor for leaked passwords on the dark web to quickly identify and respond to compromised credentials. Then, implementing phishing-resistant multi-factor authentication (MFA) will add a robust layer of security that prevents unauthorized access even if passwords are stolen. Additionally, security teams should continuously search for abnormal activity within systems to detect and address potential breaches before they cause significant harm.
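"Continuously search for abnormal activity" is concrete enough to show in code. The script below is an added example, not code from Wing Security or any SSPM product: it runs two detections over constructed sign-in events, a password-spray pattern (one source failing against many distinct accounts in a short window, which per-account lockouts never catch) and a successful sign-in from a source already flagged as spraying, with no MFA recorded on it. The log format, IP addresses, account names, 5-minute window and 5-account threshold are all assumptions.

```python
"""Credential-attack detection over SaaS sign-in events.
Added illustration: the event format and thresholds are assumptions, not a
real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# timestamp  account  source-IP  result  MFA-method-used
SAMPLE_LOG = """\
2024-05-11T09:00:01Z alice@example.com 198.51.100.7 FAILURE mfa=none
2024-05-11T09:00:03Z bob@example.com 198.51.100.7 FAILURE mfa=none
2024-05-11T09:00:05Z carol@example.com 198.51.100.7 FAILURE mfa=none
2024-05-11T09:00:08Z dave@example.com 198.51.100.7 FAILURE mfa=none
2024-05-11T09:00:10Z erin@example.com 198.51.100.7 FAILURE mfa=none
2024-05-11T09:00:12Z frank@example.com 198.51.100.7 SUCCESS mfa=none
2024-05-11T09:05:00Z alice@example.com 203.0.113.20 SUCCESS mfa=fido2
2024-05-11T09:06:00Z bob@example.com 203.0.113.21 FAILURE mfa=none
2024-05-11T09:06:30Z bob@example.com 203.0.113.21 SUCCESS mfa=totp
"""


def parse_log(text):
    """Parse one event per line into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "result": result,
            "mfa": mfa.split("=", 1)[1],
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP whose failures hit >= min_users distinct accounts
    within `window`. One password tried across many accounts stays under
    every per-account lockout threshold, so the source is the only signal."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "ip": ip,
                               "distinct_users": len(users)})
                break
    return alerts


def detect_success_from_spray_source(events, spray_alerts):
    """A SUCCESS from an IP already flagged for spraying is a probable account
    takeover; with mfa=none there was no second factor to stop it."""
    spray_ips = {a["ip"] for a in spray_alerts}
    return [
        {"type": "takeover_suspected", "ip": e["ip"], "user": e["user"], "mfa": e["mfa"]}
        for e in events
        if e["ip"] in spray_ips and e["result"] == "SUCCESS"
    ]


def analyse(text):
    """Run both detections and return their alerts."""
    events = parse_log(text)
    spray = detect_spray(events)
    return {"spray": spray,
            "takeover": detect_success_from_spray_source(events, spray)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["spray"] + result["takeover"]:
        print(alert)
```

The single failure-then-success for `bob@example.com` from `203.0.113.21` is deliberately left alone: a user mistyping a password and then completing TOTP is normal, and a detection that alerts on it will be tuned out within a week.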
Threat Prediction 4: MFA Bypassing
New PaaS Tool Bypasses MFA for Gmail and Microsoft 365
A new phishing-as-a-service (PaaS) tool called "Tycoon 2FA" has emerged, which simplifies phishing attacks on Gmail and Microsoft 365 accounts by bypassing multi-factor authentication (MFA). In mid-February 2024, a new version of Tycoon 2FA was released, utilizing the AiTM (Adversary in the Middle) technique to bypass MFA. In this technique, the attacker's server hosts a phishing webpage that intercepts the victim's inputs and relays them to the legitimate service, which then prompts the victim for MFA. The Tycoon 2FA phishing page relays those inputs to the legitimate Microsoft authentication API and finally redirects the user to a legitimate URL showing a "not found" page.
Why This Matters
Many organizations neglect MFA entirely, leaving them vulnerable to potential breaches. In our research, 13% of the organizations did not implement MFA on any of their users. This absence of authentication protection can be exploited by unauthorized individuals to access sensitive data or resources. Implementing MFA effectively strengthens defenses against unauthorized access and SaaS attacks, making it the optimal solution against credential-stuffing attacks.
Combating MFA Bypassing with Automated SSPM
Automated SSPM solutions continuously verify MFA configurations and monitor for any signs of bypass attempts. By automating these checks, organizations can ensure that MFA is properly implemented and functioning effectively, thereby preventing sophisticated attacks that aim to bypass MFA protections. Automation ensures that MFA settings are always up-to-date and correctly applied across the organization. It's advisable to use multiple identification forms and multi-step login processes, such as multiple passwords and additional verification steps.
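The check an SSPM runs here is, at its core, an audit of who has MFA at all and whether the factor they have survives the relay technique described above. Only origin-bound factors (FIDO2/WebAuthn, passkeys, certificate-based authentication) resist an AiTM proxy, because the browser binds the assertion to the real site's origin; one-time codes, push approvals and SMS can all be relayed. The script below is an added example, not code from Wing Security or the report, covering both the phishing-resistant MFA recommendation in the credential-access section and the configuration verification here. The user inventory, role names, factor names and severity rules are constructed assumptions.

```python
"""MFA posture audit over a SaaS user inventory.
Added illustration: inventory shape, factor names and severity rules are
assumptions, not any identity provider's data model."""
from dataclasses import dataclass

# Factors that an AiTM relay cannot replay, because the assertion is bound to
# the legitimate origin. Everything else is relayable; SMS/voice are weakest.
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}
WEAK = {"sms", "voice"}


@dataclass
class User:
    email: str
    role: str            # "admin" or "member"
    mfa_methods: tuple   # enrolled factor names; empty if no MFA
    active: bool = True


# Constructed inventory (not real data).
INVENTORY = [
    User("alice@example.com", "admin", ("fido2",)),
    User("bob@example.com", "admin", ("totp", "sms")),
    User("carol@example.com", "member", ()),
    User("dave@example.com", "member", ("sms",)),
    User("erin@example.com", "member", ("passkey",)),
    User("frank@example.com", "member", (), active=False),
]


def classify(user):
    """Strength of a user's MFA enrollment against relay-style phishing."""
    methods = set(user.mfa_methods)
    if not methods:
        return "none"
    if methods <= PHISHING_RESISTANT:
        return "phishing_resistant"
    if methods & PHISHING_RESISTANT:
        return "downgradable"   # strong factor enrolled, but a relayable fallback remains
    if methods <= WEAK:
        return "weak"
    return "relayable"


def audit(inventory):
    """Coverage ratio plus (email, severity, reason) findings, worst first.
    Disabled accounts are excluded so they do not dilute the numbers."""
    active = [u for u in inventory if u.active]
    findings = []
    for u in active:
        cls = classify(u)
        if cls == "none":
            findings.append((u.email, "HIGH" if u.role == "admin" else "MEDIUM",
                             "no MFA enrolled"))
        elif u.role == "admin" and cls != "phishing_resistant":
            findings.append((u.email, "HIGH", f"admin with {cls} MFA only"))
        elif cls == "weak":
            findings.append((u.email, "LOW", "SMS/voice-only MFA"))
    covered = sum(1 for u in active if classify(u) != "none")
    order = ("HIGH", "MEDIUM", "LOW")
    return {
        "coverage": round(covered / len(active), 2) if active else 0.0,
        "findings": sorted(findings, key=lambda f: order.index(f[1])),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    print(f"MFA coverage: {report['coverage']:.0%}")
    for finding in report["findings"]:
        print(finding)
```

The "downgradable" class is the one most audits miss: a user who enrolled a security key but kept SMS as a fallback is still reachable through the fallback, so coverage numbers that count any enrolled factor as "has MFA" overstate resistance to the kind of tool described above.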
Threat Prediction 5: Interconnected Threats
Unauthorized Access Incident
On May 11, 2024, a financial technology firm experienced unauthorized access to its user space on a third-party SaaS code repository platform. The company quickly addressed the issue, emphasizing that no client information was stored on the repository. However, during their investigation, the firm discovered that a credential from their user space was stolen and used to access their production environment. This transition from the third-party SaaS platform to the company's infrastructure allowed the attacker to gain access to client data stored in the production environment.
Why This Matters
The rise in cross-domain attacks underscores the increasing sophistication of cyber threats, affecting on-prem, cloud, and SaaS environments alike. To understand this threat, we need to consider the perspective of threat actors who exploit any available opportunity to access a victim's assets, irrespective of the domain. While these domains are typically viewed as separate attack surfaces, attackers see them as interconnected components of a single target.
Combating Cross-Domain Attacks with Automated SSPM
SSPM tools provide a holistic view of an organization's security posture. By continuously monitoring and protecting the SaaS domain, threats can be limited and contained. Also, by automating threat detection and response, organizations can quickly isolate and mitigate threats.
The Importance of Speed and Efficiency in Combating SaaS Breaches
Automation in SaaS security is indispensable for organizations needing to enhance their security posture and effectively deal with security breaches. SSPM tools streamline critical functions such as threat detection and incident response, enabling security teams to operate with greater efficiency and scalability.
By automating routine tasks, organizations can proactively identify and mitigate security risks, ensuring faster and more effective responses to breaches. Harnessing the power of SSPM automation not only strengthens cyber defenses but also saves valuable time and resources, allowing organizations to address evolving cyber threats with increased precision and speed.