
It's Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud?

There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked.

Many of these attacks can be traced back to two things – compromised credentials or misconfigurations – which simply aren’t as exciting as salacious dirt on the rich and famous or an AI-created voicemail phishing attack. Although they are often overlooked, they are not any less harmful than the other more well-discussed attack vectors, as evidenced by the Capital One data breach. More attention should be dedicated to strange login times and locations so that cloud and SaaS account compromises do not result in company-wide damage. 

As we embrace the new norm of working from home, the dependence on services in the Cloud for collaboration and information sharing has increased drastically. Employees are storing sensitive files in locations and services we had not considered as recently as a few months ago. New regulations and guidance will likely be drafted to ensure the safe management and handling of certain types of data. The increased usage of these new technologies will almost certainly mean an increase or shift in threat vectors used by attackers.

Throughout my career, I have seen adversaries target organizations in a number of creative and novel ways. Although cloud and SaaS campaigns don’t make headlines, security teams are already aware of the dangers these threats pose to their organizations. However, the initial unusual activity that may lead to greater harm tends to be ignored precisely because it happens so often.

Three examples that I’ve recently seen show the significance and consequences of these attacks. As you read through the following threat stories, you will notice that although the attacks all took on a different shape and the attackers had different goals, each one began with a single anomalous action that may have easily gone unnoticed.

1. Phishing and SaaS Attacks Collide 

A recent SaaS threat began simply with an unusual login: both the time and the location of the login were abnormal for the business and for the employee. An employee’s credentials were used to access their Microsoft Office 365 account from Bulgaria, far from the user’s normal login location in the United States. On its own, the unusual login location was a low-level anomaly and not necessarily indicative of malicious activity, since employees do travel. Because it was accompanied by an unusual login time, however, the combination triggered a deeper analysis from my team. Once inside, the attacker searched for payment information and credit card details, most likely intending to redirect payroll to their own bank account. In this instance, a successful spear-phishing attack led to a SaaS compromise, which could have initiated a larger data breach or given the attacker a foothold from which to take control of the entire network.

2. Data Dump Leads to Compromise 

Another recent SaaS threat started in a similar way: the unusual behavior began with a suspicious login time and place. In this example, however, the attacker did not seem financially motivated, or motivated by anything specific at all. The unauthorized user was able to hijack an employee’s Box account and sift through private company information until they found something of interest: a password sheet containing unencrypted passwords. Had they been able to download the document before being caught, they could have used those passwords to work their way through many other Box accounts until they found more sensitive information, such as financial details or intellectual property.

Unlike the first threat story I shared, there were no indicators during this incident that the attacker used a spear-phishing email, so there was no evidence of how the attacker obtained the employee’s password or gained access to the Box account. In this case, the attacker presumably found or purchased the user’s credentials online. Given how frequently large dumps of usernames and passwords appear on the Dark Web after data breaches, attackers don’t need to launch successful phishing attacks to compromise credentials; they can instead leverage passwords purchased on the Dark Web to access corporate SaaS accounts. These past breaches in turn breed more successful attacks.

3. Misconfiguration Mishap

In addition to compromised credentials, another common problem behind many cloud-based threats is misconfiguration. A recent example occurred when a financial services organization was configuring its cloud controls. The DevOps team left one server exposed to the Internet when it was meant to be behind a firewall. This could have been because they were rushing, because they were new to the configuration process, or because they were unfamiliar with this specific cloud infrastructure. The misconfiguration went unnoticed by the security team, and the exposed server was discovered by cyber-criminals scanning the Internet. The number of incoming connection attempts to this server from a wide range of rare external sources alerted our team to this highly unusual and suspicious activity.
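The signal described above, an internal host suddenly receiving connection attempts from many external sources the organization has never seen before, is simple to compute from connection records. The following is an added illustration, not Darktrace's or the author's code: the flow records, the internal address range, the "known external" set and the thresholds are all constructed assumptions for this example.

```python
"""Fan-in detection for an accidentally exposed internal host.

Added example (not from the original article). For each internal destination
it counts distinct external sources in a window and how many of them are
'rare' (never seen by the organisation before). A host that is meant to sit
behind a firewall should not be receiving connections from many rare sources.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The organisation's own address range (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
MIN_DISTINCT_SOURCES = 5    # fan-in threshold within the observation window
MIN_RARE_FRACTION = 0.8     # share of sources that have never been seen before

# Constructed connection records: (timestamp, source IP, destination IP, dst port).
# External addresses use the TEST-NET documentation ranges; all values are made up.
FLOWS = [
    ("2020-04-01T02:00:05Z", "10.0.1.20", "10.0.1.5", 443),        # internal to internal
    ("2020-04-01T02:00:30Z", "203.0.113.7", "10.0.1.5", 443),      # known partner, web app
    ("2020-04-01T02:01:10Z", "203.0.113.7", "10.0.2.14", 22),
    ("2020-04-01T02:01:12Z", "198.51.100.23", "10.0.2.14", 22),
    ("2020-04-01T02:01:19Z", "198.51.100.77", "10.0.2.14", 3389),
    ("2020-04-01T02:02:02Z", "192.0.2.9", "10.0.2.14", 445),
    ("2020-04-01T02:02:40Z", "192.0.2.150", "10.0.2.14", 22),
    ("2020-04-01T02:03:15Z", "203.0.113.44", "10.0.2.14", 8080),
    ("2020-04-01T02:04:01Z", "198.51.100.5", "10.0.2.14", 3389),
    ("2020-04-01T02:05:33Z", "192.0.2.33", "10.0.2.14", 22),
    ("2020-04-01T02:06:00Z", "198.51.100.23", "10.0.2.14", 445),   # repeat source
]

# External addresses the organisation regularly sees (constructed).
KNOWN_EXTERNAL = {"203.0.113.7"}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organisation's own ranges.
    Explicit membership is used rather than ipaddress.is_private, because the
    TEST-NET ranges used in the sample data are also 'private' by that test."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def profile_inbound(flows):
    """Per internal destination: the set of external sources and targeted ports."""
    per_host = defaultdict(lambda: {"sources": set(), "ports": set()})
    for _ts, src, dst, port in flows:
        if is_internal(dst) and not is_internal(src):
            per_host[dst]["sources"].add(src)
            per_host[dst]["ports"].add(port)
    return per_host


def find_exposed_hosts(flows, known_external):
    """Return hosts with high fan-in from mostly never-before-seen sources."""
    findings = []
    for host, info in profile_inbound(flows).items():
        sources = info["sources"]
        rare = {s for s in sources if s not in known_external}
        rare_fraction = len(rare) / len(sources)
        if len(sources) >= MIN_DISTINCT_SOURCES and rare_fraction >= MIN_RARE_FRACTION:
            findings.append({
                "host": host,
                "distinct_sources": len(sources),
                "rare_fraction": round(rare_fraction, 2),
                "ports": sorted(info["ports"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_hosts(FLOWS, KNOWN_EXTERNAL):
        print(f"{f['host']}: {f['distinct_sources']} external sources, "
              f"{f['rare_fraction']:.0%} never seen before, ports {f['ports']}")
```

Only `10.0.2.14` is reported: eight distinct external sources, seven of them unknown, probing administrative ports. The web server at `10.0.1.5` receives a single known partner connection and is not flagged, which is the distinction the analysts in the story relied on.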

What all three of these threats have in common is that each began with a single unusual login. They were also detected early enough for the businesses to take action before damage was done. The analysts noticed the initial unusual login because the security tools in place were looking for unusual behavior, such as a strange login location and time, rather than relying on rules and signatures or pre-defining ‘bad.’ While unusual logins happen quite frequently and for various reasons, the technology in place and the analysts leveraging it continued to closely monitor activity connected to the devices and users in question. They quickly saw continued anomalous activity, indicating these were not just unusual logins but potentially serious emerging incidents.
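The approach described in the first threat story and summarized above, learning each user's ‘normal’ and treating a single deviation as low-level noise but two independent deviations as grounds for escalation, can be sketched in a few dozen lines. The following is an added example and not Darktrace's or the author's code; the sign-in records, field layout, tolerance values and user names are constructed assumptions.

```python
"""Baseline-versus-anomaly scoring for SaaS sign-in events.

Added example (not from the original article). A user's normal is learned
from their own sign-in history; each new event is then scored on two
independent dimensions, source country and hour of day. One deviation is a
low-level anomaly (travel, a late night); both together escalate for review.
"""
from collections import Counter, defaultdict
from datetime import datetime

HOUR_TOLERANCE = 2          # hours of slack around the user's observed login hours
MIN_COUNTRY_SHARE = 0.05    # a country seen in <5% of a user's logins is 'unusual'

# Constructed sign-in history: (user, UTC timestamp, source country).
# 'alice' normally signs in from the US during US business hours (13:00-22:00 UTC).
HISTORY = [
    ("alice", "2020-03-02T14:05:00Z", "US"),
    ("alice", "2020-03-02T17:40:00Z", "US"),
    ("alice", "2020-03-03T13:15:00Z", "US"),
    ("alice", "2020-03-03T21:50:00Z", "US"),
    ("alice", "2020-03-04T15:30:00Z", "US"),
    ("alice", "2020-03-05T14:20:00Z", "US"),
    ("alice", "2020-03-06T16:45:00Z", "US"),
    ("alice", "2020-03-06T20:10:00Z", "US"),
    ("alice", "2020-03-09T14:00:00Z", "US"),
    ("alice", "2020-03-10T18:30:00Z", "US"),
]

# Constructed new events to triage against that baseline.
NEW_EVENTS = [
    ("alice", "2020-03-11T15:00:00Z", "US"),   # business as usual
    ("alice", "2020-03-11T16:00:00Z", "CA"),   # new country, normal hour: low-level
    ("alice", "2020-03-12T03:20:00Z", "BG"),   # new country AND 03:20 UTC: escalate
]


def hour_of(ts: str) -> int:
    """UTC hour of an ISO-8601 'Z' timestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour


def build_baselines(history):
    """Per-user counts of source countries and of login hours."""
    countries, hours = defaultdict(Counter), defaultdict(Counter)
    for user, ts, country in history:
        countries[user][country] += 1
        hours[user][hour_of(ts)] += 1
    return countries, hours


def circular_hour_gap(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(event, countries, hours):
    """Return (level, reasons): 0 = normal, 1 = low-level anomaly, 2 = escalate."""
    user, ts, country = event
    reasons = []
    seen = countries[user]
    total = sum(seen.values())
    # Location: unseen or very rare country for this user.
    if total == 0 or seen[country] / total < MIN_COUNTRY_SHARE:
        reasons.append(f"unusual location {country}")
    # Time: no observed login hour within the tolerance window.
    h = hour_of(ts)
    known = hours[user]
    if not known or min(circular_hour_gap(h, k) for k in known) > HOUR_TOLERANCE:
        reasons.append(f"unusual hour {h:02d}:00 UTC")
    return len(reasons), reasons


def triage(history, events):
    """Score each new event against baselines built from the history."""
    countries, hours = build_baselines(history)
    return [(u, ts, *score_event((u, ts, c), countries, hours)) for u, ts, c in events]


if __name__ == "__main__":
    for user, ts, level, reasons in triage(HISTORY, NEW_EVENTS):
        label = ["normal", "low-level anomaly", "ESCALATE"][level]
        print(f"{ts} {user:6s} {label:18s} {'; '.join(reasons)}")
```

The third event reproduces the shape of the first story: a login from a country the user has never used, at an hour the user has never been active, scores 2 and is escalated, while the Canadian login during normal hours stays a low-level anomaly that analysts would watch rather than act on. Because the baseline is built from the user's own history, no signature or pre-defined list of ‘bad’ countries or hours is involved.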

Weather the Storm

While not all attacks will start with an unusual login, unusual logins cannot be overlooked. In addition to focusing on these and other unusual activities, businesses’ approach to cloud and SaaS security must include a few additional key elements to ensure attackers are unable to access private company information or profit at a business’s expense.

Multi-factor authentication can help ensure that stolen credentials alone are not enough for an unauthorized user to log in. Reusing the same password across services is also dangerous: passwords that were bought and sold on the Dark Web after a breach years ago can lead to present-day threats. Equally as important as protecting user logins is ensuring proper configuration. Given the rapid transition to work from home during the pandemic and the pressure on IT teams to get systems up and running, misconfigurations may have been more likely. When misconfigurations occur, attackers are waiting in the wings to take advantage.

The rising reliance on cloud and SaaS has almost undoubtedly led to a rise in interest from attackers, who are reevaluating these technologies as threat vectors that can give them access to confidential information or an inroad into companies’ infrastructure. While we have yet to see a major cloud or SaaS attack make headlines since the pandemic began, when it comes to cyber-attacks it is “not a matter of if, but when.” Businesses can avoid finding themselves featured in the headlines, and more critically keep their data and processes secure, by emphasizing visibility and early threat detection, and by focusing on understanding ‘normal’ activity rather than pre-defining ‘bad.’

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.