Ransomware Through SaaS: The New Frontier

September 20, 2021

It might sound dramatic to call ransomware a “scourge on business,” but the reality is that more companies are impacted every day. Some of these attacks hit the news cycle, but many don’t. As you look to protect yourself against the ever-burgeoning threat landscape, securing your Software-as-a-Service (SaaS) application stack is more important than ever.

The SaaS Ransomware Attack Vector

You love your SaaS apps. They enable your business to support collaboration and offer better customer experiences. Unfortunately, threat actors love your SaaS apps just as much.

SaaS applications transmit and store a lot of sensitive data. Whether it’s your enterprise resource planning (ERP) or customer relationship management (CRM) solution or your organization's user directory and collaboration workspace, you’re putting a lot of sensitive information in the cloud.

And threat actors know this.

Most successful attacks on cloud services stem from misconfiguration, mismanagement and mistakes. Despite the robust native controls these platforms provide, monitoring and protecting against configuration vulnerabilities is up to the company’s security team. (I recount some of the top misconfiguration events, where one seemingly innocuous configuration exposed the organization to massive repercussions, here.)

In this blog, I’m going to take you through a SaaS ransomware attack and discuss the 3 steps to protect yourself from being a victim.

Anatomy of an attack

When threat actors target your SaaS applications, their methods range from the basic to the sophisticated. Similar to what Kevin Mitnick demonstrates in his RansomCloud video, a typical attack on a business email account through a SaaS application follows this pattern:

  • Cybercriminal sends an OAuth application phishing email
  • User clicks on the link
  • User signs into their account
  • Application requests the user to allow access to read email and other functionalities
  • User clicks “accept”
  • This creates an OAuth token, which is sent directly to the cybercriminal
  • The OAuth token gives the cybercriminal control over the cloud-based email, drive, etc. (based on the scopes of the access that was granted)
  • Cybercriminal uses the OAuth token to access the email, drive, etc. and encrypt it
  • The next time the user signs into their email, drive, etc., they will find their information encrypted. The ransomware attack has deployed.
  • The user receives a message that their email has been encrypted and they need to pay to retrieve access.
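To make the scope step concrete, here is an added example (not code from the original post or from Adaptive Shield) of the check a mail gateway or a security team could run on a consent link before a user reaches it: parse the OAuth 2.0 authorization request, compare the client_id against an allow-list of reviewed applications, and flag write-level and offline_access scopes. The URL, the client IDs and the risk table are constructed assumptions; the scope names follow the naming style used by Microsoft Graph, but the classification is this example's own, not a vendor list.

```python
"""Classify the permissions an OAuth consent request asks for.

Added example, not from the original post. The URL below is a constructed
sample shaped like an OAuth 2.0 authorization request; the client_id,
redirect_uri and scope names are illustrative only. The risk table is this
example's own assumption, not a vendor-published list.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample of the kind of link a consent-phishing mail carries.
SAMPLE_CONSENT_URL = (
    "https://login.example.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000abc"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fcallback"
    "&scope=openid%20profile%20Mail.ReadWrite%20Files.ReadWrite.All%20offline_access"
)

# Assumed risk model: scopes that let an app modify or fully read mail and
# files are what turn a consent grant into an encryption or exfiltration path.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Mail.Send", "Sites.ReadWrite.All"}
PERSISTENCE_SCOPES = {"offline_access"}  # refresh token: access outlives the session
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}
KNOWN_SCOPES = HIGH_RISK_SCOPES | PERSISTENCE_SCOPES | LOW_RISK_SCOPES

# Assumed tenant allow-list of registered, security-reviewed applications.
APPROVED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}


def parse_consent_request(url):
    """Return the client_id, redirect_uri and the list of requested scopes."""
    query = parse_qs(urlparse(url).query)
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": query.get("redirect_uri", [""])[0],
        "scopes": query.get("scope", [""])[0].split(),
    }


def assess_consent_request(url):
    """Grade a consent request; returns (verdict, findings).

    verdict is "block" for an unapproved app asking for write/full access,
    "review" when anything is worth a second look, "allow" otherwise.
    """
    req = parse_consent_request(url)
    findings = []
    approved = req["client_id"] in APPROVED_CLIENT_IDS
    if not approved:
        findings.append(f"unapproved client_id {req['client_id']}")
    high = sorted(s for s in req["scopes"] if s in HIGH_RISK_SCOPES)
    if high:
        findings.append("write/full-access scopes requested: " + ", ".join(high))
    if any(s in PERSISTENCE_SCOPES for s in req["scopes"]):
        findings.append("offline_access requested: token survives sign-out")
    unknown = sorted(s for s in req["scopes"] if s not in KNOWN_SCOPES)
    if unknown:
        findings.append("unclassified scopes (review manually): " + ", ".join(unknown))
    if high and not approved:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess_consent_request(SAMPLE_CONSENT_URL)
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

The design point is that "allow" requires both an approved application and only low-risk scopes; an approved app asking for write scopes, or any scope the table does not know, lands in "review" rather than passing silently.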

Screenshot taken from Kevin Mitnick's SaaS ransomware attack presentation

This is a specific type of attack through SaaS, however, other malicious attacks through OAuth applications can occur in an organization’s environment.

3 Steps to Mind the SaaS Security Gap

With the multitude of global settings across SaaS apps, compounded by the number of users and permissions in each app, it is near impossible to run manual, continuous monitoring and security checks for each and every SaaS application in use. To further complicate matters, SaaS owners often do not sit within the security team but in the departments that use the SaaS most. This creates a situation where the security team has no visibility or control over the organization’s SaaS estate, leaving the playing field open for infiltration.

1. Monitor for Misconfigurations

The first step to securing your SaaS ecosystem is to look for and remediate any misconfigurations that increase your risk of being the victim of a ransomware attack.

Many organizations don’t regularly review their SaaS configurations. For example, according to our 2021 SaaS Security Survey Report, while most companies are worried about their SaaS application security configurations, less than one third of companies consistently check them.

Among the types of misconfigurations you should review regularly are:

  • Default configurations - are the default settings adjusted to your policies?
  • Sharing and collaboration settings - who can access or view company information?
  • Multi-channel access - are all the devices with access secure?
  • Credential management - who has permissions for what?

(For more in depth information on important configurations to monitor, check out this blog.)

Another important aspect in misconfiguration monitoring is the dispersal of SaaS responsibility. One of the biggest challenges companies face when trying to secure their SaaS landscape is that the people in charge of security aren’t part of the security team.

According to our 2021 SaaS Security Survey Report, 52% of organizations delegate security setting management to the SaaS application owner. These owners sit outside the security department’s day-to-day activities, meaning that the security team may not know what’s going on.

Your security team should have a single location where everyone can collaborate and maintain governance of the entire SaaS estate, not only for compliance purposes but to ensure complete observability and protection of the company’s SaaS security posture.

2. Move from Visibility to Observability

Just because you can see something, doesn’t mean you’re really observing it. If you’ve ever stepped on a LEGO brick left on the floor, you know that someone saw it. However, no one observed it, meaning no one considered that painful middle-of-the-night walk to get a glass of water.

The same is true with SaaS misconfigurations. Even with the best dashboards, seeing doesn’t equate to deeply observing and correlating data. You need to really observe the potential security gaps in your SaaS landscape so that you can take meaningful, purposeful action.

3. Prioritize and Automate Remediation

Your team is in a race against cybercriminals, and you want to win - or at least limit the potential damage. The best way to prevent misconfigurations from leading to a ransomware attack vector is to identify and prioritize your remediation strategies.

While all misconfigurations can be a security weakness, not all are the same level of risk. Some of the highest priority remediation configurations to look to correct are:

  • User consent to access: non-admin users can approve third-party apps to access data such as user profiles
  • Application registration by users: users are allowed to register applications
  • Application inventory: monitor the scopes that have write access
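As an added example (not the post's or Adaptive Shield's code) covering all three priority items above together with the consent and registration settings from step 1, the following audit script checks a tenant's consent and app-registration settings against a hardened baseline, lists every grant consented by a non-admin user, every app registered by a non-admin user and every grant that carries write scopes, and then orders the applications for remediation. The settings dictionaries, grant records, user names and the "Write in the scope name" rule are constructed assumptions in a generic shape, not any vendor's real API fields.

```python
"""Audit a SaaS tenant's OAuth posture against the three priority controls.

Added example, not the post's or Adaptive Shield's code. The tenant
settings and grant records are constructed samples in a generic shape;
real platforms expose them through their admin APIs under their own field
names, which this example does not reproduce.
"""

# Constructed tenant-level settings. WEAK_SETTINGS is the permissive posture
# the post warns about; HARDENED_SETTINGS is the recommended state.
WEAK_SETTINGS = {
    "users_can_consent_to_apps": True,
    "users_can_register_apps": True,
}
HARDENED_SETTINGS = {
    "users_can_consent_to_apps": False,  # admin consent workflow only
    "users_can_register_apps": False,    # app registration by admins only
}

# Constructed consent-grant inventory: one record per application grant.
SAMPLE_GRANTS = [
    {"app": "Expense Sync", "registered_by": "alice", "consented_by": "alice",
     "consent_type": "user", "scopes": ["openid", "User.Read"]},
    {"app": "Mail Backup Pro", "registered_by": "bob", "consented_by": "bob",
     "consent_type": "user", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"app": "HR Connector", "registered_by": "it-admin", "consented_by": "it-admin",
     "consent_type": "admin", "scopes": ["Files.ReadWrite.All"]},
]
ADMINS = {"it-admin"}  # constructed set of admin accounts


def write_scopes(scopes):
    """Assumed rule: a scope grants write access if its name says Write or Send."""
    return [s for s in scopes if "Write" in s or s.endswith(".Send")]


def check_settings(settings):
    """Return the tenant settings that differ from the hardened baseline."""
    return {k: v for k, v in settings.items() if HARDENED_SETTINGS.get(k) != v}


def audit_grants(grants, admins):
    """Return (app, reason) findings for the three priority misconfigurations."""
    findings = []
    for g in grants:
        if g["consent_type"] == "user" and g["consented_by"] not in admins:
            findings.append((g["app"], "non-admin user consent"))
        if g["registered_by"] not in admins:
            findings.append((g["app"], "registered by non-admin user"))
        ws = write_scopes(g["scopes"])
        if ws:
            findings.append((g["app"], "write scopes: " + ", ".join(ws)))
    return findings


def prioritize(findings):
    """Order apps for remediation: write scopes weigh most, then user consent,
    then user registration, so a user-consented app with write access tops the list."""
    per_app = {}
    for app, reason in findings:
        per_app.setdefault(app, set()).add(reason.split(":")[0])

    def score(app):
        reasons = per_app[app]
        return (4 * ("write scopes" in reasons)
                + 2 * ("non-admin user consent" in reasons)
                + 1 * ("registered by non-admin user" in reasons))

    return sorted(per_app, key=score, reverse=True)


if __name__ == "__main__":
    print("settings to fix:", check_settings(WEAK_SETTINGS))
    findings = audit_grants(SAMPLE_GRANTS, ADMINS)
    for app in prioritize(findings):
        print(app, [r for a, r in findings if a == app])
```

Run on the constructed inventory, the user-consented app with a mail write scope is ranked first, the admin-consented app with a write scope second, and the app that only holds profile scopes last, which is the order a team would work through them.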

(You can read up on other easily missed configurations in this blog.)

With the right automation, protecting yourself against these high-risk vulnerabilities doesn’t need to be burdensome.

Final Thoughts

Ransomware isn’t going anywhere. Even more worrying, cybercriminals work together and pool their resources to find new ways to exploit vulnerabilities.

With Adaptive Shield’s SaaS Security Posture Management (SSPM) platform, you can identify misconfigurations before they allow an attack, and automate the prioritization and remediation processes to prevent any misconfiguration issues.

About the writer

Maor Bin
CEO & Co-Founder
A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh, and he is a globally-ranked chess player.