SaaS Attacks: Lessons from Real-Life Misconfiguration Exploits

Maor Bin, CEO & Co-Founder

It’s unfortunate, but true: SaaS attacks continue to increase. You can’t get around it, COVID-19 accelerated the already exploding SaaS market and caused industries not planning on making a switch to embrace SaaS.

With SaaS apps becoming the default system of record for organizations, it has left many struggling to secure their company’s SaaS estate. CISOs and security professionals work to limit this burgeoning threat landscape, however, it’s a work in progress.  

One slight misconfiguration or unsafeguarded user permission presents a possible attack vector. The thing is that most organizations now have hundreds of SaaS apps. This amounts to hundreds of global settings as well as thousands to tens of thousands of user roles and permissions to configure, monitor and consistently update. It’s no wonder there are so many exploitable misconfigurations with the sheer volume of settings and configurations.  

There’s a few notable exploited misconfigurations, from default built-in file sharing, and lack of password enforcement, albeit no password to multi-factor authentication (MFA), to the risks of legacy protocols and OAuth apps, that can bring a little clarity to understanding the complex landscape that is a company’s SaaS security posture.

Default authorization misconfiguration exposes NASA, among many others

Security researcher Avinash Jain found a single security misconfiguration in the JIRA collaboration tool that opened up many Fortune 500 companies as well as NASA to a potential leak of corporate data and personal information. This information disclosure was the result of an authorization misconfiguration in Jira’s Global Permissions settings.

When the filters and dashboards for the projects/issues are created in JIRA, then by default the visibility was set to “All users” and “Everyone” respectively. Instead of sharing roadmap tasks etc. internally, it shared them publicly.

Lesson 1: Check file sharing configurations in every SaaS to ensure confidential information is not shared publicly.

Attackers target Citrix with insecure legacy protocols

60% of Microsoft Office 365 and G Suite tenants have been targeted with IMAP-based password-spraying attacks, according to researchers. The attackers target the legacy and insecure IMAP protocol to bypass MFA settings and compromise cloud-based accounts providing access to SaaS apps. It’s reported that Citrix was one such target in an ironic twist as they specialize in federated architectures, yet the FBI suggested that the attackers gained a foothold with password spraying and then bypassed additional layers of security.

The use of legacy protocols such as POP or IMAP, make it difficult for system administrators to set up and activate MFA. “Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable, researchers assert.

Lesson 2: Ensure MFA is activated for all users in all apps, even for super admins.

OAuth enables consent phishing in O365

Also known as consent phishing, OAuth is highly interesting for bad actors as it is an extremely common, almost inherent action taken by users — and prone to implementation mistakes. Once victims click on the deceptive OAuth app, they allow installation of any number of malicious activities.  

Microsoft warns users to be on the lookout for deceptive OAuth apps to avoid malicious attacks, like many remote workers using O365 experienced in September and December of 2020.  

Lesson 3: Implement a security protocol to onboard new apps and  limit user permissions in all apps.

What can we do to prevent SaaS misconfigurations?

There is a way to protect users from deceptive OAuth apps, misconfigurations and misappropriated user permissions that doesn’t involve implementing each of these lessons one at a time (among  others). An emerging category named by Gartner, SaaS Security Posture Management (SSPM) refers to solutions that take an automated approach to tracking, and even remediating, the exploitable misconfigurations in organizations’ SaaS apps like Microsoft’s 365, Google Workspace (formerly Google Apps), Salesforce, Slack, Zoom, Box, Dropbox, among others.

“Over the years, the cybersecurity industry has tried to address these misconfigurations and vulnerabilities with varying degrees of success,” remarks Maor Bin, CEO of Adaptive Shield, the market-leading SSPM solution. “For example, Cloud Access Security Brokers (CASBs) are event-driven. When it comes to SaaS apps they are reactive, focusing on the detection of breaches once they have occurred. This doesn’t help in preventing the SaaS misconfiguration from causing the breach in the first place. There are also Cloud Security Posture Management tools (CSPM), yet they mostly address IaaS and PaaS security use cases. What’s needed are strong and effective controls dedicated to monitor and remediate SaaS misconfigurations.”

SSPM solutions, like Adaptive Shield, are built to help CISOs and security professionals handle the profound change to an expansive SaaS ecosystem and prevent misconfiguration vulnerabilities from leading to a leak or breach.

This was first published in Threatpost on April 29, 2021.

About the writer

Maor Bin, CEO & Co-Founder

A former cybersecurity intelligence officer in the IDF, Maor has over 20 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh and he is a globally-ranked chess player.