Top 5 Attacks in Commonly Used SaaS Apps

Adaptive Shield Team

Remember when cybersecurity was mostly about firewalls, VPNs, and antivirus software? Those days are long gone. Now one of the most prevalent places for exploitation has to do with misconfigurations found in an organization’s SaaS apps.

If you are in IT, you might have come across the following scenario: an admin of a business-critical SaaS app adds every user as an admin. Or they have used their admin privileges to turn off MFA because it’s too annoying and disrupts the workflow.

A recently published report found that 68% of enterprises consider cloud platform misconfigurations as the biggest threat to their cloud security. Another research from Cloud Security Alliance, 2021 State of Cloud Security, indicates that security misconfigurations are the main contributor for 22% of security incidents, second only to cloud provider issues (26%).

The list of possible misconfigurations, whether intentional or by mistake, can be endless. And unfortunately, these SaaS misconfigurations can lead to severe repercussions.

Lessons Learnt from Real-Life SaaS Misconfigurations

There are some exploited misconfigurations that are being used time and time again. Here are five examples from real-world attacks.

1.  Salesforce error grants users full ‘write’ access

In May 2019, Salesforce self-sabotaged its security parameters by breaching itself. A scheduled update on Salesforce’s development systems disrupted the access permissions settings, giving employees of the organizations using the platform full access to Salesforce’s data.

The error not only allowed external users access to view or read sensitive information but also to ‘write’ permissions.

Salesforce fixed the error in access security controls but at the same time, accidentally created one of the biggest outages in the company’s history to take down access to 100 cloud instances.

2. Attackers Target Citrix with Insecure Legacy Protocols

60% of Microsoft Office 365 and G Suite tenants have been targeted with IMAP-based password-spraying attacks, according to researchers. The attackers target the legacy and insecure IMAP protocol to bypass MFA settings and compromise cloud-based accounts providing access to SaaS apps. It’s reported that Citrix was one such target in an ironic twist as they specialize in federated architectures, yet the FBI suggested that the attackers gained a foothold with password spraying and then bypassed additional layers of security.

The use of legacy protocols such as POP or IMAP, make it difficult for system administrators to set up and activate MFA. “Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable, researchers say.

3. Jira authorization misconfiguration exposes Fortune 500 companies

Security researcher Avinash Jain found a single security misconfiguration in the JIRA collaboration tool that opened up many Fortune 500 companies as well as NASA to a potential leak of corporate data and personal information. This information disclosure was the result of an authorization misconfiguration in Jira’s Global Permissions settings.

When the filters and dashboards for the projects/issues are created in JIRA, then by default the visibility was set to “All users” and “Everyone” respectively. Instead of sharing roadmap tasks etc. internally, it shared them publicly.

4. Misconfigured Box Accounts Open a Slew of Pandora’s Boxes

In March 2019, several companies unwittingly exposed sensitive corporate and customer data when their employees shared public links to files in their Box enterprise storage accounts.

Although data stored in Box enterprise accounts are private by default, users can share files and folders with anyone — if this user role configuration is enabled. The public sharing allows the any employee in the company to make the company’s data publicly accessible with a single click.

Security firm Adversis found that others outside an enterprise network can also discover these links. According to Adversis, Box admins should have reconfigured the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

This misconfiguration allowed Box users to expose a multitude of private information like passport photos, bank account and Social Security numbers, passwords, employee lists, financial data, invoices, and receipts.

5. Thousands of Private Zoom Videos Exposed Online

There is a global setting in Zoom for the company to configure what happens when meetings are recorded. Can they be downloaded locally or only in the company’s protected cloud? Do they need a password or can they be saves without?

According to former NSA researcher Patrick Jackson, thousands of private Zoom recordings were exposed online when many recordings stored in Amazon Web Services (AWS) S3 buckets without passwords were found. The private videos ranged from elementary school remote classes, featuring the faces of students, to private therapy sessions, and business meetings including financial details.

The global setting to enforce password protection for recordings was critical in keeping these videos safer.

How to Avoid Falling Prey to SaaS Misconfigurations?

The absence of strong SaaS specific security measures allows attackers to take advantage — companies need deep visibility into their SaaS estate to monitor all settings, user permissions and configurations.

There are many solutions in cloud security, but the new category of SaaS Security Posture Management (SSPM), can assess a company’s SaaS security posture in a customized and automated manner that is tailored to the specifications of each application and aligns with company policy. And it’s not a one-time assessment; it is a continuous process that monitors and reinforces the company’s SaaS security.

The right SSPM solution, like Adaptive Shield, provides deep visibility and remediation for potential vulnerabilities in a company’s SaaS security posture, from misconfigurations and misappropriated privileges to suspicious SaaS usage. SSPMs are built to streamline and improve the security team’s efficiency, reducing their workload and stress while increasing protection for the company against any potential exposure or breach..

Now is the time to gauge your current SaaS security strength and to find out how to fortify your enterprise’s SaaS security posture.

This was first published in InfoSecurity Magazine on May 20, 2021.

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.