Ransomware Through SaaS: The New Frontier

Maor Bin
CEO & Co-Founder

It might sound dramatic to call ransomware a “scourge on business,” but the reality is that more companies are impacted every day. Some of these attacks hit the news cycle, but many don’t. As you look to protect yourself against the ever-burgeoning threat landscape, securing your Software-as-a-Service (SaaS) application stack is more important than ever. 

The SaaS Ransomware Attack Vector

You love your SaaS apps. They enable your business to support collaboration and offer better customer experiences. Unfortunately, threat actors love your SaaS apps just as much. 

SaaS applications transmit and store a lot of sensitive data. Whether it’s your enterprise resource planning (ERP) or customer relationship management (CRM) solution or your organization's user directory and collaboration workspace, you’re putting a lot of sensitive information in the cloud.

And threat actors know this. 

Most of the successful attacks on cloud services stem from misconfiguration, mismanagement and mistakes. Despite robust native controls, the configuration vulnerabilities are up to the company’s security team to monitor and protect. (I recount some of the top misconfiguration events where one seemingly innocuous configuration exposed the organization to massive repercussions here.)   

In this blog, I’m going to take you through a SaaS ransomware attack and discuss the 3 steps to protect yourself from being a victim.

Anatomy of an attack

When threat actors decide to target your SaaS applications, they can use more basic to the more sophisticated methods. Similar to what Kevin Mitnick in his RansomCloud video, a traditional line of a business email account attack through a SaaS application follows this pattern:

  • Cybercriminal sends an OAuth application phishing email
  • User clicks on the link 
  • User signs into their account
  • Application requests the user to allow access to read email and other functionalities
  • User clicks “accept”
  • This creates an OAuth token which is sent directly to the cybercriminal
  • The OAuth token gives the cybercriminal control over the cloud-based email or drive, etc. (based on the scopes of what access was given.)
  • Cybercriminal uses OAuth to access email or drive, etc. and encrypt it
  • The next time the user signs into their email or drive etc., they will find their info encrypted. The ransomware attack has deployed.
  • The user receives a message that their email has been encrypted and they need to pay to retrieve access. 

screenshot taken from Kevin Mitnick's SaaS ransomware attack presentation

This is a specific type of attack through SaaS, however, other malicious attacks through OAuth applications can occur in an organization’s environment. 

3 Steps to Mind the SaaS Security Gap

With the multitude of SaaS apps global settings compounded by the amount of users and permissions for each app, it is near impossible to run manual, continuous monitoring and security checks for each and every SaaS in use. To further complicate matters, SaaS owners often do not sit within the security team but in the departments that most utilize the SaaS. This creates a situation where the security team has no visibility or control over the organization’s SaaS estate, leaving the playing field open for infiltration.

1. Monitor for Misconfigurations

The first step to securing your SaaS ecosystem is to look for and remediate any misconfigurations that increase your risk of being the victim of a ransomware attack. 

Many organizations don’t regularly review their SaaS configurations. For example, according to our 2021 SaaS Security Survey Report, while most companies are worried about their SaaS application security configurations, less than one third of companies consistently check them. 

Among the types of misconfigurations, you should review regularly are: 

  • Default configurations - are the default settings adjusted to your policies?
  • Sharing and collaboration settings - who can access or view company information?
  • Multi-channel access - are all the devices with access secure?
  • Credential management - who has permissions for what?

(For more in depth information on important configurations to monitor, check out this blog.) 

Another important aspect in misconfiguration monitoring is the dispersal of SaaS responsibility. One of the biggest challenges companies face when trying to secure their SaaS landscape is that the people in charge of security aren’t part of the security team. 

According to our 2021 SaaS Security Survey Report, 52% of organizations delegate security setting management to the SaaS application owner. These owners sit outside the security department’s day-to-day activities, meaning that the security team may not know what’s going on. 

Your security team should have a single location where everyone can collaborate and maintain governance of the entire SaaS estate. Not only for compliance purposes, but to ensure complete observability and protection for the company’s SaaS security posture. 

2. Move from Visibility to Observability

Just because you can see something, doesn’t mean you’re really observing it. If you’ve ever stepped on a LEGO brick left on the floor, you know that someone saw it. However, no one observed it, meaning no one considered that painful middle-of-the-night walk to get a glass of water.

The same is true with SaaS misconfigurations.  Even with the best dashboards, seeing doesn’t equate to  deeply observing and correlating data. You need to really observe the potential security gaps in your SaaS landscape so that you can take meaningful, purposeful action. 

3. Prioritize and Automate Remediation

Your team is in a race against cybercriminals, and you want to win - or at least limit the potential damage. The best way to prevent misconfigurations from leading to a ransomware attack vector is to identify and prioritize your remediation strategies. 

While all misconfigurations can be a security weakness, not all are the same level of risk. Some of the highest priority remediation configurations to look to correct are:

  • User’s consent to access: non-admin users can approve third-party apps to access data such as user profiles
  • Application registration by users: allow user to register
  • Application inventory: monitor scopes that have write access 

(You can read up on other easily missed configurations in this blog.) 

With the right automation, protecting yourself against these high-risk vulnerabilities doesn’t need to be burdensome. 

Final Thoughts

Ransomware isn’t going anywhere. Even more stressful, cybercriminals work together and have a collective set of resources for trying to find new ways to exploit vulnerabilities. 

With Adaptive Shield’s SaaS Security Posture Management (SSPM) platform, you can identify misconfigurations before they allow an attack, and automate the prioritization and remediation processes to prevent any misconfiguration issues. 

Back to Resources

Start Making the Most of Your SaaS Security

See it in action

Ransomware Through SaaS: The New Frontier

It might sound dramatic to call ransomware a “scourge on business,” but the reality is that more companies are impacted every day. Some of these attacks hit the news cycle, but many don’t. As you look to protect yourself against the ever-burgeoning threat landscape, securing your Software-as-a-Service (SaaS) application stack is more important than ever. 

The SaaS Ransomware Attack Vector

You love your SaaS apps. They enable your business to support collaboration and offer better customer experiences. Unfortunately, threat actors love your SaaS apps just as much. 

SaaS applications transmit and store a lot of sensitive data. Whether it’s your enterprise resource planning (ERP) or customer relationship management (CRM) solution or your organization's user directory and collaboration workspace, you’re putting a lot of sensitive information in the cloud.

And threat actors know this. 

Most of the successful attacks on cloud services stem from misconfiguration, mismanagement and mistakes. Despite robust native controls, the configuration vulnerabilities are up to the company’s security team to monitor and protect. (I recount some of the top misconfiguration events where one seemingly innocuous configuration exposed the organization to massive repercussions here.)   

In this blog, I’m going to take you through a SaaS ransomware attack and discuss the 3 steps to protect yourself from being a victim.

Anatomy of an attack

When threat actors decide to target your SaaS applications, they can use more basic to the more sophisticated methods. Similar to what Kevin Mitnick in his RansomCloud video, a traditional line of a business email account attack through a SaaS application follows this pattern:

  • Cybercriminal sends an OAuth application phishing email
  • User clicks on the link 
  • User signs into their account
  • Application requests the user to allow access to read email and other functionalities
  • User clicks “accept”
  • This creates an OAuth token which is sent directly to the cybercriminal
  • The OAuth token gives the cybercriminal control over the cloud-based email or drive, etc. (based on the scopes of what access was given.)
  • Cybercriminal uses OAuth to access email or drive, etc. and encrypt it
  • The next time the user signs into their email or drive etc., they will find their info encrypted. The ransomware attack has deployed.
  • The user receives a message that their email has been encrypted and they need to pay to retrieve access. 

screenshot taken from Kevin Mitnick's SaaS ransomware attack presentation

This is a specific type of attack through SaaS, however, other malicious attacks through OAuth applications can occur in an organization’s environment. 

3 Steps to Mind the SaaS Security Gap

With the multitude of SaaS apps global settings compounded by the amount of users and permissions for each app, it is near impossible to run manual, continuous monitoring and security checks for each and every SaaS in use. To further complicate matters, SaaS owners often do not sit within the security team but in the departments that most utilize the SaaS. This creates a situation where the security team has no visibility or control over the organization’s SaaS estate, leaving the playing field open for infiltration.

1. Monitor for Misconfigurations

The first step to securing your SaaS ecosystem is to look for and remediate any misconfigurations that increase your risk of being the victim of a ransomware attack. 

Many organizations don’t regularly review their SaaS configurations. For example, according to our 2021 SaaS Security Survey Report, while most companies are worried about their SaaS application security configurations, less than one third of companies consistently check them. 

Among the types of misconfigurations, you should review regularly are: 

  • Default configurations - are the default settings adjusted to your policies?
  • Sharing and collaboration settings - who can access or view company information?
  • Multi-channel access - are all the devices with access secure?
  • Credential management - who has permissions for what?

(For more in depth information on important configurations to monitor, check out this blog.) 

Another important aspect in misconfiguration monitoring is the dispersal of SaaS responsibility. One of the biggest challenges companies face when trying to secure their SaaS landscape is that the people in charge of security aren’t part of the security team. 

According to our 2021 SaaS Security Survey Report, 52% of organizations delegate security setting management to the SaaS application owner. These owners sit outside the security department’s day-to-day activities, meaning that the security team may not know what’s going on. 

Your security team should have a single location where everyone can collaborate and maintain governance of the entire SaaS estate. Not only for compliance purposes, but to ensure complete observability and protection for the company’s SaaS security posture. 

2. Move from Visibility to Observability

Just because you can see something, doesn’t mean you’re really observing it. If you’ve ever stepped on a LEGO brick left on the floor, you know that someone saw it. However, no one observed it, meaning no one considered that painful middle-of-the-night walk to get a glass of water.

The same is true with SaaS misconfigurations.  Even with the best dashboards, seeing doesn’t equate to  deeply observing and correlating data. You need to really observe the potential security gaps in your SaaS landscape so that you can take meaningful, purposeful action. 

3. Prioritize and Automate Remediation

Your team is in a race against cybercriminals, and you want to win - or at least limit the potential damage. The best way to prevent misconfigurations from leading to a ransomware attack vector is to identify and prioritize your remediation strategies. 

While all misconfigurations can be a security weakness, not all are the same level of risk. Some of the highest priority remediation configurations to look to correct are:

  • User’s consent to access: non-admin users can approve third-party apps to access data such as user profiles
  • Application registration by users: allow user to register
  • Application inventory: monitor scopes that have write access 

(You can read up on other easily missed configurations in this blog.) 

With the right automation, protecting yourself against these high-risk vulnerabilities doesn’t need to be burdensome. 

Final Thoughts

Ransomware isn’t going anywhere. Even more stressful, cybercriminals work together and have a collective set of resources for trying to find new ways to exploit vulnerabilities. 

With Adaptive Shield’s SaaS Security Posture Management (SSPM) platform, you can identify misconfigurations before they allow an attack, and automate the prioritization and remediation processes to prevent any misconfiguration issues. 

Get started today!

Start Making the Most of Your SaaS Security

See it in action