LAS VEGAS — BLACK HAT USA 2024 — AppOmni analyzed 230 billion SaaS audit log events from its own telemetry to examine the behavior of bad actors that gain access to SaaS apps.
AppOmni’s researchers analyzed the entire dataset, drawn from more than 20 different SaaS platforms, looking for alert sequences that would be less apparent to an organization able to examine only a single platform’s logs. They used, for example, simple Markov chains to connect the alerts associated with each of the 300,000 unique IP addresses in the dataset and so surface anomalous IPs.
Perhaps the biggest single revelation from the analysis is that the full chain of MITRE ATT&CK tactics is barely relevant – or at least heavily abbreviated – for most SaaS security incidents. Many attacks are simple smash-and-grab incursions. “They log in, download stuff, and are gone,” explained Brandon Levene, principal product manager at AppOmni. “Takes at most 30 minutes to an hour.”
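The Markov-chain step above is only sketched in the article. The following is an added illustration, not AppOmni’s code, of the idea: fit first-order transition probabilities over every IP’s ordered chain of alerts, then score each IP by how surprising its own chain is under that model. The alert names, IP addresses and the add-one smoothing are assumptions made for the example; the events are constructed, not real telemetry.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

START, END = "<START>", "<END>"

# Constructed sample events: (timestamp, source_ip, alert). These stand in for
# alerts raised across several SaaS platforms and are not AppOmni telemetry.
# Eight IPs: four follow one routine (login, list, download), three another
# (failed login, login, list), and one runs a pattern no other IP shows.
EVENTS = [
    (1, "10.0.0.1", "login_success"), (2, "10.0.0.1", "list_files"), (3, "10.0.0.1", "download_file"),
    (4, "10.0.0.2", "login_success"), (5, "10.0.0.2", "list_files"), (6, "10.0.0.2", "download_file"),
    (7, "10.0.0.3", "login_success"), (8, "10.0.0.3", "list_files"), (9, "10.0.0.3", "download_file"),
    (10, "10.0.0.4", "login_success"), (11, "10.0.0.4", "list_files"), (12, "10.0.0.4", "download_file"),
    (13, "10.0.0.5", "login_failed"), (14, "10.0.0.5", "login_success"), (15, "10.0.0.5", "list_files"),
    (16, "10.0.0.6", "login_failed"), (17, "10.0.0.6", "login_success"), (18, "10.0.0.6", "list_files"),
    (19, "10.0.0.7", "login_failed"), (20, "10.0.0.7", "login_success"), (21, "10.0.0.7", "list_files"),
    (22, "203.0.113.7", "login_success"), (23, "203.0.113.7", "bulk_export"),
    (24, "203.0.113.7", "bulk_export"), (25, "203.0.113.7", "mailbox_forward_rule_created"),
]


def sequences_by_ip(events):
    """Group alerts by source IP, ordered by time, so each IP yields one chain of states."""
    by_ip = defaultdict(list)
    for _ts, ip, alert in sorted(events):
        by_ip[ip].append(alert)
    return dict(by_ip)


def train_transitions(sequences):
    """Count first-order transitions (with START/END markers) over every IP's chain."""
    bigrams, unigrams = Counter(), Counter()
    for seq in sequences.values():
        chain = [START] + seq + [END]
        for a, b in zip(chain, chain[1:]):
            bigrams[(a, b)] += 1
            unigrams[a] += 1
    return bigrams, unigrams


def sequence_score(seq, bigrams, unigrams, n_states):
    """Average negative log-probability per transition (higher = more surprising).
    Add-one smoothing keeps never-seen transitions finite instead of -log(0)."""
    chain = [START] + seq + [END]
    nll = 0.0
    for a, b in zip(chain, chain[1:]):
        p = (bigrams[(a, b)] + 1) / (unigrams[a] + n_states)
        nll -= math.log(p)
    return nll / (len(chain) - 1)


def rank_ips(events):
    """Score every IP against the chain model fitted on all IPs; most surprising first."""
    sequences = sequences_by_ip(events)
    bigrams, unigrams = train_transitions(sequences)
    n_states = len({alert for seq in sequences.values() for alert in seq}) + 1  # alerts + END
    scored = [(ip, sequence_score(seq, bigrams, unigrams, n_states)) for ip, seq in sequences.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def anomalous_ips(events, z=1.0):
    """IPs whose surprise score sits more than z standard deviations above the mean."""
    ranked = rank_ips(events)
    scores = [score for _, score in ranked]
    threshold = mean(scores) + z * pstdev(scores)
    return [ip for ip, score in ranked if score > threshold]


if __name__ == "__main__":
    for ip, score in rank_ips(EVENTS):
        print(f"{ip:14} {score:.3f}")
    print("anomalous:", anomalous_ips(EVENTS))
```

Averaging per transition keeps a long but routine chain from outscoring a short, unusual one, and the model is fitted across all IPs, which is what makes a sequence that no other IP exhibits stand out even when each individual alert in it is common.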
There is no need for the attacker to establish persistence, or communication with a C&C, or even engage in the traditional form of lateral movement. They come, they steal, and they go. The basis for this approach is the growing use of legitimate credentials to gain access, followed by use, or perhaps misuse, of the application’s default behaviors.
Once in, the attacker simply grabs whatever files are within reach and exfiltrates them to a different cloud service. “We’re also seeing a lot of direct downloads as well. We see email forwarding rules get set up, or email exfiltration by several threat actors or threat actor clusters that we’ve identified,” he said.
“Most SaaS apps,” continued Levene, “are basically web apps with a database behind them. Salesforce is a CRM. Think also of Google Workspace. Once you’re logged in, you can click and download an entire folder or an entire drive as a zip file.” It is only exfiltration if the intent is bad – but the app doesn’t understand intent and assumes anybody legitimately logged in is non-malicious.
This form of smash-and-grab raiding is made possible by the criminals’ ready access to legitimate credentials for entry, and it dictates the most common form of loss: indiscriminate bulk downloads of whatever files the account can reach.
Threat actors are simply buying credentials from infostealer operators or phishing providers, who harvest the credentials and sell them onward. There are also a lot of credential stuffing and password spraying attacks against SaaS apps. “Most of the time, threat actors are trying to enter through the front door, and this is extremely effective,” said Levene. “It’s very high ROI.”
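The front-door pattern described above (spraying or stuffing credentials, then a short session of bulk download and a mailbox forwarding rule) is simple enough to express as two detection rules over audit events. The following is an added example, not AppOmni’s detection logic and not any platform’s real schema: the JSON log shape, field names, thresholds, the `corp.example` organization domain and all addresses are assumptions constructed for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SaaS audit log lines in a simplified JSON shape (not a real
# platform's schema and not AppOmni telemetry). Timestamps are UTC.
# First block: one IP fails against five accounts, succeeds on a sixth, then
# pulls 2 GiB and adds an external forwarding rule, all inside six minutes.
# Second block: a normal user from an internal IP with small downloads and an
# internal forwarding rule, which must not be flagged.
RAW_LOG = """
{"ts": "2024-08-07T01:00:00Z", "ip": "198.51.100.9", "user": "alice@corp.example", "action": "login_failed"}
{"ts": "2024-08-07T01:00:05Z", "ip": "198.51.100.9", "user": "bob@corp.example", "action": "login_failed"}
{"ts": "2024-08-07T01:00:11Z", "ip": "198.51.100.9", "user": "carol@corp.example", "action": "login_failed"}
{"ts": "2024-08-07T01:00:17Z", "ip": "198.51.100.9", "user": "dave@corp.example", "action": "login_failed"}
{"ts": "2024-08-07T01:00:22Z", "ip": "198.51.100.9", "user": "erin@corp.example", "action": "login_failed"}
{"ts": "2024-08-07T01:00:30Z", "ip": "198.51.100.9", "user": "frank@corp.example", "action": "login_success"}
{"ts": "2024-08-07T01:04:10Z", "ip": "198.51.100.9", "user": "frank@corp.example", "action": "download", "bytes": 2147483648}
{"ts": "2024-08-07T01:06:00Z", "ip": "198.51.100.9", "user": "frank@corp.example", "action": "forwarding_rule_created", "target": "drop@mail.example.net"}
{"ts": "2024-08-07T09:00:00Z", "ip": "10.1.2.3", "user": "alice@corp.example", "action": "login_success"}
{"ts": "2024-08-07T09:15:00Z", "ip": "10.1.2.3", "user": "alice@corp.example", "action": "download", "bytes": 5242880}
{"ts": "2024-08-07T09:20:00Z", "ip": "10.1.2.3", "user": "alice@corp.example", "action": "forwarding_rule_created", "target": "alice.assistant@corp.example"}
{"ts": "2024-08-07T09:30:00Z", "ip": "10.1.2.3", "user": "alice@corp.example", "action": "login_failed"}
"""

ORG_DOMAIN = "corp.example"  # assumed organization mail domain


def parse_log(raw):
    """Parse JSON lines, convert timestamps, return events in time order."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One IP failing against many distinct accounts inside a sliding window.
    Returns {ip: sorted usernames tried} for each offending IP."""
    fails = defaultdict(list)  # ip -> [(ts, user)] in time order
    for e in events:
        if e["action"] == "login_failed":
            fails[e["ip"]].append((e["ts"], e["user"]))
    hits = {}
    for ip, items in fails.items():
        for i, (start, _) in enumerate(items):
            users = {u for ts, u in items[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_smash_and_grab(events, session=timedelta(hours=1), bulk_bytes=1 << 30):
    """A successful login followed, within one session window, by bulk download
    or a forwarding rule pointing outside the organization."""
    findings = []
    for login in (e for e in events if e["action"] == "login_success"):
        key = (login["ip"], login["user"])
        reasons, downloaded = [], 0
        for e in events:
            in_window = login["ts"] <= e["ts"] <= login["ts"] + session
            if (e["ip"], e["user"]) != key or not in_window:
                continue
            if e["action"] == "download":
                downloaded += e.get("bytes", 0)
            elif e["action"] == "forwarding_rule_created":
                target_domain = e.get("target", "").rsplit("@", 1)[-1]
                if target_domain != ORG_DOMAIN:
                    reasons.append(f"external forwarding rule to {e['target']}")
        if downloaded >= bulk_bytes:
            reasons.append(f"bulk download of {downloaded} bytes")
        if reasons:
            findings.append({"ip": key[0], "user": key[1], "login_ts": login["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    evts = parse_log(RAW_LOG)
    print("password spray:", detect_password_spray(evts))
    for f in detect_smash_and_grab(evts):
        print("smash-and-grab:", f["ip"], f["user"], f["login_ts"].isoformat(), f["reasons"])
```

The second rule deliberately keys on what the article says the attacker does after entry rather than on any malware or C&C indicator: because the session uses valid credentials, the login itself looks legitimate, and the only signals are volume, the forwarding target’s domain, and how quickly everything happens after authentication.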
Notably, the researchers have seen a substantial portion of such attacks against Microsoft 365 coming directly from two large autonomous systems: AS 4134 (China Net) and AS 4837 (China Unicom). Levene draws no specific conclusions from this, but merely comments, “It’s interesting to see outsized attempts to log into US organizations coming from two very large Chinese agents.”
Basically, it is just an extension of what’s been happening for years. “The same brute forcing attempts that we see against any web server or website on the internet now includes SaaS applications as well – which is a fairly new realization for most people.”
Smash-and-grab is, of course, not the only threat activity found in the AppOmni analysis. There are clusters of activity that are more specialized. One cluster is financially motivated. For another, the motivation is not clear, but the methodology is to use SaaS access for reconnaissance and then pivot into the customer’s network.
The question posed by all the threat activity discovered in the SaaS logs is simply how to prevent attacker success. AppOmni offers its own solution (if it can detect the activity, then in theory so can defenders); but beyond this the answer is to close the easy front-door access being used. It is unlikely that infostealers and phishing can be eliminated, so the focus should be on preventing stolen credentials from being effective.
That requires a full zero trust policy with effective MFA. The problem here is that many companies claim to have zero trust implemented, but few companies have effective zero trust. “Zero trust should be a complete overarching philosophy on how to treat security, not a mish mash of simple protocols that don’t solve the whole problem. And this must include SaaS apps,” said Levene.