The 300% surge in Software as a Service (SaaS) breaches in the 12-month period from September 2023 has raised concerns about the effectiveness of traditional security measures in preventing such attacks. According to a recent report by Obsidian Security, cybercriminal groups and nation-state actors are increasingly targeting SaaS platforms to steal sensitive data. This trend is concerning because organizations now rely heavily on SaaS applications for critical operations, which makes them vulnerable to various cyber threats.
These breaches are driven by motives such as financial gain, espionage, and strategic disruption. One notable incident involved cybercriminals compromising the cloud data warehousing platform Snowflake, impacting over 160 companies, including telecoms giant AT&T, and resulting in a $2.5 million extortion campaign. The healthcare sector, state and local government, and financial services were among the sectors most affected by SaaS breaches during this period.
The report highlighted the failure of traditional security measures to prevent SaaS attacks, even in organizations with robust security protocols. The shift towards using SaaS for data storage has made SaaS accounts a critical target for threat actors. The interconnected nature of SaaS platforms allows attackers to easily move across multiple applications with a single compromised identity.
In the Snowflake incident, the lack of multi-factor authentication (MFA) allowed attackers to gain access using credentials stolen in a previous campaign. The report revealed that 85% of SaaS breaches began with a compromised identity, with adversary-in-the-middle (AiTM) attacks accounting for 39% of incidents. Other credential compromise techniques, such as self-service password reset, single-factor password guessing, and push fatigue, were also commonly used by attackers.
Interestingly, MFA proved ineffective in 84% of the incidents analyzed, with weak implementation and bypass techniques like AiTM cited as contributing factors. Traditional security tools designed for on-premises systems struggle to protect the complex web of SaaS applications, identities, and integrations, making organizations vulnerable to such attacks.
The report also highlighted how quickly SaaS breaches unfold: in one case, attackers took just nine minutes to access and exfiltrate data. This speed and efficiency enable attackers to bypass network defenses and directly target sensitive data, making it crucial for organizations to enhance their security measures.
Looking ahead, the researchers at Obsidian Security anticipate a continued rise in SaaS platform targeting in 2025. To mitigate these attacks effectively, they recommend strategies such as gaining a comprehensive view of all SaaS applications, implementing least-privilege access controls, and establishing ongoing monitoring for SaaS environments. By proactively addressing vulnerabilities and threats in SaaS platforms, organizations can enhance their security posture and protect against evolving cyber threats.
Overall, the increase in SaaS breaches underscores the need for organizations to adapt and strengthen their security measures to defend against sophisticated cyber threats targeting SaaS platforms.