“SaaS Ransomware: A New Dimension of Cyber Threats as SharePoint Online Hit Without Compromised Endpoint”

SaaS Ransomware Attack Against SharePoint Online Exposes Security Vulnerabilities

A cybersecurity firm, Obsidian, has reported a successful ransomware attack against SharePoint Online (Microsoft 365) via a Microsoft Global SaaS admin account, rather than the more usual route of a compromised endpoint. According to the report, the victim employed the Obsidian product and research team to determine the finer points of the attack. In its blog account of the incident, Obsidian did not disclose the victim, but believes the attacker was the group known as 0mega. The attack involved only the theft of files rather than theft followed by encryption. After exfiltrating hundreds of files, the attacker uploaded thousands of PREVENT-LEAKAGE.txt files. These alerted the victim to the theft and provided a means of communicating with the attacker, that is, of negotiating a payment to avoid having the details published online.

The attack, which did not require compromised endpoints, shows how vulnerable SaaS security programs can be. Obsidian believes that in the coming days, attacks like this will become more common as companies invest fewer resources in SaaS security programs than in endpoint security products. The report recommends hardening SaaS controls, reining in excess privileges, revoking unsanctioned or high-risk integrations, and consolidating audit and activity logs to uncover patterns consistent with a breach, an insider threat, or a compromised third-party integration.

Philosophical Discussion

The report exposes the vulnerability of SaaS security programs and emphasizes the need for companies to invest more resources in SaaS controls. The advantages of SaaS will be undermined if companies do not invest in their security. By investing in SaaS, companies entrust regulated, confidential, and sensitive information to these applications, hence the need for solid security protocols that can withstand cyberattacks.

The use of MFA, preferably for all accounts but most especially for highly privileged accounts, is a practical step towards protecting SaaS applications from cyber threats. In addition, consolidating vendors and security products can strengthen the security posture of an organization by breaking down enterprise silos and enhancing threat detection.

Editorial

The lack of adequate SaaS security protocols has always been a concern, and companies should be vigilant about the danger of prolonged inattention to their security protocols. The report highlights the importance of investing in cybersecurity measures that cover all types of applications, from endpoint security products to SaaS, and consolidating security products instead of deploying new point products, which could have been the reason for the vulnerability in the first place.

Advice

SaaS security programs can be vulnerable, making it essential for companies to invest resources in their security protocols. To ensure a solid security stance, companies can adopt the following measures:

1. Protect against data theft as well as encryption; this attack involved only the theft of files.
2. Use MFA for all accounts and most especially for highly privileged accounts.
3. Consolidate vendors and security products instead of deploying new point products, which could make them more vulnerable.
4. Harden SaaS controls, revoke unsanctioned or high-risk integrations and rein in excess privileges.
5. Consolidate audit and activity logs and uncover patterns consistent with a breach, an insider threat, or a compromised third-party integration.
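
One way to act on the log advice for the pattern described above, a single account dropping the same note file across many SharePoint locations after a run of downloads. This is an added example, not code from Obsidian's report: the field names follow the Microsoft 365 unified audit log, while the sample records, the `tenant.example` accounts, the function names and the thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed audit records (not from the incident), one JSON object per line."""
    t0, site = datetime(2023, 1, 1, 2, 0, 0), "https://tenant.example/sites/hr"
    def rec(user, op, name, folder, ts):
        return json.dumps({"CreationTime": ts.isoformat(), "Workload": "SharePoint",
                           "Operation": op, "UserId": user, "SourceFileName": name,
                           "ObjectId": f"{site}/{folder}/{name}"})
    lines = [rec("admin@tenant.example", "FileDownloaded", f"doc{i}.xlsx", "payroll",
                 t0 + timedelta(minutes=i)) for i in range(8)]
    lines += [rec("admin@tenant.example", "FileUploaded", "PREVENT-LEAKAGE.txt", f"dir{i}",
                  t0 + timedelta(minutes=30, seconds=5 * i)) for i in range(6)]
    lines += [rec("bob@tenant.example", "FileUploaded", "report.docx", f"team{i}",
                  t0 + timedelta(hours=i)) for i in range(2)]
    return lines

def find_note_drops(lines, min_uploads=5, window=timedelta(minutes=10)):
    """Flag one account uploading the same file name to many paths within `window`."""
    uploads, downloads = defaultdict(list), defaultdict(list)
    for rec in map(json.loads, lines):
        if rec.get("Workload") != "SharePoint":
            continue
        rec["ts"] = datetime.fromisoformat(rec["CreationTime"])
        if rec.get("Operation") == "FileUploaded":
            uploads[(rec["UserId"], rec["SourceFileName"].casefold())].append(rec)
        elif rec.get("Operation") == "FileDownloaded":
            downloads[rec["UserId"]].append(rec["ts"])
    alerts = []
    for (user, _), recs in uploads.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end, cur in enumerate(recs):  # sliding window: keep the densest burst
            while cur["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        paths = {r["ObjectId"] for r in best}  # distinct locations hit in the burst
        if len(paths) >= min_uploads:
            first = best[0]["ts"]
            alerts.append({"user": user, "file": best[0]["SourceFileName"],
                           "paths": len(paths),  # downloads before the burst hint at exfiltration
                           "prior_downloads": sum(t < first for t in downloads[user])})
    return alerts

if __name__ == "__main__":
    for alert in find_note_drops(build_sample()):
        print(alert)
```

The default `min_uploads` is sized for the small sample; against real tenant logs it would need tuning so that routine template or sync uploads do not trigger it.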

Overall, companies must continue to invest in their cybersecurity protocols to ensure they can protect sensitive data and thwart cyberattacks. The stakes are high, and the repercussions of a successful attack can be devastating.
