Feb 15, 2024The Hacker NewsSaaS Security / Risk Management

With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.

The TL;DR Version Of SaaS Security

2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The first insight from this research cements the concept that SaaS is the new supply chain, providing an almost intuitive framework to the importance of securing SaaS usage. These applications are clearly an integral part of the modern organization’s set of tools and vendors. That said, long gone are the days when every 3rd party with access to company data had to go through security or IT approval. Even in the most rigorous companies, when a diligent employee needs a quick and efficient solution, they’ll look it up and use it to get their jobs’ done faster and better. Again, think of the widespread use of GenAI, and the picture is clear.

As such, any organization concerned about the security of its supply chain must adopt SaaS security measures. According to the MITRE ATT&CK technique ‘Trusted Relationships’ (T1199), a supply chain attack occurs when an attacker targets a vendor to exploit it as a means to infiltrate a broader network of companies. By entrusting sensitive data to external SaaS vendors, organizations subject themselves to supply chain risks that reach beyond immediate security concerns.

Four Common SaaS Risks

There are various reasons and ways in which SaaS is being targeted. The good news is that most of the risks can be significantly mitigated when monitored and controlled. Basic SaaS security capabilities are even free, suited for organizations that are just beginning to develop their SaaS security posture or need to compare it to their current solution.

1) Shadow SaaS

The first problem with SaaS usage is the fact that it often goes completely unnoticed: The number of applications used by organizations is typically 250% larger than what a basic and often-used query of the workspace reveals.

Amongst the companies analyzed:

• 41% of applications were used by only one individual, resulting in a very long tail of unsanctioned applications.
• 1 out of 5 users were utilizing applications not used by anyone else within their organization, creating security and resource strains.
• 63% of single-user applications were not even accessed within a 3-month period, begging the question – why keep them connected to company data?
• 96.7% of organizations used at least one application that had a security incident in the previous year, solidifying the continuous risk and need for proper mitigation.

2) MFA Bypassing

Wing’s research indicates a trend where users opt to use a username/password to access the services they need, bypassing the security measures in place (see image 1).

Image 1: From Wing Security’s research, bypassing MFA.

3) Forgotten tokens

Users grant the applications they need tokens; this is necessary for the SaaS applications to serve their purpose. The problem is that these tokens are often forgotten about after a few or just one use. Wing’s research revealed a large presence of unused tokens over a period of 3 months, creating an unnecessarily large attack surface for many customers (Image 2).

4) The new risk of Shadow AI

In the beginning of 2023, security teams primarily concentrated on a select few renowned services offering access to AI-based models. However, as the year progressed, thousands of conventional SaaS applications adopted AI models. The research shows that 99.7% of companies were using applications with integrated AI capabilities.

Organizations were required to agree to updated terms and conditions permitting these applications to utilize and refine their models using the organizations’ most confidential data. Often, these revised terms and conditions slipped under the radar, along with the usage of AI itself.

There are different ways in which AI applications may use your data for their training models. This can come in the form of learning your data, storing your data and even having a human manually go over your data to improve the AI model. According to Wing, this capability is often configurable and totally avoidable, provided it is not overlooked.

Solving SaaS Security Challenges In 2024

The report ends on a positive note, listing 8 ways in which companies can mitigate the growing threat of the SaaS supply chain. Including:

1. Ongoing shadow IT discovery and management.
2. Prioritize the remediation of SaaS misconfigurations
3. Optimize anomaly detection with predefined frameworks, automate when possible.
4. Discover and monitor all AI-using SaaS applications, and constantly monitor your SaaS for updates in their T&C pertaining to AI usage.

For the full list of findings, tips on ensuring safe SaaS usage and a 2024 SaaS security forecast, download the full report here.

Jan 22, 2024NewsroomCyber Attack / Hacking

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea’s strategic interests.

In August 2023, ScarCruft was linked to an attack on Russian missile engineering company NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a “highly desirable strategic espionage mission” designed to benefit its controversial missile program.

Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi likely in an effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

Dec 25, 2023NewsroomCyber Espionage / Malware

The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises.

Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB’s formal exit from Russia earlier this year.

Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server.

The starting point is a phishing message bearing a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office’s Equation Editor, to kick-start the execution of malicious payloads, a technique Cloud Atlas has employed as early as October 2018.

“The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets,” Kaspersky noted in August 2019. “Unlike many other intrusion sets, Cloud Atlas hasn’t chosen to use open source implants during its recent campaigns, in order to be less discriminating.”

F.A.C.C.T. described the latest kill chain as similar to the one described by Positive Technologies, with successful exploitation of CVE-2017-11882 via RTF template injection paving the way for shellcode that’s responsible for downloading and running an obfuscated HTA file. The mails originate from popular Russian email services Yandex Mail and VK’s Mail.ru.

The malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing an unknown VBS code from a remote server.

“The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks,” Positive Technologies said of the group last year.

“The group’s toolkit has not changed for years—they try to hide their malware from researchers by using one-time payload requests and validating them. The group avoids network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office.”

The development comes as the company said that at least 20 organizations located in Russia have been compromised using Decoy Dog, a modified version of Pupy RAT, attributing it to an advanced persistent threat actor it calls Hellhounds.

The actively maintained malware, besides allowing the adversary to remotely control the infected host, comes with a scriptlet designed to transmit telemetry data to an “automated” account on Mastodon with the name “Lamir Hasabat” (@lahat) on the Mindly.Social instance.

“After materials on the first version of Decoy Dog were published, the malware authors went to a lot of effort to hamper its detection and analysis both in traffic and in the file system,” security researchers Stanislav Pyzhov and Aleksandr Grigorian said.