Incidents – INDIA NEWS (https://www.indiavpn.org)

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know
https://www.indiavpn.org/2024/02/13/midnight-blizzard-and-cloudflare-atlassian-cybersecurity-incidents-what-to-know/
Tue, 13 Feb 2024 12:18:05 +0000

Feb 13, 2024 | The Hacker News | SaaS Security / Data Breach


The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.

In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider.

What Exactly Happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by the Russian “Midnight Blizzard” hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin’s foreign intelligence service unit.

In the Microsoft breach, the threat actors:

  1. Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures.”
  2. Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft’s corporate environment.
  3. Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to the applications even if they lost access to the initially compromised account.
  4. Granted admin Exchange permissions and admin credentials to themselves.
  5. Escalated privileges from OAuth to a new user, which they controlled.
  6. Consented to the malicious OAuth applications using their newly created user account.
  7. Escalated the legacy application’s access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.

[Illustration: recreation of an illustration by Amitai Cohen]

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised by a nation-state attack.

  1. This breach, which started on November 15, 2023, was made possible through the use of compromised credentials that had not been changed following a previous breach at Okta in October 2023.
  2. Attackers accessed Cloudflare’s internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian instance.
  3. 76 source code repositories related to key operational technologies were potentially exfiltrated.
  4. Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.

Threat Actors Increasingly Target SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers for purposes that include, but are not limited to, espionage and intelligence gathering. Midnight Blizzard previously carried out significant cyber operations, including the 2021 SolarWinds attack.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational technology stacks. They also highlight significant vulnerabilities in SaaS identity management and the need for stringent third-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

  1. Initial access: Password spraying, OAuth app hijacking
  2. Persistence: Impersonating an admin, creating additional OAuth apps
  3. Defense Evasion: Highly privileged OAuth apps, accounts without MFA
  4. Lateral Movement: Broader compromise of connected apps
  5. Data Exfiltration: Pulling privileged and sensitive data out of apps

Breaking the SaaS Kill Chain

One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:

  • Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies
  • Persistence: Scan and identify OAuth permissions and detect OAuth hijacking
  • Defense Evasion: Access policy checks, detection of newly created identity providers (IdPs), detection of permission changes
  • Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand the blast radius of a potentially compromised account

Note: This expertly contributed article is written by Beverly Nevalga, AppOmni.

China’s MIIT Introduces Color-Coded Action Plan for Data Security Incidents
https://www.indiavpn.org/2023/12/25/chinas-miit-introduces-color-coded-action-plan-for-data-security-incidents/
Mon, 25 Dec 2023 19:30:18 +0000

Dec 16, 2023 | Newsroom | Cyber Security / Incident Response


China’s Ministry of Industry and Information Technology (MIIT) on Friday unveiled draft proposals detailing its plans to tackle data security events in the country using a color-coded system.

The effort is designed to “improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests,” the department said.

The 25-page document encompasses all incidents in which data has been illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical tiers based on the scope and the degree of harm caused –

  • Red: Level I (“especially significant”), which applies to widespread shutdowns, substantial loss of business processing capability, interruptions arising from serious anomalies lasting more than 24 hours, major radio interference lasting more than 24 hours, economic losses exceeding 1 billion yuan, or incidents affecting the personal information of over 100 million people or the sensitive personal information of more than 10 million people
  • Orange: Level II (“significant”), which applies to shutdowns and operational interruptions lasting more than 12 hours, major radio interference lasting more than 12 hours, economic losses between 100 million yuan and 1 billion yuan, or incidents affecting the personal information of over 10 million people or the sensitive personal information of more than 1 million people
  • Yellow: Level III (“large”), which applies to operational interruptions lasting more than eight hours, occurrence of major radio interference for more than eight hours, economic losses between 50 million yuan and 100 million yuan, or affects the personal information of over 1 million people or sensitive personal information of more than 100,000 people
  • Blue: Level IV (“general”), which applies to minor events that cause operational interruptions lasting less than eight hours, economic losses of less than 50 million yuan, or affects the personal information of less than 1 million people or sensitive personal information of less than 100,000 people

The new rules also require affected companies to make an assessment to determine the severity of the incident, and if deemed serious, report it immediately to the local industry supervision department without omitting or concealing any facts, or providing any false information.


“If the local industry regulatory department initially determines that it is a particularly major or major data security incident, it should report it to the Mechanism Office in accordance with the requirements of ’10 minutes by phone and 30 minutes in writing’ after discovering the incident,” the draft rules state.

Based on the response level activated – Red or Orange – the Mechanism Office is expected to report the matter to the MIIT. The draft rules are open for public comments until January 15, 2024.

The development comes as videotelephony and enterprise communications company Zoom unveiled an open-source vulnerability impact scoring system (VISS) to “objectively capture the principal impact characteristics of software, hardware, and firmware vulnerabilities as they relate to the associated infrastructure, technology stack, and security of customer data.”
