Full Report
In 2024, cyber threats targeting SaaS surged, with 7,000 password attacks blocked per second (just in Entra ID)—a 75% increase from last year—and phishing attempts up by 58%, causing $3.5 billion in losses (source: Microsoft Digital Defense Report 2024). SaaS attacks are increasing, with hackers often evading detection through legitimate usage patterns. The cyber threat arena saw standout
Analysis Summary
# Threat Actor: ShinyHunters
## Attribution & Identity
Threat actor organization described as the "Most Valuable Player" in 2024 cyber threats, specifically targeting SaaS environments. Known for gaining access through exploiting misconfigurations rather than vendor vulnerabilities.
## Activity Summary
* Conducted a relentless spree of SaaS breaches throughout 2024.
* Achieved "Biggest Wins" against Snowflake, Ticketmaster, and Authy.
* Exploited a single misconfiguration among Snowflake customers to breach over 165 organizations.
* Infiltrated, exfiltrated data, and engaged in blackmail against compromised users.
* Stolen data dumps were characterized as daring theatrical releases featuring bidding wars and exclusive leaks.
## Tactics, Techniques & Procedures
- Exploiting **SaaS misconfigurations** (e.g., lack of MFA enforcement, improper credential management).
- Infiltration and exfiltration without immediate detection via legitimate usage patterns.
- Blackmailing victims using exfiltrated sensitive data.
## Targeting
- Sectors: Various sectors utilizing affected SaaS platforms (implied based on victims like Ticketmaster).
- Geography: Not explicitly stated, but high-profile breaches suggest global operations.
- Victims: Snowflake customers (165+ organizations), Authy, Ticketmaster.
## Tools & Infrastructure
- Malware families used: Not explicitly detailed in the summary provided.
- Infrastructure (C2, domains, IPs): Not explicitly detailed in the summary provided.
## Implications
ShinyHunters demonstrated a highly effective and low-friction method for mass exploitation by targeting widely overlooked customer-side security oversights (misconfigurations) rather than complex vendor vulnerabilities, leading to significant data exposure across critical SaaS platforms.
## Mitigations
- Organizations must enforce Multi-Factor Authentication (MFA).
- Regularly rotate credentials.
- Implement allow lists for access control.
- Conduct regular SaaS security risk assessments to uncover vulnerabilities.
***
# Threat Actor: ALPHV (BlackCat)
## Attribution & Identity
Described as a Ransomware-as-a-Service (RaaS) group characterized by "Strategic Maneuvering." Associated with the alias BlackCat.
## Activity Summary
* Executed one of the year's boldest moves in 2024.
* Extorted $22 million from Change Healthcare using compromised credentials.
* Faked an FBI takedown of their leak site to mislead authorities and affiliates.
* Continued attacks against prominent entities, including Prudential.
* Involved in an "exit scam" controversy with affiliate RansomHub after the Change Healthcare incident.
## Tactics, Techniques & Procedures
- Ransomware-as-a-Service (RaaS) model.
- Utilized **compromised credentials** for initial access/extortion.
- Deception tactic: Faking law enforcement action to cover fraudulent activity.
- Stole data prior to encryption/demanding ransom (double extortion).
## Targeting
- Sectors: Healthcare (Change Healthcare) and Finance (Prudential).
- Geography: Not explicitly stated.
- Victims: Change Healthcare, Prudential.
## Tools & Infrastructure
- Malware families used: BlackCat Ransomware.
- Infrastructure (C2, domains, IPs): Operates a known leak site (which they faked a takedown of). Noted involvement in a public Bitcoin transaction related to the scam: `383559d4a8cf4359a748ff7dacff5b0f00d1b161595da39082b2b66a4d43856c`.
## Implications
ALPHV showcased significant operational complexity, combining highly impactful ransomware operations with sophisticated deceptive tactics to defraud affiliates, cementing their reputation as formidable threat actors despite internal fallout.
## Mitigations
- Track credential leaks using darknet monitoring.
- Enforce Single Sign-On (SSO) to streamline authentication.
- Monitor authentication activities closely.
- Detect compromised credentials promptly.
- Implement account suspension policies to prevent brute-force attacks.
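As an added example (not part of the original report), the mitigations listed above for ShinyHunters and ALPHV (MFA enforcement, source allow lists, authentication monitoring, account suspension against brute force) expressed as a small sign-in audit in Python; the event fields, user names, IP ranges and lockout thresholds are constructed placeholders, not values from any real identity provider log.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (placeholder users and documentation IPs),
# loosely modelled on an identity-provider sign-in log. Not real data.
EVENTS = [
    {"ts": "2024-06-01T08:00:00", "user": "alice@example.test", "ip": "203.0.113.10", "result": "success", "mfa": True},
    {"ts": "2024-06-01T08:02:00", "user": "svc-etl@example.test", "ip": "198.51.100.7", "result": "success", "mfa": False},
    {"ts": "2024-06-01T08:03:00", "user": "carol@example.test", "ip": "192.0.2.9", "result": "success", "mfa": True},
] + [  # six failed attempts against one account, one minute apart
    {"ts": f"2024-06-01T08:{m:02d}:00", "user": "bob@example.test", "ip": "192.0.2.55", "result": "failure", "mfa": False}
    for m in range(6, 12)
]

# Policy values assumed for this example: corporate egress ranges and lockout thresholds.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
FAIL_THRESHOLD = 5                 # failures inside the window that trigger suspension
FAIL_WINDOW = timedelta(minutes=10)


def audit_signins(events, allowed_nets=ALLOWED_NETS,
                  fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (rule, user, detail) findings: password-only sign-ins, sign-ins from
    outside the allow list, and accounts that should be suspended for brute force."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed sign-ins
    suspended = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ipaddress.ip_address(ev["ip"])
        if ev["result"] == "success":
            if not ev["mfa"]:   # the Snowflake-style gap: a valid password alone was enough
                findings.append(("no_mfa", user, f"password-only sign-in from {ip}"))
            if not any(ip in net for net in allowed_nets):
                findings.append(("ip_not_allowed", user, f"sign-in from {ip} outside allow list"))
            continue
        # sliding window of failures; suspend once when the threshold is crossed
        failures[user] = [t for t in failures[user] if ts - t <= fail_window] + [ts]
        if len(failures[user]) >= fail_threshold and user not in suspended:
            suspended.add(user)
            findings.append(("suspend", user, f"{len(failures[user])} failures within {fail_window}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_signins(EVENTS):
        print(f"{rule:15} {user:22} {detail}")
```

Wiring these findings to a real identity provider means replacing the constructed event list with its sign-in export and the placeholder ranges with the organisation's own egress networks.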
***
# Threat Actor: RansomHub
## Attribution & Identity
Described as a "Rookie of the Year" threat actor operating as a Ransomware-as-a-Service (RaaS) group focused on "Opportunistic Offense." Emerged prominently in 2024, notably as an affiliate of ALPHV.
## Activity Summary
* Recorded a "Biggest Win" against Frontier Communications (Telecom & Infrastructure).
* Publicly accused ALPHV of performing an exit scam after not receiving their share of the Change Healthcare ransom.
* Published stolen data from Change Healthcare despite the RaaS dispute, highlighting a motivation centered on data monetization irrespective of affiliate payouts.
## Tactics, Techniques & Procedures
- Ransomware-as-a-Service (RaaS) model (Affiliate activity).
- Data extortion following initial breach.
- Publicly airing grievances and sharing sensitive proof (Bitcoin transaction) on dark web forums to pressure partners.
## Targeting
- Sectors: Telecom & Infrastructure (Frontier Communications).
- Geography: Not explicitly stated.
- Victims: Frontier Communications.
## Tools & Infrastructure
- Malware families used: Likely utilized the BlackCat/ALPHV infrastructure or modified derivatives during its association.
- Infrastructure (C2, domains, IPs): Involved in the Bitcoin transaction associated with the ALPHV scam: `383559d4a8cf4359a748ff7dacff5b0f00d1b161595da39082b2b66a4d43856c`.
## Implications
RansomHub represents the volatile nature of the RaaS ecosystem, demonstrating that even affiliates can become major players. Their aggressive pursuit of data monetization highlights ongoing risks even when original RaaS operators slow down.
## Mitigations
- Maintain robust monitoring for leaked credentials and darknet chatter related to organizational assets.
- Strong SSO enforcement and identity monitoring.
- Proactive oversight of app-to-app integrations (Shadow IT).
***
# Threat Actor: Cl0p (Mentioned as Benched Talent)
## Attribution & Identity
Described as a hybrid social engineering group that was previously a major player in cybercrime but is currently sidelined due to arrests and legal crackdowns in January 2024. Experts caution against counting them out.
## Activity Summary
* Activity slowed significantly in 2024 following the arrest of key members and leaders.
* Noted for their history as a major cybercrime player before their slowdown.
## Tactics, Techniques & Procedures
- Primarily known for **social engineering** methods (implied background).
## Targeting
- Sectors: Generally high-value targets, given their past status.
- Geography: Not specified in the context of 2024 activity.
- Victims: Not detailed for the period summarized.
## Tools & Infrastructure
- Not detailed in the summary provided.
## Implications
This actor serves as a reminder that established threat groups, even when disrupted by law enforcement, retain the knowledge and potential to rebuild or re-emerge, necessitating continued vigilance.
## Mitigations
- General vigilance against established cyber threat groups.
- Continuous monitoring frameworks essential for SaaS security.