Full Report
Obsidian found that threat actors are focusing on SaaS applications to steal sensitive data, with most organizations' security measures not set up to deal with these attacks
Analysis Summary
# Incident Report: Surge in SaaS Platform Compromises (Sep 2023 - Sep 2024)
## Executive Summary
Between September 2023 and September 2024, reports indicated a 300% surge in Software as a Service (SaaS) breaches as sophisticated threat actors shifted focus to cloud platforms. The primary impact stems from compromised identities leading to direct data theft or espionage, often bypassing traditional security controls due to weak MFA implementation. Response strategies emphasize comprehensive SaaS visibility, least privilege, and continuous monitoring.
## Incident Details
- **Discovery Date:** Not specified; linked to research spanning September 2023 to September 2024.
- **Incident Date:** Ongoing, observing trends over the last 12 months.
- **Affected Organization:** Multiple organizations impacted, specifically highlighting incidents involving **Snowflake** deployments (including AT&T).
- **Sector:** Healthcare (14% of breaches), State and Local Government (13%), Financial Services (11%).
- **Geography:** Not specified, global context based on SaaS adoption.
## Timeline of Events
### Initial Access
- **Date/Time:** Highly variable; in one identified case, data exfiltration occurred just nine minutes after initial data access.
- **Vector:** Compromised Identity (85% of observed SaaS breaches).
- **Details:** Credentials stolen, often from previous infostealer campaigns, leveraged for direct SaaS login.
### Lateral Movement
- **Details:** Attackers often bypass traditional network lateral movement, as integrated SaaS platforms allow immediate access to multiple applications via a single compromised identity.
### Data Exfiltration/Impact
- **Details:** Sensitive data theft, financial extortion (e.g., $2.5M extorted in one campaign), espionage, and strategic disruption.
### Detection & Response
- **How it was discovered:** Identified through analysis by Obsidian Security tracking SaaS attack trends.
- **Response actions taken:** Not explicitly detailed for the aggregated incidents, but *recommendations* focus on monitoring and remediation.
## Attack Methodology
- **Initial Access:** Compromised Identity (85%).
- **Persistence:** Not the primary focus; attackers move quickly to exfiltrate.
- **Privilege Escalation:** Generally *not required*, as attackers go "straight for the data."
- **Defense Evasion:** Weak MFA implementation and utilization of bypass techniques (e.g., AiTM).
- **Credential Access:** Adversary-in-the-Middle (AiTM) attacks (39%), Self-Service Password Reset abuse (24%), single-factor password guessing (14%), Push Fatigue (13%).
- **Discovery:** Implied internal reconnaissance within the SaaS application environment.
- **Lateral Movement:** Through integrated SaaS application connections using the initial compromised identity.
- **Collection:** Gathering sensitive data from cloud data warehousing (e.g., Snowflake).
- **Exfiltration:** Direct data theft from the accessed SaaS platform.
- **Impact:** Financial gain, espionage, or disruption.
## Impact Assessment
- **Financial:** $2.5 million extorted in one high-profile campaign.
- **Data Breach:** Sensitive data stolen from numerous companies; AT&T call logs referenced as potentially impacted.
- **Operational:** Potential strategic disruption due to the critical reliance on SaaS applications for operations.
- **Reputational:** Significant damage possible given high-profile entities are involved.
## Indicators of Compromise
- **Network indicators:** Not detailed in the source material.
- **File indicators:** None specified.
- **Behavioral indicators:** Direct access to and exfiltration from SaaS platforms without typical network traversal; successful logins following repeated MFA prompts (consistent with push fatigue) in cases where MFA was not bypassed via AiTM.
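The two behavioral indicators above (a bulk export shortly after a login, and a login approved only after a burst of MFA push prompts) translate directly into detection logic over a SaaS audit log. The following is an added example, not code from the report or from Obsidian Security; the log format, field names, thresholds (10-minute login-to-export window, 100,000-row export threshold, three prompts within 15 minutes) and the sample events are all constructed for illustration and would be tuned to the platform's actual audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the report); tune per platform and tenant.
LOGIN_TO_EXPORT_WINDOW = timedelta(minutes=10)   # report cites exfiltration 9 min after access
EXPORT_ROW_THRESHOLD = 100_000                    # rows in a single export considered "bulk"
PUSH_FATIGUE_PROMPTS = 3                          # prompts before an approval looks coerced
PUSH_FATIGUE_WINDOW = timedelta(minutes=15)

# Constructed sample audit log: "timestamp|user|action|detail". Not real data.
SAMPLE_LOG = [
    "2024-03-01T09:00:00|alice@corp.example|mfa_push_sent|",
    "2024-03-01T09:00:30|alice@corp.example|mfa_push_denied|",
    "2024-03-01T09:01:00|alice@corp.example|mfa_push_sent|",
    "2024-03-01T09:02:00|alice@corp.example|mfa_push_sent|",
    "2024-03-01T09:03:00|alice@corp.example|mfa_push_approved|",
    "2024-03-01T09:03:05|alice@corp.example|login_success|ip=203.0.113.10",
    "2024-03-01T09:12:05|alice@corp.example|bulk_export|250000",
    "2024-03-01T10:00:00|bob@corp.example|login_success|ip=198.51.100.7",
    "2024-03-01T10:05:00|bob@corp.example|bulk_export|500",
    "2024-03-01T11:00:00|carol@corp.example|login_success|ip=198.51.100.9",
    "2024-03-01T11:45:00|carol@corp.example|bulk_export|200000",
]


def parse_events(lines):
    """Parse pipe-delimited audit lines into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, action, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rapid_exfiltration(events):
    """Flag a bulk export that follows the same identity's login within the window."""
    alerts = []
    last_login = {}
    for e in events:
        if e["action"] == "login_success":
            last_login[e["user"]] = e["ts"]
        elif e["action"] == "bulk_export":
            rows = int(e["detail"])
            login_ts = last_login.get(e["user"])
            if login_ts is None or rows < EXPORT_ROW_THRESHOLD:
                continue
            elapsed = e["ts"] - login_ts
            if elapsed <= LOGIN_TO_EXPORT_WINDOW:
                minutes = int(elapsed.total_seconds() // 60)
                alerts.append((e["user"], "rapid_exfiltration", minutes, rows))
    return alerts


def detect_push_fatigue(events):
    """Flag an MFA approval preceded by a burst of push prompts for the same identity."""
    alerts = []
    prompts = defaultdict(list)
    for e in events:
        if e["action"] == "mfa_push_sent":
            prompts[e["user"]].append(e["ts"])
        elif e["action"] == "mfa_push_approved":
            recent = [t for t in prompts[e["user"]] if e["ts"] - t <= PUSH_FATIGUE_WINDOW]
            if len(recent) >= PUSH_FATIGUE_PROMPTS:
                alerts.append((e["user"], "push_fatigue", len(recent)))
            prompts[e["user"]].clear()  # a fresh session starts a fresh count
    return alerts


def analyze(lines):
    """Run both detectors over raw audit lines and return all alerts."""
    events = parse_events(lines)
    return detect_rapid_exfiltration(events) + detect_push_fatigue(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log, only `alice@corp.example` trips both detectors: three push prompts precede her approval, and a 250,000-row export lands nine minutes after her login. The other two identities show that the thresholds, not the mere presence of an export, drive the alert. Because the detectors key on identity rather than network path, they still fire when, as the report describes, the attacker logs in directly to the SaaS platform and never traverses the corporate network.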
## Response Actions
*(Based on post-incident recommendations, as specific containment actions were not detailed for the aggregate view):*
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- Traditional security tools designed for on-premises or cloud networks struggle to secure the complex web of SaaS applications and identities.
- Compromised identity is the paramount initial vector in SaaS breaches.
- MFA, while critical, is frequently bypassed due to weak implementation, exceptions, or advanced techniques like AiTM.
- Attackers can achieve data access and exfiltration extremely rapidly in SaaS environments (as fast as 9 minutes).
## Recommendations
- Gain a comprehensive view of all SaaS applications and services in use to identify and manage potential vulnerabilities.
- Implement least privilege access controls to reduce the lateral movement capability once an initial identity is compromised.
- Establish a system of ongoing monitoring specifically tailored for SaaS environments to quickly identify and respond to threats.
- Ensure MFA is robustly implemented across all critical SaaS platforms, actively mitigating against AiTM attacks where possible.