August 2024 Newsletter: SaaS attacks special

Hey there! It’s time for the latest edition of our newsletter. So grab a coffee, make sure you’re sitting comfortably, and get ready to digest the latest identity security news.


Threats under the microscope

SaaS attacks: A year in review

We usually start by spotlighting a specific attack technique. But this month we’re celebrating a special day: the SaaS attack matrix’s 1st birthday!

This coincides with the community GitHub repo hitting its thousandth star. It’s incredible to see the security community getting so much use out of it. So, for those of you who aren’t familiar with it (or maybe you’ve not looked at it in a while), we thought it would be a good opportunity to bring your attention to something that both red and blue teamers are finding useful.


What do red teamers have to say about the SaaS matrix?

To kick things off, we asked some of the best red teams around how they're using the matrix. Here's what they had to say.

"It’s been most useful to us when performing engagements on more modern zero trust environments where macOS is predominantly the operating system of choice. … The technique we’ve seen most success with, across both traditional Active Directory attacks and more modern zero trust environments, is session cookie theft. The protection of browser cookies (for inexplicable reasons) has had less engineering attention than it should have, opening up opportunities for lateral movement; using session cookies, credentials, or API keys recovered from a host becomes a key technique. In our experience, defensive tooling has yet to catch up with this threat."

Rob Maslen | Managing Principal Consultant | MDSec

"We've used the SaaS attack matrix across several cloud-native engagements, for both initial access and lateral movement. We’re usually targeting M365 environments but have still found these attack techniques to be highly effective. In some cases, we’ve leveraged other SaaS applications such as abusing in-app phishing via GitHub to compromise development pipelines. The matrix is particularly useful as a playbook of further attacks once initial access has been established. Even just the awareness of how to pivot from SaaS to SaaS (and sometimes back to M365 or Google Workspace) is really eye-opening for red teams."

Tom Ellson | Head of Offensive Security | Stripe OLT

"In one recent engagement, we were able to compromise a cloud identity with limited permissions in the target Azure environment. We were able to enumerate additional OAuth integrations to laterally move to a third-party IT service management SaaS application, which presented a much easier target to elevate privileges. … This really shows how third-party identities and apps are often the soft underbelly for a lot of otherwise pretty secure orgs that we work with, and we’re enjoying the challenge of finding new ways of getting to the crown jewels."

Max Corbridge | Head of Adversarial Simulation | JUMPSEC


What’s changed since launch?

Back when we first published the matrix, we were anticipating a shift that was yet to fully materialize. But a lot can change (and has changed) in the space of a year. We’ve seen the impact of SaaS account takeover attacks laid bare. The Snowflake incident, billed as one of the biggest breaches in history, is a telling example that we’ll no doubt look back on as a watershed moment.

As an indicator of this, the latest Gartner Emerging Tech report for SaaS Ecosystem Security agrees, announcing that SaaS security has overtaken cloud security as a top priority for businesses. They also named Push as a key vendor in this emerging security domain.


OK, but what’s this got to do with identity attacks?

Identity attacks are the #1 cause of cyber breaches. This is generally true, but it is especially apt in the context of SaaS attacks. The SaaS matrix illustrates this – identity-based techniques are a significant majority.

Why? Well, one of the main reasons is that for an attacker to exploit a SaaS app, they often just have to log in. As the saying goes these days: “Hackers don’t hack in, they log in.”

This means that we’ve seen the initial access category grow at a significantly faster rate than other kill chain stages. Every initial access technique can be described as an identity attack.


How does the SaaS matrix help?

To be able to stop SaaS attacks, you need to know what they look like first.

So whether you’re a red team looking to emulate the latest attacker techniques, or a blue team looking to detect and block them, the SaaS attack matrix can be a really useful resource.

If you want to read the full quotes, along with more detail on the most notorious techniques from the last year, you should check out our latest blog post.


In the news

Google authentication bug allowed attackers to access SaaS services without domain verification

What happened:

Attackers found a bug in Google’s account creation that allowed them to register Google accounts using email addresses they didn’t control. Say you have a Microsoft account with an email address of “john[.]smith@example[.]com” and you don’t use Google – well, the attackers figured out how to create a Google account as “john[.]smith@example[.]com” without access to the underlying email address or domain.

Push’s perspective:

This is a slightly unconventional example of a ghost login. Usually, ghost logins are additional login methods that attackers can use to get around securely configured SSO logins with MFA. But in this case, attackers were able to authenticate to third-party apps using a newly created Google address that shared the same domain as an existing SSO login – e.g. a Microsoft account.

In this case, attackers created a few thousand Google accounts without verification and an example is given showing how this was used to compromise a user’s Dropbox account, even though they weren't a Google user themselves. Pretty scary!


What we've been up to

Push research shout-outs

This feels like a very Push-heavy edition, but there are a couple of things we just have to mention!

First, our VP R&D Luke Jennings’ research was featured on an episode of Darknet Diaries. The episode showcased the impact of SaaS attacks and ghost logins in particular. Super cool!

“If fifty people work at this place, that’s fifty accounts times however many services I just listed. What, ten? So, we’re talking five hundred various logins to different websites now. Who’s got permission to see what and where?... This is a new territory for security teams to navigate. You hear about this in general terms like ‘least user privilege’ and this sort of stuff, but you don’t have people who are experts in Zapier account security who will audit what apps you have given permission to regularly. This is a big challenge to keep up with.”

Jack Rhysider, Darknet Diaries EP:148, discussing Push Security threat research


Upcoming webinar: Infostealers

Luke will be showing off some more of his research in our upcoming webinar, this time looking at infostealers.

This time, he’s rolling up his sleeves to demonstrate:

– How attackers use infostealers to steal sessions and compromise MFA-protected services like M365.

– How attackers use residential VPNs to bypass conditional access policies.

– How downstream SaaS app sessions can be stolen to avoid the need to access highly protected IDPs like Microsoft and Okta.

Register for the webinar.

Get your copy of the updated SaaS Attacks Report

Finally, to commemorate the one-year anniversary of the SaaS attack matrix, we’ve issued an updated SaaS attacks report for 2024.

Download your copy.


Thanks for sharing your week with us. Please invite your friends to sign up!
