This article was originally published in Security Boulevard and later cross-posted on our Obsidian blog.
As the Russian invasion of Ukraine continues on with seemingly no end in sight, companies around the world are increasingly concerned with the growing threat of increased cyber attacks and cyber retaliation. In recent weeks, Russian actors have launched an unprecedented number of cyberattacks to spread misinformation and disrupt and destroy critical infrastructure. Wiper malware hit a number of Ukrainian banking systems while various Ukrainian government agency websites were either defaced or taken offline entirely. Although many of these cyberattacks have been targeted at Ukrainian institutions, the global security community has already taken note of the increased risk of cyber threats originating from the conflict region—and teams are on high alert.
As economic sanctions against Russia continue to set in and weaken the Russian economy, it is likely that Russian cyberattacks will increase, motivated both by economic gain—such as ransomware, business email compromise, and spear phishing—and by retaliation. In late February, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued its “Shields Up” advisory, warning businesses to prepare for potentially disruptive cyber activity in the wake of Russia’s invasion. More recently, the Biden administration released a statement warning of “evolving intelligence that the Russian Government is exploring options for potential cyberattacks” and urging “private sector partners to harden your cyber defenses immediately.”
In these times, communication and collaboration between security teams, researchers, vendors, and industry leaders are absolutely imperative to ensuring critical organizations—especially those in targeted sectors—are equipped to protect themselves and respond effectively to threats.
Our team is committed to sharing the insights we gain from being a Software-as-a-Service (SaaS) security leader with the wider community and providing assistance to industries that need it, especially given our focus on protecting mission-critical business applications. Below are some SaaS-specific concerns for your team to be aware of and how we are responding to this increased cybersecurity threat.
Attackers recognize that most organizations today entrust a wealth of their sensitive business data to their core applications and are looking for any opportunity to gain unauthorized access to these services.
CISA just recently issued an advisory regarding Russian state-sponsored activity that enabled attackers to gain network access by exploiting misconfigurations in Duo multi-factor authentication (MFA). After brute-forcing entry into an inactive account, attackers would enroll one of their own devices into Duo MFA. Once authenticated to the network, attackers exploited the Windows “PrintNightmare” vulnerability to obtain administrative privileges, then modified a domain controller file to prevent the Duo MFA server from authenticating logins. The default MFA configurations allowed a new device to be enrolled on a dormant account and permitted “fail open” behavior, meaning single-factor authentication is accepted if the MFA server is unreachable.
Attackers are also effectively bypassing MFA protocols with the interception and theft of SaaS session tokens by various methods, including phishing via a man-in-the-middle attack or purchasing stolen tokens on the dark web. With a valid session token, an attacker can interact freely with the user’s SaaS application, generating API keys, installing OAuth applications, and generally going undetected by most security tools.
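The two account-takeover patterns above (a new MFA device enrolled on a dormant account, and a session token reused from a different network location) can both be surfaced from SaaS audit logs. The following is an added example, not Obsidian's code; the event format and the sample events are constructed and hypothetical.

```python
# Added example (not Obsidian's code): detection logic for two SaaS account-takeover
# patterns, run over constructed, hypothetical audit-log events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral format.
EVENTS = [
    {"ts": "2022-01-05T09:00:00", "user": "alice", "type": "login", "ip": "203.0.113.10", "session": "s1"},
    {"ts": "2022-03-10T02:14:00", "user": "alice", "type": "mfa_enroll", "ip": "198.51.100.7", "session": None},
    {"ts": "2022-03-10T02:15:00", "user": "alice", "type": "login", "ip": "198.51.100.7", "session": "s2"},
    {"ts": "2022-03-10T08:00:00", "user": "bob", "type": "login", "ip": "203.0.113.20", "session": "s3"},
    {"ts": "2022-03-10T08:30:00", "user": "bob", "type": "mfa_enroll", "ip": "203.0.113.20", "session": "s3"},
    {"ts": "2022-03-10T09:00:00", "user": "bob", "type": "api_call", "ip": "203.0.113.20", "session": "s3"},
    {"ts": "2022-03-10T09:05:00", "user": "bob", "type": "api_call", "ip": "192.0.2.99", "session": "s3"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def dormant_mfa_enrollments(events, dormant_days=30):
    """Flag MFA device enrollments on accounts with no login in the preceding dormant_days.

    Events are processed in time order so only logins *before* the enrollment count;
    an attacker's own login right after enrolling a device does not "un-dormant" the account.
    """
    last_login = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = parse(e["ts"])
        if e["type"] == "mfa_enroll":
            prev = last_login.get(e["user"])
            if prev is None or t - prev > timedelta(days=dormant_days):
                hits.append((e["user"], e["ts"]))
        elif e["type"] == "login":
            last_login[e["user"]] = t
    return hits


def session_ip_anomalies(events):
    """Flag session tokens used from more than one source IP (possible stolen token)."""
    ips = defaultdict(set)
    for e in events:
        if e["session"]:
            ips[e["session"]].add(e["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    print(dormant_mfa_enrollments(EVENTS))
    print(session_ip_anomalies(EVENTS))
```

Both checks are deliberately coarse: the dormancy window and the "more than one IP per session" rule should be tuned to the organization's VPN and mobile usage to keep false positives manageable.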
A few months ago, we wrote about an increase in unsophisticated phishing attacks against Workday and various other human capital management systems where attackers rerouted the direct deposits of multiple employees. Considering the heavy international economic sanctions levied upon the Russian state, security teams should prepare for retaliatory attacks looking to maximize financial return. Security teams should have plans in place to deal with these threats and to ensure the continuity of critical business systems.
Account compromises aren’t the only concern here; larger enterprises should be wary of potential insider threats as individuals take sides. Paying close attention to abnormal behavior patterns—unusually high download/deletion volume or forwarding business emails to a personal inbox, for example—can help teams detect and mitigate potential insider threats. Security teams should also use this opportunity to consider reducing user privileges across applications, as unnecessary permissions only increase the overall risk to the organization. In addition, monitoring your third-party risk and software supply chain is critical. This is especially important in the sprawling SaaS application install base, where the interconnected web of SaaS applications, integrations, and their opaque data flows increases your overall surface area and exposure to data loss and compromise.
With the growing threat of cyber attacks directed at business-critical SaaS applications, Obsidian’s objective is two-fold: ensure our customers are well-equipped to protect their SaaS environments, and provide support to businesses in important and targeted industries.
Comprehensive SaaS security involves both posture management—ensuring that application controls are hardened and privileges are distributed appropriately—and continuous threat monitoring to identify account takeovers and insider threats. Obsidian is the first SaaS security solution to offer both threat and posture management in a single platform, equipping security teams to proactively minimize risk and mitigate malicious activity promptly.
Obsidian monitors for inactive user accounts, brute force attacks, attackers logging in from geographically distant locations, and theft of session tokens. Obsidian’s models use data from across your SaaS applications to baseline a user’s behavior, which helps us identify aberrant activity in other platforms.
In addition to these capabilities already offered by our platform, we’ve added a dashboard specifically designed to monitor activity originating from the conflict area. This dedicated interface will enable our customers to more easily track alerts and activity in the region, monitor users with activity from known malicious Russian IPs, identify accounts targeted by brute force attacks, help facilitate the transition of users who are forced to relocate, and surface potential insider threats.