
SaaS Under Siege: Nation-State Actors Target Identities

TL;DR – Like bank robbers and banks, nation-state actors are now targeting SaaS because that’s where the currency is. Plus, now it’s even easier than traditional endpoint compromise.

In case you missed it, the Five Eyes (FVEY) intelligence alliance (comprising Australia, Canada, New Zealand, the United Kingdom, and the United States) issued an advisory in late February 2024 regarding the cyber espionage group of the Russian intelligence services. The group has shifted its initial-access TTPs away from traditional endpoint-focused malware toward identity-centric, SaaS-based techniques.

The full advisory can be found here.

Nation-state actors have realized what we at Obsidian Security and, unfortunately, eCrime adversaries (such as Scattered Spider) have known for quite some time now:

  1. Organizations, both private and public, and governmental agencies are entrusting their data to SaaS and public cloud services. Not planning or transitioning, but already there.
  2. Targeted attacks on end users are an easy way to gain initial access while bypassing MFA, using well-established techniques such as Adversary-in-the-Middle (AiTM) phishing, SIM swapping and MFA push fatigue.
  3. Owning a user’s credentials and/or session lets an adversary move laterally with ease through the “federated” trust relationships that other applications have established with the organization’s Identity Provider (IdP). This includes the ability to jump from SaaS to on-premises resources through VPN services, something Obsidian sees adversaries actively using today.

As a result, these nation-state actors are finding it easier to gain initial access to these platforms, for two key reasons:

  1. The “shared security model” is not widely understood. Many organizations treat third-party SaaS platforms as a way to transfer risk to the SaaS vendor. They assume the vendor is securing their information, as if the vendor had become the custodian of the data held within the SaaS application. This is not the case. Under the “shared security model”, the subscriber to the SaaS service remains responsible for configuring its tenancy so that access to the information is secure. This misunderstanding leads organizations to underestimate the security resources needed to secure and monitor access to their SaaS tenancy.
  2. SaaS security is unique. Ubiquitous browser-based access and asynchronous session management require session tokens to be stored in the user’s browser and sent with every request. This leaves active session tokens exposed to theft by malware and AiTM attacks.
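The two patterns above (the AiTM and MFA push fatigue techniques in the first list, and the browser-held session token in the second) each leave a footprint in IdP sign-in logs that a defender can look for. The following is an added example, not Obsidian's detection logic and not the log format of any particular identity provider: it assumes one JSON object per line with the fields ts, user, event, session, ip, ua and result, where event is either "session_use" (an authenticated request bearing a session token) or "mfa_push", and the sample log lines are constructed.

```python
"""Two SaaS identity detections run over constructed IdP log lines.

Assumptions (hypothetical format, not any vendor's schema):
  - one JSON object per line with keys ts, user, event, session, ip, ua, result
  - event is "session_use" (request bearing a session token) or "mfa_push"
  - result is "ok" for session_use; "approved", "denied" or "timeout" for mfa_push
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Addresses are documentation ranges.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","user":"alice","event":"session_use","session":"S1","ip":"203.0.113.10","ua":"Chrome/122 Windows","result":"ok"}
{"ts":"2024-03-01T09:05:00Z","user":"alice","event":"session_use","session":"S1","ip":"203.0.113.10","ua":"Chrome/122 Windows","result":"ok"}
{"ts":"2024-03-01T09:30:00Z","user":"alice","event":"session_use","session":"S1","ip":"198.51.100.7","ua":"python-requests/2.31","result":"ok"}
{"ts":"2024-03-01T09:40:00Z","user":"carol","event":"session_use","session":"S2","ip":"203.0.113.44","ua":"Safari/17 macOS","result":"ok"}
{"ts":"2024-03-01T10:00:00Z","user":"bob","event":"mfa_push","session":"","ip":"192.0.2.5","ua":"","result":"denied"}
{"ts":"2024-03-01T10:01:00Z","user":"bob","event":"mfa_push","session":"","ip":"192.0.2.5","ua":"","result":"timeout"}
{"ts":"2024-03-01T10:02:30Z","user":"bob","event":"mfa_push","session":"","ip":"192.0.2.5","ua":"","result":"denied"}
{"ts":"2024-03-01T10:04:00Z","user":"bob","event":"mfa_push","session":"","ip":"192.0.2.5","ua":"","result":"approved"}
{"ts":"2024-03-01T11:00:00Z","user":"carol","event":"mfa_push","session":"","ip":"203.0.113.44","ua":"","result":"denied"}
{"ts":"2024-03-01T11:30:00Z","user":"carol","event":"mfa_push","session":"","ip":"203.0.113.44","ua":"","result":"approved"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Flag a session token presented from more than one (ip, user agent) pair.

    A token minted for one browser and later sent from another address by a
    different client is the footprint a stolen session cookie leaves behind.
    """
    clients = defaultdict(set)   # session id -> {(ip, ua), ...}
    owner = {}                   # session id -> user
    for e in events:
        if e["event"] != "session_use" or not e["session"]:
            continue
        clients[e["session"]].add((e["ip"], e["ua"]))
        owner[e["session"]] = e["user"]
    return [
        {"user": owner[s], "session": s, "clients": sorted(pairs)}
        for s, pairs in clients.items()
        if len(pairs) > 1
    ]


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag an approved MFA push preceded by >= threshold denials or timeouts
    within `window` for the same user: the shape of a push-bombing campaign
    that finally wore the user down."""
    recent = defaultdict(list)   # user -> timestamps of recent failures
    findings = []
    for e in events:
        if e["event"] != "mfa_push":
            continue
        user, t = e["user"], e["ts"]
        recent[user] = [x for x in recent[user] if t - x <= window]
        if e["result"] in ("denied", "timeout"):
            recent[user].append(t)
        elif e["result"] == "approved":
            if len(recent[user]) >= threshold:
                findings.append({
                    "user": user,
                    "approved_at": t.isoformat(),
                    "prior_failures": len(recent[user]),
                })
            recent[user] = []
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    return {
        "session_reuse": detect_session_reuse(events),
        "push_fatigue": detect_push_fatigue(events),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the sample, only alice's session S1 is flagged (used from a second address with a non-browser client) and only bob's approval is flagged (three failed pushes in four minutes); carol's single denial half an hour before her approval stays below the threshold. In a real tenancy the (ip, ua) pair would be refined with ASN or geolocation to avoid alerting on ordinary mobile roaming, and the window and threshold tuned to the IdP's push timeout.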

At Obsidian, we have been 100% focused on these types of SaaS attacks and have been detecting and responding to them since before they became popular attack vectors for eCrime actors, and now nation-state operators. Obsidian is involved in dozens of active global Incident Response engagements per week that involve these techniques and tactics.

Alarmingly, these strategies (AiTM and MFA Push Fatigue) prove successful in over 51% of SaaS breaches; the remaining 49% consist of SIM Swapping, Integration Abuse, and Endpoint Compromise.

Data from Obsidian platform & incident response engagements from August 2022 to August 2023.

Obsidian stands out as a SaaS threat detection and prevention platform designed with a specific focus on combating SaaS attacks. While traditional SSPM vendors typically concentrate on Posture Management, configuration issues represent only around 15% of the breaches we have witnessed. Obsidian diverges from this approach. We understand that the remaining 85% of SaaS security incidents are attributed to residual risk. 

In the scenario illustrated by the recent Five Eyes advisory, Obsidian’s SaaS threat modeling swiftly identifies session theft, initiates response workflows and playbooks, or can proactively suspend the compromised account. Conventional tools such as Endpoint Detection and Response (EDR), Cloud Access Security Broker (CASB), or Secure Access Service Edge (SASE) lack the capability to provide such comprehensive protection.

Learn more about the SaaS attacks, gain deeper insights, and remediation advice on our blog. Or get in touch with us to assess your environment for risks of SaaS threats.

To explore more on these types of SaaS-specific attacks, and to gain deeper insights and remediation advice, visit our website.