Cybersecurity is no longer about the attacks you can see; it’s about the ones you can’t. In a recent unsettling breach, SaaS ransomware crept into the spotlight, targeting not machines, but the very services that drive our daily work. Attackers didn’t compromise employee computers or infiltrate internal networks; they simply logged in with stolen credentials and discreetly extracted sensitive data from a widely-used service: SharePoint Online.
This bypassing of endpoints marked a departure from the norm and exposed a glaring weakness in any login that depends on a password alone. It’s thought to be the first attack of its kind, but it likely won’t be the last.
With this in mind, let’s unravel the specifics of this breach and what organizations can do to prevent automated SaaS ransomware attacks. We’ll look at the transition to passwordless and certificate-based authentication systems as critical defenses in the modern cybersecurity arsenal. By understanding the full scope of the attack and the emerging protective technologies, you’ll be equipped to safeguard your enterprise’s environments against these silent threats. So let’s get into it.
The First Instance of Automated SaaS Ransomware Extortion
Ransomware attacks are nothing new. By one security vendor’s telemetry count there were around 493.3 million ransomware attacks in 2022, a decrease from the year before but still higher than in any other year of the last decade. Not all ransomware attacks are the same, however, and threat actors continually adapt their methods for more effective and precise attacks.
The most recent tactic switch, and the first of its kind, is automated SaaS ransomware extortion that entirely bypasses endpoints.
Let’s Break Down This Attack
Cybersecurity researchers at security firm Obsidian have reported a ransomware attack on SharePoint Online, executed through a hijacked Microsoft 365 Global Administrator account and sidestepping the typical endpoint compromise. Here’s how it worked:
- Initial Access: The attackers began by logging in to a weakly secured administrator account that was reachable from the public internet and lacked multi-factor authentication (MFA), a critical security layer. No exploit was needed; a valid username and password was enough.
- Elevation of Privilege: Using that access, they created a new user named “0mega” in the tenant’s Azure Active Directory (now Microsoft Entra ID) and assigned it administrator roles across the SharePoint, Exchange, and Teams environments. They also removed more than 200 existing administrators within two hours, which both entrenched their control and hampered any response by the legitimate admins.
- Exfiltration of Data: With the illicitly gained permissions, the “0mega” account accessed the company’s SharePoint Online libraries, stealing hundreds of files.
- The Silent Exit: They transferred the stolen data to a virtual private server (VPS) hosted by a Russian web hosting company, utilizing the “sppull” Node.js module, which facilitates file downloads from SharePoint.
- The Unveiling: After the heist, the attackers uploaded text files to the victim’s SharePoint site using the “got” Node.js module, brazenly informing the organization of the breach.
This attack didn’t follow the usual script of endpoint compromise; it was a privileged access heist inside a SaaS application. The signal is clear: attackers are turning their sights on the SaaS landscape, where controls are often softer, and tighter security measures there are overdue. These are the critical takeaways:
- No Endpoint Compromise: Unlike typical ransomware attacks that rely on endpoint compromise to spread and encrypt files, this attack was purely based on privileged access abuse within the SaaS application.
- A First of Its Kind: According to security experts, this method of automated SaaS ransomware extortion, bypassing endpoints, has not been publicly recorded before.
- A Rising Trend: Attacks targeting enterprise SaaS environments have noticeably increased, as attackers capitalize on SaaS security controls that are typically less mature than endpoint defenses. One study found a 300% surge in SaaS attacks since March 1, 2023.
- The Need for Better SaaS Security: The alarming rise in SaaS-focused attacks underlines the urgent need for organizations to enhance their security posture across SaaS platforms.
Why Is This Attack Considered Ransomware?
Although this attack didn’t involve encrypting files – typical of ransomware attacks – it’s still considered a new form of SaaS ransomware. This is because the attackers uploaded thousands of PREVENT-LEAKAGE.txt files to inform the organization of the stolen files and negotiate payment to avoid having the contents leaked online.
Will We See More Attacks Like This?
Yes, we’re likely to see more attacks like this one. Obsidian’s researchers believe the trend will gain traction because the attackers have invested in automation, indicating they’re prepping for future hits. Plus, most companies are stronger in endpoint defense than in SaaS security, leaving a gap ripe for exploitation. The shift to data theft over encryption is also appealing to attackers, minimizing risks and simplifying their operations.
How does data theft minimize risks for attackers? Put simply, it’s a quieter form of cyber looting. Encryption attracts immediate attention; it’s noisy, disruptive, and often triggers a swift response from security teams. In contrast, data theft can go undetected for longer, allowing attackers to slip away unnoticed.
Moreover, without the need to provide decryption keys, attackers avoid the complexities and potential technical failures associated with ransomware deployment. This stealthier approach means they can sidestep the spotlight while still holding valuable data for ransom, potentially leading to a lower profile and fewer chances for law enforcement to catch up with them.
Tactics for Preventing Automated SaaS Ransomware
If we’re going to see more of these attacks, we have to take proactive measures to limit their success. With this in mind, let’s look at some of the ways to safeguard our systems from automated SaaS ransomware attacks.
Multifactor Authentication and Its Limits
Researchers highlight that one reason this attack was possible is the lack of MFA on the compromised account. Having MFA enabled makes using stolen credentials much harder. However, it doesn’t eliminate this type of attack.
Researchers pointed out that even with MFA in place, determined attackers could still bypass it. They could procure the necessary credentials from dark web forums and lean on tactics like MFA push fatigue, bombarding a user with authentication requests until the user, overwhelmed and frustrated, finally approves one. Push notifications, SMS codes and app-generated one-time codes also share a deeper weakness: none of them is bound to the site the user is actually talking to, so an adversary-in-the-middle phishing page can relay the code, and the session that results, to the real service in real time.
That’s exactly why phishing-resistant, passwordless authentication is the better answer here: the credential is bound to the legitimate origin and to the user’s device, so there is nothing for a phishing page to relay, and it is more user-friendly at the same time.
Passwordless Authentication as a Tool To Prevent SaaS Ransomware Attacks
User credentials were a critical weak point in the SharePoint attack – it wouldn’t have been possible without a stolen username and password. Which is why many security experts are recommending ditching passwords altogether.
Shifting to passwordless authentication addresses the core weaknesses of traditional passwords. Passwords are often the weakest link: they can be stolen, guessed, reused across services, or forgotten. Passwordless solutions such as biometrics, FIDO2 security keys, and certificate-based authentication replace the shared secret with a private key held on the user’s device and unlocked by a PIN or biometric, which an intruder cannot phish, replay, or reuse elsewhere.
This shift not only enhances security by making unauthorized access considerably more challenging but also simplifies the user experience, eliminating the need for users to create, remember, and manage an array of passwords. It’s a win-win: stronger security with a side of convenience.
Key Benefits of Passwordless Authentication
- Enhanced Security: Without a password to steal, a leaked or reused credential gives attackers nothing to log in with, reducing the risk of unauthorized access. Session tokens issued after login still need protecting, so pair passwordless with short token lifetimes and device-bound sessions where the platform supports them.
- Reduced Phishing Risks: Phishing campaigns target passwords and one-time codes. Phishing-resistant passwordless methods (FIDO2/WebAuthn, certificates) bind the credential to the legitimate origin, so a look-alike site captures nothing usable. Magic links and SMS codes lack this property and should not be counted as phishing-resistant.
- Lower Administrative Burden: It eliminates the need for password resets and management, reducing IT overhead.
- Improved User Experience: Users no longer need to remember or enter complex passwords, streamlining the login process.
Certificate-Based Authentication: A Step Further in Security
Certificate-based authentication, as part of the passwordless spectrum, involves the use of digital certificates. These certificates are like digital passports, providing a secure and private method of asserting a user’s identity. They work like this:
- Issuance: A trusted Certificate Authority (CA) issues a digital certificate that binds a user’s or device’s public key to its identity.
- Storage: The certificate and its private key are stored on the user’s device or a smart card.
- Verification: During authentication, the certificate is presented to the server, which checks that it chains to a trusted CA, is within its validity period, has not been revoked, and is authorised for client authentication. The client must also prove it holds the matching private key by signing a server-supplied challenge (inside a TLS handshake this is the CertificateVerify message), so a copied certificate on its own is worthless.
Critically, certificate-based authentication offers robust security. It inherently incorporates two factors: the certificate and its private key act like a digital ID card (something you have), and the key is unlocked with a PIN or biometric (something you know or are). That claim holds only if the private key is non-exportable, so it belongs in a TPM, smart card, or hardware-backed OS key store rather than in a file. Certificate authentication also introduces accountability through non-repudiation: each login is a signature made with a key only that user holds, so it is clear who did what.
Plus, for businesses already running a Public Key Infrastructure (PKI), it scales with the existing setup. The practical cost lies in certificate lifecycle management: automated enrollment, renewal before expiry, and prompt revocation when a device is lost or an employee leaves. This combination of strong security and integration with existing infrastructure makes certificate-based authentication a smart choice for modern organizations.
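The issuance, storage and verification steps above, carried through end to end, as an added example that is not part of the original article or of any vendor’s product. It is written in Go using only the standard library: a self-signed root plays the trusted CA, it issues a client-authentication certificate to a hypothetical user alice@example.com, and the server verifies the chain and then a signed challenge that proves possession of the private key. Two failure cases are included: a certificate for the same name from an untrusted (rogue) CA, and a copied certificate presented without its key. All names are assumptions; in production the private key lives in a TPM or smart card and the exchange runs inside the TLS handshake rather than as a hand-rolled nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus its private key (in production the key sits in a TPM or smart card).
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert generates a key pair and certificate for name: a self-signed CA root when
// issuer is nil, otherwise a leaf signed by issuer and usable only for client auth.
func newCert(name string, issuer *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert: cert, key: key}, err
}

// respond is the client side: sign the server's nonce with the private key.
func respond(id *identity, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, id.key, digest[:])
}

// verify is the server side: cert.Verify checks the chain to a trusted root, validity period
// and client-auth usage (a CRL/OCSP check would sit beside it); the signature proves key possession.
func verify(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

// authenticate runs one challenge-response exchange and returns the authenticated name.
func authenticate(roots *x509.CertPool, client *identity) (string, error) {
	nonce := make([]byte, 32) // fresh per attempt, so a captured response cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sig, err := respond(client, nonce)
	if err != nil {
		return "", err
	}
	return verify(roots, client.cert, nonce, sig)
}

func main() {
	corpCA, _ := newCert("Corp Root CA", nil)
	rogueCA, _ := newCert("Rogue CA", nil)
	roots := x509.NewCertPool()
	roots.AddCert(corpCA.cert)
	alice, _ := newCert("alice@example.com", corpCA)
	mallory, _ := newCert("alice@example.com", rogueCA) // same name, untrusted issuer
	for _, c := range []*identity{alice, mallory, {cert: alice.cert, key: mallory.key}} {
		fmt.Println(authenticate(roots, c)) // third case: copied certificate without its key
	}
}
```

Only the first identity authenticates; the rogue-CA certificate fails the chain check, and the copied certificate fails the proof of possession because the signature was made with a different key. Note that the server never needs a password or a shared secret: it trusts the CA's signature on the certificate and the user's signature over the fresh nonce.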
Why Organizations Should Adopt Passwordless Authentication
With the increase in SaaS ransomware attacks, passwordless authentication, and particularly certificate-based methods, offers a compelling solution. It aligns with zero-trust security models by “never trusting, always verifying,” ensuring that every access request is securely authenticated without relying on vulnerable password systems.
Organizations adopting passwordless and certificate-based authentication stand to benefit from:
- Compliance: Meeting stringent regulatory requirements for data protection.
- Agility: Adapting quickly to evolving security threats without overhauling the entire access management system.
- Reduced Attack Surface: Minimizes the risk of phishing and credential stuffing attacks since passwords are no longer the weakest link.
- Cost-Effectiveness: Lowers the total cost of ownership by reducing the need for password-related support and infrastructure.
- Future-Proofing: Aligns with emerging technologies and standards, making it a forward-looking investment that anticipates the next wave of cyber threats.
- User Experience: Streamlines the login process, eliminating password fatigue and reducing help desk calls for password resets.
It’s Time to Harden SaaS Controls
In an era where SaaS platforms are repositories for regulated, confidential, and sensitive information, hardening SaaS controls is no longer optional; it’s essential. Organizations invest substantially in these platforms. Yet while companies have advanced significantly in detecting threats across endpoints, networks, and cloud infrastructure, many still lack any real SaaS threat detection. This needs to change.
A robust approach to strengthening SaaS security involves several critical strategies:
- Privilege Restriction: Tighten access controls by revoking unnecessary privileges. Keep the number of Global Administrators small, give each one a dedicated admin account protected by phishing-resistant MFA, and enforce the principle of least privilege for everyone else. In this incident a single unprotected, internet-reachable admin account was enough.
- Integration Oversight: Many SaaS applications offer integrations with third-party services. It’s crucial to audit these connections, revoking any that are unsanctioned or pose a high risk.
- Log Analytics: Consolidate and scrutinize SaaS audit and activity logs. Analytical tools should be employed to sift through this data to identify patterns indicative of a compromise, insider threat, or rogue third-party integration.
- Continuous Monitoring: Implement real-time monitoring solutions specifically designed for SaaS applications to detect anomalous behaviors and potential security incidents.
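One way to turn the Log Analytics and Continuous Monitoring items into working detection, as an added example that is not part of the original article or of any vendor’s product. It is written in Go and runs over a constructed log modelled loosely on the Microsoft 365 Unified Audit Log (real records carry many more fields, and the role name for a role-membership change sits in ModifiedProperties, which is omitted here). The three rules mirror the incident sequence described earlier: a privileged role granted to an account created minutes before, a burst of role-member removals by one actor, and bulk file downloads by one actor. The thresholds, account names and file paths are illustrative assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// event is a simplified Unified Audit Log record (constructed for this example; real records
// carry many more fields). Operation names follow the real audit vocabulary.
type event struct {
	Time      time.Time `json:"CreationTime"`
	Operation string    `json:"Operation"`
	UserID    string    `json:"UserId"`   // who acted
	ObjectID  string    `json:"ObjectId"` // what was acted on: a user, a role member, a file
}

type alert struct{ Rule, Actor, Detail string }
// Rule thresholds: illustrative assumptions, not vendor guidance.
const (
	newAccountAge = 24 * time.Hour // role granted to an account created less than this long ago
	removalCount  = 10             // role removals by one actor inside a two-hour window
	downloadCount = 50             // file downloads by one actor inside a one-hour window
)

// parseLog reads newline-delimited JSON records and returns them in time order.
func parseLog(raw string) ([]event, error) {
	lines := strings.Split(strings.TrimSpace(raw), "\n")
	out := make([]event, len(lines))
	for i, line := range lines {
		if err := json.Unmarshal([]byte(line), &out[i]); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// burst fires once per actor when that actor performs op at least n times inside a sliding window.
func burst(events []event, op string, window time.Duration, n int, rule string) []alert {
	var alerts []alert
	recent, fired := map[string][]time.Time{}, map[string]bool{}
	for _, e := range events {
		if e.Operation != op {
			continue
		}
		ts := append(recent[e.UserID], e.Time)
		for e.Time.Sub(ts[0]) > window { // expire timestamps that left the window
			ts = ts[1:]
		}
		recent[e.UserID] = ts
		if len(ts) >= n && !fired[e.UserID] {
			fired[e.UserID] = true
			alerts = append(alerts, alert{rule, e.UserID, fmt.Sprintf("%d x %q within %s", n, op, window)})
		}
	}
	return alerts
}

// detect applies the three rules: new account given a role, mass role removal, bulk downloads.
func detect(events []event) []alert {
	var alerts []alert
	created := map[string]time.Time{} // account -> creation time seen in this log
	for _, e := range events {
		if e.Operation == "Add user." {
			created[e.ObjectID] = e.Time
		} else if at, ok := created[e.ObjectID]; e.Operation == "Add member to role." && ok && e.Time.Sub(at) < newAccountAge {
			alerts = append(alerts, alert{"new-account-privileged", e.UserID, e.ObjectID + " granted a role " + e.Time.Sub(at).String() + " after creation"})
		}
	}
	alerts = append(alerts, burst(events, "Remove member from role.", 2*time.Hour, removalCount, "mass-admin-removal")...)
	return append(alerts, burst(events, "FileDownloaded", time.Hour, downloadCount, "bulk-download")...)
}

// sampleLog is a constructed log shaped like the incident: a service account creates "0mega"
// and grants it a role; 0mega strips existing admins, then pulls many files.
func sampleLog() string {
	base := time.Date(2023, 6, 1, 10, 0, 0, 0, time.UTC)
	rec := func(minute int, op, actor, obj string) string {
		return fmt.Sprintf(`{"CreationTime":%q,"Operation":%q,"UserId":%q,"ObjectId":%q}`, base.Add(time.Duration(minute)*time.Minute).Format(time.RFC3339), op, actor, obj)
	}
	lines := []string{
		rec(5, "Add user.", "svc-admin@example.com", "0mega@example.com"),
		rec(6, "Add member to role.", "svc-admin@example.com", "0mega@example.com"),
	}
	for i := 0; i < 12; i++ { // twelve admins removed in under an hour
		lines = append(lines, rec(10+5*i, "Remove member from role.", "0mega@example.com", fmt.Sprintf("admin%02d@example.com", i)))
	}
	for i := 0; i < 60; i++ { // sixty files pulled in one hour
		lines = append(lines, rec(90+i, "FileDownloaded", "0mega@example.com", fmt.Sprintf("/sites/finance/doc%03d.xlsx", i)))
	}
	return strings.Join(lines, "\n")
}

func main() {
	events, _ := parseLog(sampleLog()) // the constructed log is well-formed
	fmt.Printf("%+v\n", detect(events))
}
```

On the sample log this produces three alerts, one per rule, the first attributed to the service account that created and elevated “0mega” and the other two to “0mega” itself. The new-account rule is the cheapest and most specific of the three: a role grant to an account younger than a day is rare in normal operations and is exactly the pivot an attacker with a stolen admin login needs to make. In a real pipeline the same rules would run over the records the audit API returns, with the thresholds tuned to the tenant's baseline.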
This alarming automated SaaS ransomware extortion incident reveals a pivotal cybersecurity weakness: reliance on passwords. The assault on SharePoint Online underscores the critical vulnerability passwords pose, especially when multifactor authentication is absent. To thwart such breaches, it is not enough to strengthen passwords; we must redefine access security through passwordless and certificate-based authentication.
Certificate-based authentication introduces a robust framework against this type of exploitation. By leveraging digital certificates, this method validates identities with an assurance that passwords cannot match. The certificate itself is public; what matters is that the private key behind it stays in hardware and never leaves the device, so it cannot be phished, reused, or quietly copied the way a password can. And its integration with Public Key Infrastructure enables scalable deployment and two-factor authentication without the need for passwords.
Embracing passwordless methods not only elevates the security posture but also streamlines user access, effectively shutting down avenues for ransomware attackers. Organizations that adopt these technologies benefit from reduced administrative burden, enhanced compliance, and a fortified defense against the rising tide of SaaS-targeted attacks. They eliminate the weakest link—passwords—from the security chain, drastically narrowing the attack surface.
In short, by adopting certificate-based authentication companies can significantly mitigate the risk of unauthorized access and data breaches, ensuring that their SaaS platforms remain secure in an increasingly hostile digital landscape. As we move forward, the integration of these advanced authentication methods will be paramount in safeguarding against the sophistication of future cyber threats, making it not just a strategic move but a necessary evolution in cyber defense.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.