A SaaS security firm says a spike in cyberattacks from Russia and China in recent weeks suggests the two countries may be coordinating their cyber efforts.
SaaS Alerts, which helps managed service providers (MSPs) manage and protect customers’ SaaS applications, mentioned the finding in conjunction with the release of its annual SaaS Application Security Insights (SASI) report.
“Over the past few weeks, SaaS Alerts has seen a surge in activity from countries with consistently high levels of attempted and successful attacks originating from within their borders – Russia and China,” the company said in a press release. “The vast volumes of data analyzed suggest that these countries may even be coordinating attack efforts. According to analysis available on SaaS Alerts, the attack trend lines that compare Russia and China show almost the exact same pattern.”
Planet eSecurity checked with some well-known threat intelligence agencies, and while they did not conclude that the attacks were coordinated, they do confirm that China has increased cyber activity in Ukraine and Europe.
Ben Read, director of intelligence analysis at Mandiant, told Planet eSecurity that “we have seen similar activity at Google with China targeting Europe/Ukraine, but there is no indication that it is coordinated with Russia.”
The increase in cyber activity reported by SaaS Alerts and others coincides with the escalation of Russia’s unprovoked attack on Ukraine. Yesterday Resecurity Inc. reported that hackers – some linked to Russian GRU military intelligence – broke into the computers of nearly two dozen US liquefied natural gas (LNG) companies, and the FBI reported that the Russia-connected Ragnar Locker ransomware affected at least 52 critical infrastructure companies in January.
US security agencies have issued a number of critical infrastructure protection alerts in recent months, including a network security framework released last week (see US Security Agencies Release Network Security, Vulnerability Guidance).
SaaS applications under attack
With organizations using an average of 89 SaaS applications, according to Okta, these applications have become one of the most critical cybersecurity challenges – and the SaaS Alerts report highlights just how vulnerable they are.
In its report, SaaS Alerts said it analyzed 136 million SaaS security events in 2021 and found that the most successful unauthorized logins came from Russia, with China, Vietnam, Korea and Brazil being the other top sources (see table below). These attacks – using valid credentials – are difficult to detect without behavioral monitoring and geographic whitelisting, according to the report.
While some of these attacks may be state-sponsored, many come from less sophisticated attackers who have found it easier to acquire the necessary skills. And some governments, including Russia, have allowed cybercriminal groups to operate in their country in exchange for cooperation and promises not to attack the host country. Ragnar Locker, for example, terminates when it encounters a machine located in a country of the former USSR.
There have been around 10,000 brute force attacks against the nearly 130,000 MSP user accounts monitored by SaaS Alerts, so determined cybercriminals have multiple ways to compromise target accounts. Account credentials have also been used to log into third-party applications, which may result in data and account information being shared between SaaS applications.
“Users often make these connections out of convenience without considering potential security breaches,” the report notes.
SaaS Alerts looked at over 2,000 SMBs, and because the company’s platform is only available through the MSP channel, the data is specifically focused on SMBs that are served by MSPs.
Most Common Critical Alerts
The report found that the three most common critical SaaS alerts are geo-breaches, third-party app logins, and multiple account lockouts (image below).
The most common critical alert, “User Location: Outside Trusted Location”, occurs when there is a successful login to a user account from outside a trusted location or range of IP addresses. While this is sometimes a false positive due to misconfiguration of trusted locations or unexpected user travel, it still indicates a significant likelihood that a malicious actor has managed to compromise an account, according to the report.
The “SaaS integration alert” indicates that account credentials were used to sign in to a third-party application, which may result in data and other account information being shared between SaaS applications.
“Multiple Account Lockouts” refers to accounts that are locked out four or more times within a 12-hour period. For an account to be locked, it means that “malicious actors have successfully validated a correct account name and are actively trying (usually programmatically) password combinations to gain access to the account,” the report said.
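The two alert conditions described above (a successful login from outside a trusted IP range, and four or more lockouts within a 12-hour window) as a small detection pass over constructed log events. This is an added illustration, not SaaS Alerts’ own logic; the event format, the trusted range and the IP addresses are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real data): timestamp, user, event type, source IP.
EVENTS = [
    ("2021-11-03T08:02:00", "alice", "login_success", "203.0.113.10"),
    ("2021-11-03T08:10:00", "bob",   "lockout",       "198.51.100.7"),
    ("2021-11-03T09:30:00", "bob",   "lockout",       "198.51.100.7"),
    ("2021-11-03T11:45:00", "bob",   "lockout",       "198.51.100.9"),
    ("2021-11-03T13:05:00", "bob",   "lockout",       "198.51.100.9"),
    ("2021-11-03T14:20:00", "alice", "login_success", "198.51.100.23"),
    ("2021-11-04T02:00:00", "carol", "lockout",       "192.0.2.44"),
    ("2021-11-04T20:00:00", "carol", "lockout",       "192.0.2.44"),
]

# Assumed per-tenant "trusted location" configuration: the office egress range.
TRUSTED = [ip_network("203.0.113.0/24")]
LOCKOUT_THRESHOLD = 4            # four or more lockouts ...
LOCKOUT_WINDOW = timedelta(hours=12)  # ... inside any 12-hour window

def parse(events):
    """Turn the raw tuples into typed values so ranges and times compare correctly."""
    return [(datetime.fromisoformat(ts), user, ev, ip_address(ip))
            for ts, user, ev, ip in events]

def outside_trusted_logins(events, trusted=TRUSTED):
    """'User Location: Outside Trusted Location': successful logins from no trusted range."""
    hits = []
    for _, user, ev, ip in parse(events):
        if ev == "login_success" and not any(ip in net for net in trusted):
            hits.append((user, str(ip)))
    return hits

def multiple_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """'Multiple Account Lockouts': users with >= threshold lockouts in a sliding window."""
    per_user = {}
    for ts, user, ev, _ in sorted(parse(events), key=lambda e: e[0]):
        if ev == "lockout":
            per_user.setdefault(user, []).append(ts)
    flagged = set()
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)
```

Carol’s two lockouts are 18 hours apart and so do not trip the threshold, which is the kind of distinction a simple per-day count would miss.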
Guest accounts, file sharing are risks
Other common vulnerabilities include guest user accounts – the report found 42% of monitored accounts were guest accounts – and file sharing activity.
Organizations should set up guest accounts with the minimum required access and permissions and continuously monitor the activity of those accounts and deactivate unused guest accounts once they have completed their intended use, SaaS Alerts said.
Companies should also monitor SaaS file sharing activity “to determine whether or not users are using document creation and file sharing effectively and securely,” the report said. “End users should be trained to ensure they terminate ‘old’ sharing links to maintain proper security hygiene and mitigate risk.”
Office 365, the most attacked application
Not surprisingly given its size, Office 365 kept security professionals busy, with more than 110 million events, about 1% of which triggered alerts. Google Workspace, Salesforce and Dropbox followed in terms of security activity (image below).