What Real-Life SaaS Attack Misconfiguration Exploits Can Teach Us

It’s unfortunate but true: SaaS attacks continue to increase. You can’t get around it, COVID-19 accelerated the already exploding SaaS market and caused industries not planning on making a switch to embrace SaaS.

With SaaS apps becoming the default system of record for organizations, it has left many struggling to secure their company’s SaaS estate. CISOs and security professionals work to limit this burgeoning threat landscape, however, it’s a work in progress.  

One slight misconfiguration or unsafeguarded user permission presents a possible attack vector. The thing is that most organizations now have hundreds of SaaS apps. This amounts to hundreds of global settings as well as thousands to tens of thousands of user roles and permissions to configure, monitor, and consistently update. It’s no wonder there are so many exploitable misconfigurations with the sheer volume of settings and configurations.  

There are a few notable exploited misconfigurations, from default built-in file sharing, and lack of password enforcement, albeit no password to multi-factor authentication (MFA), to the risks of legacy protocols and OAuth apps, that can bring a little clarity to understanding the complex landscape that is a company’s SaaS security posture.

Default authorization misconfiguration exposes NASA, among many others

Security researcher Avinash Jain found a single security misconfiguration in the JIRA collaboration tool that opened up many Fortune 500 companies as well as NASA to a potential leak of corporate data and personal information. This information disclosure was the result of an authorization misconfiguration in Jira’s Global Permissions settings.

When the filters and dashboards for the projects/issues are created in JIRA, then by default the visibility was set to “All users” and “Everyone” respectively. Instead of sharing roadmap tasks etc. internally, it shared them publicly.

Lesson 1: Check file sharing configurations in every SaaS to ensure confidential information is not shared publicly.

Attackers target Citrix with insecure legacy protocols

60% of Microsoft Office 365 and G Suite tenants have been targeted with IMAP-based password-spraying attacks, according to researchers. The attackers target the legacy and insecure IMAP protocol to bypass MFA settings and compromise cloud-based accounts providing access to SaaS apps. It’s reported that Citrix was one such target in an ironic twist as they specialize in federated architectures, yet the FBI suggested that the attackers gained a foothold with password spraying and then bypassed additional layers of security. Read more:https://bit.ly/3jsBiHA

Leave a Reply

Your email address will not be published. Required fields are marked *