
We are now facing two concurrent threat actors actively targeting SaaS applications and their customers:
The first group, UNC6040 (also known as ShinyHunters or Scattered Spider), claims overlap with the actors behind the Snowflake breach. They are primarily using credential attacks and OAuth phishing campaigns against Salesforce customers. Once they gain access to a customer’s Salesforce organization, they bulk exfiltrate data and demand ransom payments. Based on their past behavior, if payments are not made, they will sell or dump the stolen data. This group has already compromised several well-known organizations.
This one is going to get much worse before it gets better. UNC6395 is rumored to be a nation-state APT. They initially breached the Salesloft Drift platform and possibly other Salesloft products. From there, they leveraged access to the core platform to compromise more than 700 customers via Salesloft integrations. Early reports suggested the attack was limited to Salesforce integrations, but this was never credible, in my opinion. The campaign has since expanded to Google Workspace and other integrations.
The Security Gaps Exposed
The gap in sophistication between these two threat actors is substantial. In just two months, we’ve gone from basic phishing attacks to an adversary with a deep understanding of SaaS application weaknesses, capable of exploiting integration misconfigurations and concealing their activity.
Notably, UNC6395 is harvesting secrets, tokens, and credentials, then using them to move laterally into other SaaS applications and even infrastructure environments like AWS. The reality is that 99% of SaaS customers do not know where these secrets are stored within their apps, making scoping and containment extremely difficult.
Protecting Against These Attacks
There are critical steps organizations can take to defend themselves. Importantly, the configurations and monitoring required to prevent or detect these attacks fall within the responsibility of the customer, not Salesforce or other SaaS vendors.
- Enforce Least Privilege
Understand and apply least privilege within your SaaS apps. For example, UNC6395 was able to query dozens of Salesforce objects to which Salesloft never needed access, enabled solely by poor integration account configurations.
- Avoid Overprivileged Accounts
Provision each user and integration with only the access required for their specific purpose. No shared integration profiles.
- Restrict Access by IP
Enforce IP restrictions on integrations and, ideally, on user accounts. If a vendor cannot provide fixed IP ranges dedicated to their integrations, find a different vendor.
- Deploy SaaS-Aware Detection
UNC6395 is more difficult to detect because their activity often originates from commercial cloud hosts (such as AWS) and targets specific data (secrets and credentials) to propagate their attack rather than simply mass-exfiltrating everything.
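The first three controls above are only useful if something checks them against what integrations actually do. The script below is an added example, not code from the original post or from any vendor: it runs a least-privilege and IP-restriction check over constructed, simplified Salesforce-like API events (the field names, the "drift-integration" user, the object list and the 203.0.113.0/24 "vendor range" are all assumed placeholders) and also measures how many distinct objects each integration touched, the breadth pattern the post describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in a simplified, Salesforce-like shape.
# These are NOT real Event Monitoring records; the field names are assumed.
SAMPLE_EVENTS = [
    {"user": "drift-integration", "ip": "203.0.113.10", "object": "Lead"},
    {"user": "drift-integration", "ip": "203.0.113.11", "object": "Contact"},
    {"user": "drift-integration", "ip": "198.51.100.7", "object": "Case"},
    {"user": "drift-integration", "ip": "198.51.100.7", "object": "Credential__c"},
    {"user": "alice", "ip": "192.0.2.20", "object": "Opportunity"},
]

# Assumed per-integration policy: the objects the integration legitimately
# needs and the vendor-published fixed egress range. Placeholder values.
INTEGRATION_POLICY = {
    "drift-integration": {
        "allowed_objects": {"Lead", "Contact"},
        "allowed_cidrs": [ipaddress.ip_network("203.0.113.0/24")],
    }
}

def ip_allowed(ip, cidrs):
    """True if the source IP falls inside one of the vendor's declared ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)

def find_violations(events, policy):
    """Return (user, reason, detail) tuples for integration activity that
    breaks the least-privilege object scope or the IP restriction."""
    findings = []
    for ev in events:
        rules = policy.get(ev["user"])
        if rules is None:
            continue  # human user or integration not covered by policy
        if ev["object"] not in rules["allowed_objects"]:
            findings.append((ev["user"], "object_outside_scope", ev["object"]))
        if not ip_allowed(ev["ip"], rules["allowed_cidrs"]):
            findings.append((ev["user"], "ip_outside_vendor_range", ev["ip"]))
    return findings

def object_breadth(events, policy):
    """Distinct objects touched per policed integration: a sudden jump in
    breadth is the 'queried dozens of objects' signal, even inside scope."""
    seen = defaultdict(set)
    for ev in events:
        if ev["user"] in policy:
            seen[ev["user"]].add(ev["object"])
    return {user: len(objs) for user, objs in seen.items()}

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS, INTEGRATION_POLICY):
        print(finding)
    print(object_breadth(SAMPLE_EVENTS, INTEGRATION_POLICY))
```

In practice the policy table comes from the access review done when the integration was provisioned, and the events from the platform's API/login audit feed; the two checks then run continuously rather than once.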
JOIN US THURSDAY, SEPT 18 for an interactive, live fireside chat with Brian Soby & Christie Terrill, CISO at Bishop Fox, as they discuss these two SaaS breaches and answer your direct questions.