The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents have raised alarms about vulnerabilities inherent in major SaaS platforms. These incidents illustrate what’s at stake in SaaS breaches: Safeguarding the integrity of SaaS apps and their sensitive data is critical but not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations, and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.
In the case of Midnight Blizzard, the initial attack vector was password spraying against a test environment. In the case of Cloudflare-Atlassian, the threat actors initiated the attack via compromised OAuth tokens from a previous breach at Okta, a SaaS identity security provider.
What exactly happened?
Microsoft Midnight Blizzard hack
Microsoft has been targeted by Russian “Midnight Blizzard” hackers (also known as Nobelium, APT29 or Cozy Bear) who are linked to the SVR, the Kremlin’s foreign intelligence unit.
In the Microsoft breach, the threat actors:
- Used a password spray strategy against a legacy account and historical test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “[used] a low number of attempts to evade detection and avoid account lockout based on error volume.”
- Used the compromised legacy account as the initial entry point and then hijacked a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft’s corporate environment.
- Created malicious OAuth apps by leveraging the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to applications even if they lost access to the initially compromised account.
- Granted themselves Exchange administrator permissions and administrator credentials.
- Escalated OAuth privileges to a new user under their control.
- Authorized the malicious OAuth applications using the newly created user account.
- Further escalated the legacy application’s access by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and extract corporate emails and attachments.
[Figure: recreation of Amitai Cohen’s illustration]
Cloudflare-Atlassian hack
On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised in a nation-state attack.
- This breach, which began on November 15, 2023, was made possible by compromised credentials that had not been rotated following a previous breach at Okta in October 2023.
- The attackers gained access to Cloudflare’s internal wiki and bug database, allowing them to view 120 code repositories in Cloudflare’s Atlassian instance.
- 76 source code archives related to key operational technologies were potentially exfiltrated.
- Cloudflare detected the threat actor on November 23 after it linked a Smartsheet service account to an administrator group in Atlassian.
Threat actors are increasingly targeting SaaS
These breaches are part of a larger pattern of state actors targeting SaaS providers for purposes including, but not limited to, espionage and intelligence gathering. Midnight Blizzard has previously carried out major cyber operations, including the 2021 SolarWinds attack.
These incidents highlight the importance of continuous monitoring of SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and the operational technology stack. They also highlight significant vulnerabilities related to SaaS identity management and the need for rigorous third-party app risk management practices.
Attackers use common tactics, techniques, and procedures (TTPs) to breach SaaS providers, following this kill chain:
- Initial access: password spraying, OAuth hijacking
- Persistence: impersonating an administrator, creating additional OAuth apps
- Defense evasion: OAuth apps with elevated privileges, no MFA
- Lateral movement: wider compromise of connected apps
- Data exfiltration: taking privileged and sensitive data from apps
Breaking the SaaS kill chain
An effective way to break the kill chain early is through continuous monitoring, granular policy enforcement, and proactive lifecycle management in SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help detect and send alerts on:
- Initial access: default rules to detect credential compromise, including password spraying, brute-force attacks, and unenforced MFA policies
- Persistence: scanning for and identifying OAuth permissions, and detecting OAuth hijacking
- Defense evasion: checking access policies, detecting whether a new identity provider (IdP) has been created, and detecting permission changes
- Lateral movement: monitoring logins and privileged access, detecting toxic combinations, and understanding the reach of a potentially compromised account
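The password-spray detection rule mentioned above is easy to reason about in code. The following is an added example, not AppOmni’s or Microsoft’s code: it runs over constructed sign-in events and flags a source that fails against many distinct accounts while keeping per-account attempts low (the lockout-evading shape described in the Midnight Blizzard case), then lists any non-MFA account that later authenticated successfully from that source. The thresholds, field layout and sample IPs are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): timestamp, source IP,
# account, outcome, and whether MFA is enforced on the account.
SAMPLE_EVENTS = [
    ("2024-01-12T02:00:00", "198.51.100.7", "legacy-test-01", "fail", False),
    ("2024-01-12T02:04:00", "198.51.100.7", "legacy-test-02", "fail", False),
    ("2024-01-12T02:09:00", "198.51.100.7", "legacy-test-03", "fail", False),
    ("2024-01-12T02:13:00", "198.51.100.7", "legacy-test-04", "fail", False),
    ("2024-01-12T02:18:00", "198.51.100.7", "legacy-test-05", "fail", False),
    ("2024-01-12T02:22:00", "198.51.100.7", "legacy-test-02", "success", False),
    ("2024-01-12T02:30:00", "203.0.113.9", "alice", "fail", True),
    ("2024-01-12T02:31:00", "203.0.113.9", "alice", "fail", True),
    ("2024-01-12T02:32:00", "203.0.113.9", "alice", "success", True),
]

def parse(events):
    return [(datetime.fromisoformat(ts), src, acct, res, mfa)
            for ts, src, acct, res, mfa in events]

def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {source: sorted distinct accounts} for each source that failed against
    at least `min_accounts` distinct accounts inside `window` while never exceeding
    `max_per_account` failures on any one account (assumed thresholds)."""
    fails = defaultdict(list)  # source -> [(time, account)]
    for t, src, acct, res, _ in parse(events):
        if res == "fail":
            fails[src].append((t, acct))
    hits = {}
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide a window from each failure
            per_acct = defaultdict(int)
            for t, acct in items[i:]:
                if t - t0 > window:
                    break
                per_acct[acct] += 1
            if len(per_acct) >= min_accounts and max(per_acct.values()) <= max_per_account:
                hits[src] = sorted(per_acct)
                break
    return hits

def compromised_after_spray(events, spray_hits):
    """Accounts without MFA that later signed in successfully from a spraying
    source: these are the accounts to disable and investigate first."""
    return sorted(acct for _, src, acct, res, mfa in parse(events)
                  if src in spray_hits and res == "success" and not mfa)
```

Note that a simple per-account failure threshold would never fire on this data, which is exactly why the rule keys on the source rather than the account.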
Note: This expert-provided article was written by Beverly Nevalga, AppOmni.