Report Surfaces Potential Russia-China Cyberattack Collusion
SaaS Alerts, a provider of a platform that managed service providers (MSPs) employ to secure software-as-a-service (SaaS) applications, published a report today that suggests a significant level of collusion occurring among cyberattacks being launched from within Russia and China.
The report is based on an analysis of approximately 136 million SaaS security events across a global base of 2,100 small and medium businesses (SMBs) spanning more than 120,000 user accounts.
SaaS Alerts CEO Jim Lippie said the attack trend lines for attacks from Russia and China show almost exactly the same pattern. By contrast, a chart of attacks emanating from Germany shows a pattern that isn’t even roughly similar, he noted.
Overall, the similarity in attack patterns suggests that as Russia and China become more politically aligned, the two superpowers are sharing cybersecurity intelligence to optimize attacks.
The report also noted that, on average, SaaS Alerts is seeing approximately 10,000 brute force attacks per day against the user accounts it monitors. The company tracks user logins from outside previously approved locations, account credentials that have been used to connect to a third-party application, and accounts that are locked four or more times within a 12-hour period.
Lippie said guest user accounts are one of the simplest and most regularly exploited SaaS vulnerabilities. A full 42% of the more than 129,000 monitored SaaS accounts are guest user accounts that, once created, many organizations forget to turn off, he noted.
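The three tracked conditions above (logins from unapproved locations, credentials granted to third-party applications, four or more lockouts in a 12-hour window) and the forgotten-guest-account problem all reduce to simple checks over an audit-log export. The following is an added example, not code from SaaS Alerts or the report; the event and account records, field names, the `APPROVED_LOCATIONS` and `APPROVED_APPS` allow lists and the 90-day idle threshold for guests are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All data below is constructed for this example; it is not from the SaaS Alerts report.
# Field names mimic a generic SaaS audit-log export (assumed format).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:00:00", "user": "alice", "type": "login", "country": "US"},
    {"ts": "2024-05-01T01:05:00", "user": "alice", "type": "login", "country": "RU"},
    {"ts": "2024-05-01T02:00:00", "user": "bob", "type": "lockout"},
    {"ts": "2024-05-01T03:00:00", "user": "bob", "type": "lockout"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "type": "lockout"},
    {"ts": "2024-05-01T13:30:00", "user": "bob", "type": "lockout"},
    {"ts": "2024-05-02T14:30:00", "user": "carol", "type": "lockout"},
    {"ts": "2024-05-01T14:00:00", "user": "carol", "type": "lockout"},
    {"ts": "2024-05-01T15:00:00", "user": "alice", "type": "oauth_consent", "app": "mail-sync-helper"},
    {"ts": "2024-05-01T16:00:00", "user": "bob", "type": "oauth_consent", "app": "calendar-connector"},
]
APPROVED_LOCATIONS = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"DE"}}
APPROVED_APPS = {"calendar-connector"}
SAMPLE_ACCOUNTS = [
    {"user": "alice", "guest": False, "last_signin": "2024-05-01T15:00:00"},
    {"user": "vendor-guest-1", "guest": True, "last_signin": "2024-01-10T08:00:00"},
    {"user": "vendor-guest-2", "guest": True, "last_signin": "2024-04-28T08:00:00"},
    {"user": "auditor-guest", "guest": True, "last_signin": None},
]


def _ts(s):
    return datetime.fromisoformat(s)


def unapproved_locations(events, approved):
    """Logins from a country that is not on the user's approved list."""
    return [(e["user"], e["country"], e["ts"])
            for e in events
            if e["type"] == "login" and e["country"] not in approved.get(e["user"], set())]


def repeated_lockouts(events, threshold=4, window=timedelta(hours=12)):
    """Users locked out `threshold` or more times within any span of length `window`.
    Timestamps are sorted per user, so out-of-order exports are handled."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "lockout":
            per_user[e["user"]].append(_ts(e["ts"]))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def unapproved_third_party_apps(events, approved_apps):
    """Account credentials granted to a third-party application not on the allow list."""
    return [(e["user"], e["app"]) for e in events
            if e["type"] == "oauth_consent" and e["app"] not in approved_apps]


def stale_guest_accounts(accounts, now, max_idle=timedelta(days=90)):
    """Guest accounts that never signed in or have been idle longer than `max_idle`."""
    stale = []
    for a in accounts:
        if not a["guest"]:
            continue
        if a["last_signin"] is None or now - _ts(a["last_signin"]) > max_idle:
            stale.append(a["user"])
    return stale


def run_checks(events=SAMPLE_EVENTS, accounts=SAMPLE_ACCOUNTS, now=datetime(2024, 5, 2)):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "unapproved_locations": unapproved_locations(events, APPROVED_LOCATIONS),
        "repeated_lockouts": sorted(repeated_lockouts(events)),
        "unapproved_apps": unapproved_third_party_apps(events, APPROVED_APPS),
        "stale_guests": stale_guest_accounts(accounts, now),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

The lockout check uses a sliding window over sorted timestamps rather than fixed calendar buckets, so four lockouts spread across a day boundary (as with `bob` here) are still caught, while two lockouts more than 12 hours apart (`carol`) are not.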
Finally, the report details a threat vector around risky file-sharing behavior: 19% of cloud file-sharing activity involves external parties rather than internal recipients. Over the last year, SaaS Alerts reported, SMBs shared approximately 440 files per hour.
In general, Lippie noted that many SaaS application events are considered low-level in terms of potential severity. Cybercriminals, however, often find the simplest way to compromise an entire IT environment is to inject malware into files via a SaaS application.
Organizations should also be aware of all the third-party applications using the OAuth protocol to provide access to multiple applications, noted Lippie. A bad actor may register an account with the OAuth provider using the same details as a target user, such as their known email address. Client applications may then allow a cybercriminal to sign in via an OAuth provider using a fraudulent account.
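The account-matching flaw described above comes down to how a client application maps an identity asserted by an OAuth/OpenID Connect provider onto a local account. Below is an added example, not code from the article or from SaaS Alerts, contrasting the weak pattern (log the caller into whichever local account carries the email the provider asserts) with a hardened one (match only on an issuer/subject pair the user has explicitly confirmed, and require a signed-in session plus a verified email before creating that binding). The `LocalUser` directory, the `USERS` records and the claim dictionaries are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    user_id: int
    email: str
    # (issuer, subject) pairs this user has confirmed from an authenticated session.
    linked_identities: set = field(default_factory=set)


# Constructed account directory for the example; not data from the article.
USERS = {
    1: LocalUser(1, "victim@example.com", {("https://idp-a.example", "sub-111")}),
}


def find_by_email(email):
    return next((u for u in USERS.values() if u.email.lower() == email.lower()), None)


def login_by_email_match(claims):
    """Weak pattern the article warns about: the app trusts whatever email the
    provider asserts and signs the caller into any local account with that address.
    If the provider lets anyone register an account under an arbitrary address,
    an account created with the target's email is accepted as the target."""
    user = find_by_email(claims.get("email", ""))
    return user.user_id if user else None


def login_by_bound_identity(claims):
    """Hardened: only a previously confirmed (iss, sub) pair resolves to a local
    account. An unknown identity is never merged into an existing account on the
    strength of a matching email, verified or not; it must go through link_identity."""
    key = (claims["iss"], claims["sub"])
    for u in USERS.values():
        if key in u.linked_identities:
            return u.user_id
    return None


def link_identity(user_id, claims, session_authenticated):
    """Explicit link step. Requires that the user is already signed in with their
    primary credential and that the provider marks the email as verified and it
    matches the account. Returns True when the binding was created."""
    user = USERS[user_id]
    if not session_authenticated:
        return False
    if not claims.get("email_verified"):
        return False
    if claims.get("email", "").lower() != user.email.lower():
        return False
    user.linked_identities.add((claims["iss"], claims["sub"]))
    return True
```

The hardened path keys on `(iss, sub)` because the subject identifier is the only claim the provider guarantees to be stable and unique for that issuer; email is user-controlled at many providers and should only ever be an input to an explicit, authenticated linking step.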
Many end users assume that their data is secure because an application is being maintained by a third party. However, just like any other cloud service, the responsibility for securing SaaS applications is shared. Once credentials are compromised, a cybercriminal not only gains access to all the data in that application but can also start to distribute malware via it.
As the number of SaaS applications in use grows exponentially, the ability of cybersecurity professionals to keep pace with securing those applications is sorely tested. Those concerns, however, are not likely to reduce reliance on SaaS applications any time soon.