Responding to Risks From the Russia-Ukraine War

As the Russian invasion of Ukraine continues, companies around the world are increasingly concerned with the growing threat of potential cyberattacks and retaliation. In recent weeks, Russian actors have launched an unprecedented number of cyberattacks to spread misinformation and disrupt and destroy critical infrastructure. Wiper malware hit a number of Ukrainian banking systems while various Ukrainian government agency websites were either defaced or taken offline entirely. Although many of these cyberattacks have been targeted at Ukrainian institutions, the global security community has already taken note of the increased risk of cyberthreats originating from the conflict region—and teams are on high alert.

As economic sanctions against Russia set in and weaken the Russian economy, it is likely that Russian cyberattacks will increase, motivated both by economic gain—such as ransomware, business email compromise and spear phishing—and by retaliation. In late February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its “Shields Up” advisory, warning businesses to prepare for potentially disruptive cybersecurity activity in the wake of Russia’s invasion. More recently, the Biden administration released a statement warning of “evolving intelligence that the Russian Government is exploring options for potential cyberattacks” and urging “private sector partners to harden your cyber defenses immediately.”

In these times, communication and collaboration between security teams, researchers, vendors and industry leaders is absolutely imperative to ensuring critical organizations—especially those in targeted sectors—are equipped to protect themselves and respond effectively to threats.

Our team is committed to sharing the insights we gain from being a software-as-a-service (SaaS) security leader with the wider community and providing assistance to industries that need it, especially mission-critical business applications. Below are some SaaS-specific concerns for your team to be aware of and how to respond to this increased cybersecurity threat.

Cyberthreats to SaaS Applications

Attackers recognize that most organizations today entrust a wealth of their sensitive business data to their core applications and are looking for any opportunity to gain unauthorized access to these services.

CISA recently issued an advisory regarding Russian state-sponsored activity that enabled attackers to gain network access by exploiting misconfigurations in Duo multifactor authentication (MFA). After brute-forcing entry into an inactive account, the attackers enrolled one of their own devices into Duo MFA. Once authenticated to the network, they exploited the Windows PrintNightmare vulnerability to obtain administrative privileges, then modified a domain controller file to prevent the Duo MFA server from authenticating logins. The default MFA configuration allowed a new device to be enrolled on a dormant account and permitted “fail open” behavior, meaning single-factor authentication is accepted if the MFA server is unreachable.
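The two weaknesses in that advisory, device enrollment on a dormant account and authentications accepted because MFA failed open, are both visible in authentication logs if you look for them. The following Python is an added example, not code from the article or from Duo: it runs two checks over a constructed auth log and then correlates the source addresses across both finding sets. The event field names, the `mfa` status labels (`passed`, `bypass`) and the 90-day dormancy threshold are assumptions, not any vendor's log schema.

```python
"""Added example (not from the article or any vendor): flag the two MFA weaknesses the
CISA advisory describes, enrollment of a new MFA device on a dormant account and
logins that succeeded because MFA "failed open", over a constructed auth log.
Field names and the "mfa" status labels are assumptions, not a real product's schema."""
from datetime import datetime

DORMANT_DAYS = 90  # an account with no MFA-verified login for this long is treated as dormant

# Constructed sample events, ISO-8601 timestamps. mfa labels (assumed):
#   "passed" - second factor verified
#   "bypass" - MFA server unreachable, password alone was accepted (fail open)
EVENTS = [
    {"ts": "2021-10-01T09:00:00", "user": "alice", "type": "login", "mfa": "passed", "src": "10.0.0.5"},
    {"ts": "2022-03-10T22:14:00", "user": "alice", "type": "enroll", "device": "phone-1", "src": "203.0.113.7"},
    {"ts": "2022-03-10T22:15:00", "user": "alice", "type": "login", "mfa": "passed", "src": "203.0.113.7"},
    {"ts": "2022-03-11T01:02:00", "user": "bob", "type": "login", "mfa": "bypass", "src": "203.0.113.7"},
    {"ts": "2022-03-11T08:00:00", "user": "carol", "type": "login", "mfa": "passed", "src": "10.0.0.9"},
    {"ts": "2022-03-11T08:05:00", "user": "carol", "type": "enroll", "device": "phone-2", "src": "10.0.0.9"},
    {"ts": "2022-03-11T09:30:00", "user": "dave", "type": "enroll", "device": "phone-3", "src": "203.0.113.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_dormant_enrollments(events, dormant_days=DORMANT_DAYS):
    """Return enrollments where the account had no MFA-verified login in the
    preceding dormant_days, or never had one (days_dormant is None for 'never')."""
    findings = []
    last_good_login = {}  # user -> datetime of the most recent mfa=passed login seen so far
    for ev in sorted(events, key=_ts):  # chronological, so only earlier logins count as history
        if ev["type"] == "login" and ev.get("mfa") == "passed":
            last_good_login[ev["user"]] = _ts(ev)
        elif ev["type"] == "enroll":
            prev = last_good_login.get(ev["user"])
            days = (_ts(ev) - prev).days if prev else None
            if prev is None or days >= dormant_days:
                findings.append({"user": ev["user"], "device": ev["device"],
                                 "src": ev["src"], "days_dormant": days})
    return findings


def find_fail_open_logins(events):
    """Logins accepted without a second factor because the MFA service was
    unreachable; under a fail-closed policy these would have been denials."""
    return [ev for ev in events if ev["type"] == "login" and ev.get("mfa") == "bypass"]


def shared_sources(dormant, fail_open):
    """Source addresses present in both finding sets. One source doing both is
    the pattern the advisory describes and deserves priority triage."""
    return sorted({d["src"] for d in dormant} & {f["src"] for f in fail_open})


if __name__ == "__main__":
    dormant = find_dormant_enrollments(EVENTS)
    fail_open = find_fail_open_logins(EVENTS)
    for x in dormant:
        print("dormant-account enrollment:", x)
    for x in fail_open:
        print("fail-open login:", x["user"], "from", x["src"])
    print("sources in both finding sets:", shared_sources(dormant, fail_open))
```

Carol's enrollment minutes after a verified login is not flagged, which is the normal self-service case; Alice's enrollment after 160 days of silence and Dave's enrollment with no verified login at all are. Any `bypass` login is worth a finding on its own, because the durable fix is a fail-closed policy rather than better detection of fail-open events.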

Attackers are also effectively bypassing MFA by intercepting or stealing SaaS session tokens, whether through man-in-the-middle phishing or by purchasing stolen tokens on the dark web. With a valid session token, an attacker can interact freely with the user’s SaaS application, generating API keys, installing OAuth applications and generally going undetected by most security tools.

A few months ago, we wrote about an increase in unsophisticated phishing attacks against Workday and various other human capital management systems where attackers rerouted the direct-deposited paychecks of multiple employees. Considering the heavy international economic sanctions levied upon the Russian state, security teams should prepare for retaliatory attacks looking to maximize financial return. Security teams should have plans in place to deal with these threats and to ensure the continuity of critical business systems.

Account compromises aren’t the only concern here; larger enterprises should be wary of potential insider threats as individuals take sides. Paying close attention to abnormal behavior patterns—unusually high download/deletion volume or forwarding business emails to a personal inbox, for example—can help teams detect and mitigate potential insider threats. Security teams should also use this opportunity to consider reducing user privileges across applications, as unnecessary permissions only increase the overall risk to the organization. In addition, monitoring your third-party risk and software supply chain is critical. This is especially important in the sprawling SaaS application install base, where the interconnected web of SaaS applications, integrations and their opaque data flows increases your overall surface area and exposure to data loss and compromise.
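The two behavior patterns named above, a spike in download/deletion volume and mail forwarding to a personal inbox, translate directly into audit-log heuristics. The following Python is an added example, not code from the article or from any SaaS vendor: it compares each user's daily download/delete count with that user's own earlier days, and flags forwarding rules whose destination is outside the corporate mail domains. The event fields, the `example.com` corporate domain, the 5x spike factor and the 20-event floor are assumptions chosen for illustration.

```python
"""Added example (not from the article): two insider-threat heuristics over a
constructed SaaS audit log, a per-user spike in download/delete volume against that
user's own recent baseline, and mail-forwarding rules pointed at non-corporate
domains. Event fields, thresholds and domains are assumptions for illustration."""
from collections import defaultdict
from statistics import mean

CORP_DOMAINS = {"example.com"}  # assumed corporate mail domains
SPIKE_FACTOR = 5    # flag a day at more than 5x the user's prior daily average...
MIN_COUNT = 20      # ...but never for fewer than 20 events, so tiny baselines do not create noise
VOLUME_ACTIONS = {"download", "delete"}


def _bulk(user, action, date, n):
    """Build n constructed events of one kind for one user on one day."""
    return [{"date": date, "user": user, "action": action, "target": f"doc-{i}"} for i in range(n)]


# Constructed sample log: dave's download volume jumps 50x on 2022-03-10,
# erin stays within her normal range, frank adds an external forwarding rule.
EVENTS = (
    _bulk("dave", "download", "2022-03-07", 3)
    + _bulk("dave", "download", "2022-03-08", 3)
    + _bulk("dave", "download", "2022-03-09", 3)
    + _bulk("dave", "download", "2022-03-10", 150)
    + _bulk("erin", "download", "2022-03-09", 10)
    + _bulk("erin", "download", "2022-03-10", 12)
    + [
        {"date": "2022-03-10", "user": "frank", "action": "forward_rule",
         "target": "frank@personal-mail.example"},
        {"date": "2022-03-10", "user": "erin", "action": "forward_rule",
         "target": "team-inbox@example.com"},
    ]
)


def daily_counts(events, actions=VOLUME_ACTIONS):
    """(user, action) -> {date: count} for the bulk-volume actions."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] in actions:
            counts[(ev["user"], ev["action"])][ev["date"]] += 1
    return counts


def find_volume_spikes(events, factor=SPIKE_FACTOR, min_count=MIN_COUNT):
    """Compare each day with the mean of that user's earlier days for the same
    action. A user's first observed day has no baseline and is never flagged."""
    findings = []
    for (user, action), per_day in daily_counts(events).items():
        dates = sorted(per_day)
        for i, day in enumerate(dates):
            if i == 0:
                continue
            baseline = mean(per_day[d] for d in dates[:i])
            count = per_day[day]
            if count >= min_count and count > factor * baseline:
                findings.append({"user": user, "action": action, "date": day,
                                 "count": count, "baseline": round(baseline, 1)})
    return findings


def find_external_forwarding(events, corp_domains=CORP_DOMAINS):
    """Forwarding rules whose destination is outside the corporate mail domains."""
    findings = []
    for ev in events:
        if ev["action"] != "forward_rule":
            continue
        domain = ev["target"].rsplit("@", 1)[-1].lower()
        if domain not in corp_domains:
            findings.append({"user": ev["user"], "date": ev["date"], "target": ev["target"]})
    return findings


if __name__ == "__main__":
    for f in find_volume_spikes(EVENTS):
        print("volume spike:", f)
    for f in find_external_forwarding(EVENTS):
        print("external forwarding rule:", f)
```

The baseline is per user and per action rather than a single global threshold, so a power user's normal 40 downloads a day does not page anyone while a 3-a-day user jumping to 150 does. The absolute floor matters as much as the ratio: without it, a user going from one file to six would trip the 5x test.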


Ben Johnson

Ben Johnson is a husband and father and co-founder of Obsidian Security and Carbon Black. He is a passionate CTO, a technical advisor to the US FISA Court at the Department of Justice and former NSA, CIA, and DoD. Ben is also the president of NGO-ISAC, the volunteer-run ISAC focused on improving the collective threat intelligence and cyber defense for non-profits. He is a Cyber Security Advisory Group member for a global, multi-billion dollar vaccine research non-profit and an advisor to Evolve Security (security services and academy). Ben also is the executive vice president for Pacific Explorers, a Newport Beach non-profit focused on strengthening the community through memories and outdoor events for dads and their kids.
