SaaS Alerts, a cybersecurity company delivering an automated software-as-a-service (SaaS) security platform designed to detect and stop unauthorised activity in customer SaaS applications, announced the findings of its latest SaaS Application Security Insights (SASI) Report that shows there is a massive opportunity for MSPs to help their small and mid-market business clients.
The 2024 SASI report analysed SaaS application security records of more than 18,000 SMBs and nearly two million end-user accounts last year. According to the report, SaaS security experts described a year of evolving cybersecurity threats where hackers concentrated on brute-force attacks, as well as developed new, more efficient techniques for breaching systems, such as token hijacking, PhaaS, and IP address localisation.
Findings in the 2023 SASI Report
Most alarming is the continued low adoption of MFA among MSPs’ clients
Most alarming is the continued low adoption of multi-factor authentication (MFA) among MSPs’ customers. Among the end-user accounts included in the 2024 report, only 35% enabled MFA, a slight 3% increase over the findings in the 2023 SASI Report. This threat is exacerbated by the fact that more users are using OAuth to log into other SaaS applications with their same Microsoft 365 or Google Workspace credentials.
The report also revealed a 75% increase in guest user accounts. Guest user accounts are created on the fly when sharing documents externally and are often left dormant and unmonitored. Because most guest user accounts are granted the same permissions as internal staff accounts, companies increase their exposure to data breaches and exfiltration.
Greater IT budgets
“There’s a promise of greater IT budgets and increased use of cloud applications in 2024, which is great news for MSPs. But it’s also a gift for cybercriminals who see the potential for broader and more unsecured attack surfaces,” said Jim Lippie, co-founder and CEO of SaaS Alerts.
“The rules are changing, and MSPs need to keep up. To protect their customers in this new environment, they’ll need greater visibility into user behaviour, login and geolocation data, and potential weak points.”
Global sources continue to dominate threats
Attempted unauthorised logins continue to rise in China, India, South Korea, Brazil, and Russia
Attempted unauthorised logins continue to rise in China, India, South Korea, Brazil, and Russia, accounting for 57% of the attempted intrusions last year combined. As U.S.-China tensions escalate, cyberattacks will likely follow.
While many of these attempted attacks are geared toward industrial espionage, China is also ramping up attacks on U.S. infrastructure networks. Similar efforts from Russia are also expected to increase.
Increase in SaaS applications
Microsoft 365 and Google Workspace were the most widely used SaaS applications in the dataset, so they naturally were the most active sources of critical alerts last year. However, only about 1% of alerts from M365 and Google required immediate attention. Meanwhile, Slack was more problematic, with 12% of related alerts identified as critical. That was an almost nine-point jump from Slack’s critical alerts ratio of 3.77% last year.
SaaS Alerts’ research has shown that attack tools have been actively created for over 50 distinct SaaS applications, including both business and consumer applications. “The increase in SaaS applications being targeted should serve as a warning to MSPs,” said Lippie. “When it comes to protecting your clients, SaaS security needs to move beyond M365 and Google.”
Common high-severity threats
Most of those events (97.5%) were low severity, leaving 60 million medium-severity and critical events to address
In 2023, SaaS Alerts monitored more than 2.5 billion SaaS events. Most of those events (97.5%) were low severity, leaving more than 60 million medium-severity and critical events to address. The most common high-severity threats included successful logins from outside approved locations, and files opened or downloaded outside an approved location.
“Alerts warn MSPs that something is happening that needs attention. When stacked together, they are indicators of compromise. Without proper monitoring in place, breaches can go undetected for months,” said Lippie. “SaaS Alerts stopped nearly 7,900 potential breaches last year using our automated Respond module. With Respond, bad actors can be blocked within five to 15 minutes of receiving data from Microsoft.”
Hackers changing tactics
In addition to traditional brute-force attacks, the report warns MSPs to be prepared for increased attacks with these methods:
- PhaaS, where hackers provide a list of email addresses with messages and logos of the companies they’re trying to impersonate to a PhaaS platform. The hacking software sets up a virtual server and runs the hack on autopilot. The program then sends back the stolen credentials.
- Token hijacking, which allows hackers to bypass MFA and Conditional Access, happens when bad actors set up a server between the end-user’s login screen and the SaaS service being logged into, such as M365, and allows them to intercept a user’s access token to then access the end-user’s account.
- IP address localisation allows hackers to get around geolocation fencing by localising their IP addresses to bypass foreign login flags.
Identify potential threats
To protect themselves and their customers from these attacks, MSPs should continue regular education to help customers identify potential threats and proactively monitor accounts for suspicious activities before they lead to extensive data exfiltration or loss. Other steps recommended in the report include:
- Enable and enforce MFA, both internally and with all clients.
- Track file-sharing activity to identify data exfiltration and internal threats.
- Store and regularly review historical user-behavior data, even if it didn’t lead to a breach.
- Promptly investigate and respond to unusual user behaviour that presents a potential threat.
- Monitor OAuth logins and don’t ignore other SaaS applications just because they’re not Microsoft or Google.