During the last week of March, three major tech companies (Microsoft, Okta, and HubSpot) reported major data breaches. DEV-0537, also known as LAPSUS$, carried out the first two. This highly sophisticated group uses state-of-the-art attack vectors with great success. The group behind the HubSpot breach has not been disclosed. This post reviews all three breaches based on publicly disclosed information and suggests best practices to minimize the risk of such attacks succeeding against your organization.
HubSpot – Employee Access
On March 21, 2022, HubSpot reported a breach that had occurred on March 18. Malicious actors compromised the account of a HubSpot employee who used it for customer support, and used that employee's access to multiple HubSpot accounts to access and export contact data.
With little information about this breach, defending against such an attack is challenging, but one setting within HubSpot can help: the “HubSpot Employee Access” control (shown in the figure below) in your HubSpot account settings. Customers should keep this setting disabled at all times, enable it only when they require specific assistance, and disable it again immediately after the service call is complete.
A similar setting appears in other SaaS applications and should be disabled there as well. Employee access is typically recorded in audit logs, which should be reviewed periodically.
Okta – Lack of device security for privileged users
Okta outsources some of its customer support to Sitel Group. On January 21, a member of Okta’s security team received an alert that a new MFA factor was added to a Sitel Group employee account from a new location.
An investigation revealed that a Sitel support engineer's computer had been compromised through Remote Desktop Protocol (RDP). RDP is a well-known attack surface that is typically disabled except when specifically needed, which helped Okta's researchers narrow the attack window to five days, between January 16 and 21, 2022.
Due to the limited access support engineers have to their system, the impact on Okta’s customers was minimal. Support engineers do not have access to create or delete users or download customer databases. Their access to customer data is also quite limited.
On March 22, DEV-0537, better known as LAPSUS$, shared screenshots online. In reply, Okta issued a statement saying, “there are no corrective actions for our customers to take.” The next day the company shared details of its investigation, which included a detailed response timeline.
While this breach was limited in the damage it caused, it does offer three important security lessons.
- Security from device to SaaS – securing the SaaS environment is not enough to protect against a breach. Protecting the devices used by users with elevated privileges is of the utmost importance. Organizations should review their list of elevated users and ensure their devices are secure; this can limit the damage from a breach through the attack vector Okta faced.
- MFA – It was the addition of an MFA factor that allowed Okta's security team to discover the breach. SSO doesn't go far enough; organizations that are serious about SaaS security should also include MFA security measures.
- Event monitoring – The Okta breach was discovered when security personnel saw an unexpected change in the event monitoring log. Reviewing events such as MFA changes, password resets, suspicious logins, and more is critical to SaaS security and should be done on a daily basis.
Cloudflare's investigation into the Okta compromise of January 2022 is a good example of a response to such a breach.
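The daily event review described in the list above, and the periodic audit-log review of vendor employee access recommended in the HubSpot section, can both be expressed as a handful of rules run over the identity provider's log export. The following script is an added example written for this post; it is not Okta's, HubSpot's or Adaptive Shield's code. The event names, field names, sample log lines, location baseline and privileged-user list are all constructed for the example and only loosely modelled on an identity provider's system log, so map them to your own vendor's schema before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one JSON event per line. The field names
# (eventType, actor, ip, country, outcome, target) are this example's
# own assumptions, not any vendor's real schema.
SAMPLE_LOG = """\
{"ts":"2022-01-16T09:02:11Z","eventType":"user.session.start","actor":"support.eng@example.com","ip":"203.0.113.10","country":"US","outcome":"SUCCESS"}
{"ts":"2022-01-16T09:05:40Z","eventType":"user.session.start","actor":"support.eng@example.com","ip":"198.51.100.7","country":"BR","outcome":"SUCCESS"}
{"ts":"2022-01-16T09:06:02Z","eventType":"user.mfa.factor.activate","actor":"support.eng@example.com","ip":"198.51.100.7","country":"BR","outcome":"SUCCESS"}
{"ts":"2022-01-17T11:00:00Z","eventType":"user.session.start","actor":"alice@example.com","ip":"203.0.113.55","country":"US","outcome":"FAILURE"}
{"ts":"2022-01-17T11:00:05Z","eventType":"user.session.start","actor":"alice@example.com","ip":"203.0.113.55","country":"US","outcome":"FAILURE"}
{"ts":"2022-01-17T11:00:09Z","eventType":"user.session.start","actor":"alice@example.com","ip":"203.0.113.55","country":"US","outcome":"FAILURE"}
{"ts":"2022-01-17T11:00:20Z","eventType":"user.session.start","actor":"alice@example.com","ip":"203.0.113.55","country":"US","outcome":"SUCCESS"}
{"ts":"2022-01-18T08:30:00Z","eventType":"user.account.reset_password","actor":"helpdesk@example.com","target":"bob.admin@example.com","ip":"203.0.113.20","country":"US","outcome":"SUCCESS"}
{"ts":"2022-01-18T10:00:00Z","eventType":"vendor.support_access.enabled","actor":"bob.admin@example.com","ip":"203.0.113.20","country":"US","outcome":"SUCCESS"}
{"ts":"2022-01-18T10:15:00Z","eventType":"user.mfa.factor.activate","actor":"carol@example.com","ip":"203.0.113.30","country":"US","outcome":"SUCCESS"}
"""

# Constructed baseline: countries each user has historically signed in from.
KNOWN_COUNTRIES = {
    "support.eng@example.com": {"US"},
    "alice@example.com": {"US"},
    "bob.admin@example.com": {"US"},
    "carol@example.com": {"US"},
}

# Constructed list of accounts with elevated privileges.
PRIVILEGED_USERS = {"bob.admin@example.com", "support.eng@example.com"}

FAILED_LOGIN_THRESHOLD = 3          # failures before a success becomes suspicious
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse one JSON event per line, skip blanks, return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review_events(events, known_countries, privileged_users):
    """Return the findings an analyst should look at, in time order."""
    findings = []
    recent_failures = defaultdict(list)   # (actor, ip) -> failure timestamps

    for ev in events:
        actor, etype, ts = ev["actor"], ev["eventType"], ev["ts"]

        # Rule 1: a new MFA factor enrolled from a country outside the user's
        # baseline. This is the kind of signal that surfaced the Okta incident.
        if etype == "user.mfa.factor.activate":
            if ev["country"] not in known_countries.get(actor, set()):
                findings.append({"rule": "mfa_factor_new_location", "user": actor,
                                 "ts": ts, "detail": f"{ev['country']} via {ev['ip']}"})

        # Rule 2: several failed sign-ins followed by a success from the same IP.
        elif etype == "user.session.start":
            key = (actor, ev["ip"])
            if ev["outcome"] == "FAILURE":
                recent_failures[key].append(ts)
            else:
                window = [t for t in recent_failures[key] if ts - t <= FAILED_LOGIN_WINDOW]
                if len(window) >= FAILED_LOGIN_THRESHOLD:
                    findings.append({"rule": "success_after_failures", "user": actor,
                                     "ts": ts, "detail": f"{len(window)} failures from {ev['ip']}"})
                recent_failures[key] = []

        # Rule 3: a password reset on a privileged account, whoever performed it.
        elif etype == "user.account.reset_password":
            if ev.get("target") in privileged_users:
                findings.append({"rule": "privileged_password_reset", "user": ev["target"],
                                 "ts": ts, "detail": f"reset by {actor}"})

        # Rule 4: vendor/employee support access switched on. It should be rare
        # and short-lived, so every occurrence is reviewed against a ticket.
        elif etype == "vendor.support_access.enabled":
            findings.append({"rule": "support_access_enabled", "user": actor,
                             "ts": ts, "detail": "confirm a support request justified this"})

    return findings


def daily_review():
    """Run the rules over the constructed sample log and return the findings."""
    return review_events(parse_events(SAMPLE_LOG), KNOWN_COUNTRIES, PRIVILEGED_USERS)


if __name__ == "__main__":
    for f in daily_review():
        print(f"{f['ts']:%Y-%m-%d %H:%M}  {f['rule']:<26} {f['user']:<26} {f['detail']}")
```

Against the sample log the script raises four findings: the factor enrolled from a country outside the support engineer's baseline, the successful sign-in that followed three failures, the password reset on a privileged account, and the employee-access toggle being switched on; the factor carol enrolled from a known country is correctly ignored. The country baseline is the part that needs real data: build it from weeks of successful sign-ins per user rather than hard-coding it as done here.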
Microsoft – MFA for all privileged users
On March 22, Microsoft Security shared information about an attack it suffered at the hands of DEV-0537. Only one Microsoft account was compromised, which resulted in source code being stolen and published.
Microsoft assured its users that the LAPSUS$ attack did not compromise their information and further stated that there was no risk to any of its products due to the stolen code.
Microsoft did not share specifically how the breach was carried out, though it did alert readers that LAPSUS$ actively recruits employees in telecommunications, major software developers, call centers, and other industries to share credentials.
The company also offered these suggestions to secure the platforms against these attacks.
- Strengthen MFA implementation – MFA breaches are a key attack vector. Organizations should require stronger MFA options such as Authenticator or FIDO tokens, limiting SMS and email as much as possible.
- Require healthy and reliable endpoints – Organizations must continually assess the security of devices. Ensure devices accessing SaaS platforms comply with your security policies by enforcing secure device configurations with a low vulnerability risk score.
- Take advantage of modern authentication options for VPNs – VPN authentication should use modern authentication options such as OAuth or SAML.
- Strengthen and monitor your cloud security posture – Organizations should, at a minimum, configure conditional access based on session and user risk, require MFA, and block high-risk logins.
For a complete list of Microsoft’s recommendations, see East Note.
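The four recommendations above (stronger factors, healthy endpoints, risk-based conditional access, blocking high-risk logins) are layers of one access decision, and the order in which they are checked matters: a strong factor must never rescue a sign-in that risk or device health should have blocked. The following evaluator is an added example written for this post, not Microsoft's conditional access engine or any vendor's product. The factor ranking, risk levels, device vulnerability scale, policy fields and sample sign-ins are all this example's own assumptions; it shows a weak legacy policy beside a hardened one so the effect of each control is visible.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered factor strengths; SMS and email rank lowest, following the
# recommendation above. Names and ranks are this example's own.
FACTOR_STRENGTH = {"password_only": 0, "sms": 1, "email": 1, "authenticator_app": 2, "fido2": 3}
RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    privileged: bool
    factor: str               # strongest factor satisfied in this sign-in
    device_compliant: bool    # reported by endpoint management (assumed input)
    device_vuln_score: int    # 0 clean .. 100 badly exposed (assumed scale)
    session_risk: str         # none / low / medium / high
    user_risk: str


@dataclass
class Policy:
    block_session_risk_at: Optional[str] = "high"   # None = never block on risk
    block_user_risk_at: Optional[str] = "high"
    require_compliant_device: bool = True
    max_vuln_score: int = 30
    min_factor: str = "authenticator_app"            # everyone
    min_factor_privileged: str = "fido2"             # admins and support roles


def _at_or_above(level, threshold):
    return threshold is not None and RISK_LEVELS[level] >= RISK_LEVELS[threshold]


def evaluate(s, p):
    """Return (decision, reason); decision is 'block', 'step_up' or 'allow'.

    Checks run in order of severity: risk-based blocks first, then device
    health, then MFA strength, so a strong factor never overrides a block.
    """
    if _at_or_above(s.session_risk, p.block_session_risk_at):
        return "block", f"session risk is {s.session_risk}"
    if _at_or_above(s.user_risk, p.block_user_risk_at):
        return "block", f"user risk is {s.user_risk}"
    if p.require_compliant_device and not s.device_compliant:
        return "block", "device is not compliant"
    if s.device_vuln_score > p.max_vuln_score:
        return "block", f"device vulnerability score {s.device_vuln_score} exceeds {p.max_vuln_score}"
    required = p.min_factor_privileged if s.privileged else p.min_factor
    if FACTOR_STRENGTH[s.factor] < FACTOR_STRENGTH[required]:
        return "step_up", f"factor {s.factor} is weaker than required {required}"
    return "allow", "all controls satisfied"


# Weak baseline: SMS is enough, any device is fine, no risk-based blocking.
LEGACY_POLICY = Policy(block_session_risk_at=None, block_user_risk_at=None,
                       require_compliant_device=False, max_vuln_score=100,
                       min_factor="sms", min_factor_privileged="sms")

# Hardened policy matching the four recommendations above.
HARDENED_POLICY = Policy()

# Constructed sign-in attempts.
SAMPLE_SIGNINS = [
    SignIn("support.eng", True, "sms", False, 55, "low", "low"),
    SignIn("analyst", False, "authenticator_app", True, 10, "high", "low"),
    SignIn("admin", True, "authenticator_app", True, 5, "none", "none"),
    SignIn("admin", True, "fido2", True, 5, "none", "none"),
]


def compare_policies(signins=SAMPLE_SIGNINS):
    """Evaluate each sign-in under both policies; returns {user/factor: (legacy, hardened)}."""
    return {f"{s.user}/{s.factor}": (evaluate(s, LEGACY_POLICY)[0], evaluate(s, HARDENED_POLICY)[0])
            for s in signins}


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        for name, pol in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
            decision, reason = evaluate(s, pol)
            print(f"{name:<8} {s.user:<12} {s.factor:<18} {decision:<8} {reason}")
```

Under the legacy policy every sample sign-in is allowed. Under the hardened policy the support engineer on a non-compliant device is blocked before MFA strength is even considered, the high-risk session is blocked despite a good factor, and the admin with an authenticator app is asked to step up to a FIDO token; only the admin with FIDO2 on a compliant device is allowed outright.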
Securing SaaS platforms is a significant challenge, and as seen this week, even global companies need to stay on top of their security. Malicious actors continue to evolve and improve their attack methods, forcing organizations to constantly be vigilant and prioritize their SaaS security.
Strong passwords and SSO solutions are no longer enough on their own. Businesses need advanced security measures such as strong MFA, IP Allow Lists, and blocking unnecessary access from support engineers. An automated solution like SaaS Security Posture Management (SSPM) can help security teams stay on top of these issues.
The importance of device security in SaaS is another takeaway from these attacks. Even a fully secure SaaS platform can be compromised when a privileged user accesses a SaaS application from a compromised device. Take advantage of a security solution that combines device security posture with SaaS security posture for complete end-to-end protection.
The challenge of securing SaaS solutions is complex and too onerous to complete manually. SSPM solutions, such as Adaptive Shield, can provide automated SaaS security posture management, with configuration control, endpoint posture management, and third-party application control.
Note: Hananel Livneh, Senior Product Analyst at Adaptive Shield, wrote and contributed to this article.