The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.
In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider.
What Exactly Happened?
Microsoft Midnight Blizzard Breach
Microsoft was targeted by the Russian “Midnight Blizzard” hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin’s foreign intelligence service unit.
In the Microsoft breach, the threat actors:
- Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures.”
- Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft’s corporate environment.
- Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to the applications even if they lost access to the initially compromised account.
- Granted admin Exchange permissions and admin credentials to themselves.
- Escalated privileges from OAuth to a new user, which they controlled.
- Consented to the malicious OAuth applications using their newly created user account.
- Escalated the legacy application’s access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.
Recreation of illustration by Amitai Cohen |
Cloudflare-Atlassian Breach
On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised by a nation-state attack.
- This breach, which started on November 15, 2023, was made possible through the use of compromised credentials that had not been changed following a previous breach at Okta in October 2023.
- Attackers accessed Cloudflare’s internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian instance.
- 76 source code repositories related to key operational technologies were potentially exfiltrated.
- Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.
Can Your Security Team Monitor 3rd Party Apps? 60% of Teams Can’t
Think your SaaS security is top-notch? Appomni surveyed over 600 global security practitioners, and 79% of professionals felt the same – yet they faced cybersecurity incidents! Dive into the insights of the AppOmni 2023 Report.
Learn How You Can
Threat Actors Increasingly Target SaaS
These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, including but not limited to espionage and intelligence gathering. Midnight Blizzard previously engaged in significant cyber operations, including the 2021 SolarWinds attack.
These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational tech stack. They also highlight significant vulnerabilities related to SaaS identity management and the necessity for stringent 3rd-party app risk management practices.
Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:
- Initial access: Password spray, hijacking OAuth
- Persistence: Impersonates admin, creates extra OAuth
- Defense Evasion: Highly privileged OAuth, no MFA
- Lateral Movement: Broader compromise of connected apps
- Data Exfiltration: Grab privileged and sensitive data out of apps
Breaking the SaaS Kill Chain
One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:
- Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies
- Persistence: Scan and identify OAuth permissions and detect OAuth hijacking
- Defense Evasion: Access policy checks, detect if a new identity provider (IdP) is created, detect permission changes.
- Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand the blast radius of a potentially compromised account
Note: This expertly contributed article is written by Beverly Nevalga, AppOmni.