Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
Ransomware attacks remained high in Q3 2024, with groups targeting sectors like Construction and Healthcare, often exploiting weak VPN credentials.
While the widespread adoption of cloud technologies has brought significant security benefits to small and mid-sized businesses, companies that are entirely cloud-hosted or SaaS-based still need defense in depth to protect their data. Corvus Claims observes that threat actors are increasingly targeting and obtaining login information for cloud environments in order to steal data, encrypt it, or both, for extortion purposes.
Cloud and SaaS providers do offer some security and protection over the data they store on behalf of a customer, but it is still the organization's job to add further layers. Specifically, which controls must a cloud-based organization implement and take ownership of? EDR, a resilient backup strategy and MFA must be top of mind to reduce overall security risk. Let's dig into why these controls matter.
Even if an organization is entirely SaaS-based, the endpoints that sign in to those cloud resources still need EDR. An endpoint can be the vehicle used to compromise cloud resources, leading to unauthorized data access or data exfiltration, and EDR gives the organization protection, visibility and control over devices that sit outside the SaaS environment's own visibility and control. Key reasons to deploy EDR on endpoints include:
Device hygiene and compliance: EDR helps ensure that devices are secure, up-to-date and compliant with security policies.
Visibility the provider cannot give you: the endpoints an organization owns are outside the SaaS environment, so the provider has no view of what runs on them.
Corvus threat intelligence shows threat actors increasingly targeting session cookies on end-user devices. A session cookie can be thought of as a badge that the browser shows an application or website to prove the user has already authenticated, so the user is not asked for credentials again. That convenience for the end user is exactly what makes the cookie worth stealing.
Once a session cookie is compromised, the attacker can present it to gain unauthorized access to the user's accounts and cloud resources without ever knowing the user's credentials (session hijacking), and because the cookie is issued after authentication has completed, MFA is not prompted again. Typically, malware on the victim's device harvests the cookies from the browser; this technique was most recently seen in the YouTube account hijacking attacks. Malware-infected downloads can also install keylogger spyware, which records keystrokes as the user types, handing the attacker the credentials directly. Short session lifetimes, revoking all of a user's sessions when their device is found to be compromised, and alerting when a session is suddenly used from an unexpected device all limit the damage a stolen cookie can do.
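As an added illustration of the last point (this is example code, not part of the Corvus report), the script below runs a simple hijack check over a handful of constructed access-log records. It assumes a hypothetical JSON-lines log with fields ts, sid, user, ip and ua, fingerprints each request by source network plus User-Agent, and raises an alert when one session id shows up from a second fingerprint while the first is still active.

```python
"""Flag session cookies replayed from a different client.

Added example; not code from the Corvus report. Works over constructed
JSON-lines access-log records (hypothetical field names: ts, sid, user,
ip, ua) and alerts when one session id is used from a second client
fingerprint while the first is still active.
"""
import ipaddress
import json

# Constructed sample records, not real traffic. Alice's session "a1f3" is
# reused from a different network and a scripted User-Agent: the pattern a
# cookie stolen by malware and replayed by the attacker leaves behind.
# Bob merely moves to another address on the same /24 with the same browser.
SAMPLE_LOG = """\
{"ts": 1727700000, "sid": "a1f3", "user": "alice", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128"}
{"ts": 1727700060, "sid": "a1f3", "user": "alice", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128"}
{"ts": 1727700120, "sid": "a1f3", "user": "alice", "ip": "198.51.100.77", "ua": "python-requests/2.32"}
{"ts": 1727700180, "sid": "b7c9", "user": "bob", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": 1727700240, "sid": "b7c9", "user": "bob", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def fingerprint(ip: str, ua: str) -> tuple:
    """Client fingerprint: source network (/24 for IPv4, /64 for IPv6) plus User-Agent.

    Keying on the network rather than the exact address tolerates an address
    change on the same ISP; a new network together with a new User-Agent is a
    much stronger hijack signal than either alone.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), ua)


def find_hijacks(log_text: str, idle_timeout: int = 3600) -> list:
    """Return one alert per session id seen from a second fingerprint within
    idle_timeout seconds of its previous use."""
    last_seen = {}  # sid -> (fingerprint, ts of last request)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        fp = fingerprint(ev["ip"], ev["ua"])
        prev = last_seen.get(ev["sid"])
        if prev is not None and prev[0] != fp and ev["ts"] - prev[1] <= idle_timeout:
            alerts.append({
                "user": ev["user"],
                "sid": ev["sid"],
                "ts": ev["ts"],
                "previous_client": prev[0],
                "new_client": fp,
            })
        last_seen[ev["sid"]] = (fp, ev["ts"])
    return alerts


if __name__ == "__main__":
    for a in find_hijacks(SAMPLE_LOG):
        print(f"possible session hijack: user={a['user']} sid={a['sid']} "
              f"{a['previous_client']} -> {a['new_client']}")
```

Run as-is it reports only Alice's session. In practice VPNs and mobile carriers will move legitimate users between networks, so a check like this is an alerting signal to tune, and the stronger control is for the application itself to bind the session to the client and force a fresh sign-in (with MFA) when the binding breaks.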
Like putting all your eggs in one basket, keeping the only copy of your data in a SaaS provider's environment (for example Microsoft 365 or Google Workspace) is not a good idea. It is a single point of failure that can lead to data loss if either:
Vendor-side failure or outage; or
The environment is compromised by a threat actor (malicious file deletion, ransomware, data corruption)
If those reasons are not convincing enough, Microsoft itself recommends that customers use a third-party backup solution. The Microsoft Services Agreement states:
“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or data loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
All this to say: the data, including its backups, is still the customer's responsibility. Keeping a clean copy of your cloud-hosted data with a third-party backup solution increases the odds that your organization can fully recover from an attack, and it minimizes downtime and the risk of data loss.
Data redundancy and protection is top of mind for many organizations, and that applies just as much to SaaS-based companies. A cloud-to-cloud (C2C) backup solution for your SaaS environment provides that redundancy and gives your organization a fighting chance in the event of an attack or disruption. Two checks matter in practice: the backup must not be reachable with the same administrator credentials an attacker gains by compromising the tenant, and restores should be tested periodically so the copy is known to be usable, not just present.
Credentials are the keys to an application or system, and a cloud-based organization is no different. Whether it is an admin account that can modify configurations or a regular user who can read sensitive company data, protecting initial access to resources is the first line of defense. This is where MFA becomes so important.
Rather than relying on a single password that can be phished or stolen, MFA requires the user to present a second authentication factor to access the account. If an attacker steals a username and password, they still have one more barrier to overcome.
MFA decreases the likelihood of a threat actor taking over an account, which protects against unauthorized access, data breaches and password-based attacks. Ensuring that access to your cloud-hosted resources is protected with MFA, on every account including administrators, improves your organization's security posture and decreases the likelihood of a successful attack. Keep in mind that MFA protects the sign-in, not the session it creates: a stolen session cookie (see above) is replayed after MFA has already been satisfied, which is why MFA, EDR and backups are layers rather than alternatives.
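To make the "one more barrier" concrete, here is an added example (not code from the Corvus report or from Microsoft's guidance) of a login check that requires a password and a time-based one-time code (RFC 6238 TOTP, one common second factor). The Account class and login method are hypothetical names; the point is that a stolen password alone fails, and a code that has already been used is rejected even inside the time window.

```python
"""Password + TOTP login check with replay protection.

Added example, not code from the Corvus report or Microsoft's guidance.
Demonstrates one common second factor (RFC 6238 TOTP) and why a stolen
password alone is not enough. Account and login are hypothetical names.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step), digits)


class Account:
    """A user record holding a salted password hash and a TOTP secret."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password, self._salt)
        self._totp_secret = totp_secret
        self._last_counter = -1  # highest time step already accepted (replay guard)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, password: str, code: str, now=None, window: int = 1) -> str:
        """Return 'ok' or the reason the attempt failed.

        A production service would return one generic failure to the client;
        distinct reasons are returned here only to show which layer held.
        """
        now = time.time() if now is None else now
        # First factor: constant-time comparison of the salted password hash.
        if not hmac.compare_digest(self._hash(password, self._salt), self._pw_hash):
            return "bad-password"
        # Second factor: accept the current step plus `window` steps either side
        # for clock drift, but never a step at or below the last one accepted.
        counter = int(now // 30)
        for c in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(self._totp_secret, c), code):
                if c <= self._last_counter:
                    return "replayed-code"
                self._last_counter = c
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector secret, not for real use
    acct = Account("alice", "correct horse battery staple", secret)
    t = 1_700_000_000
    good = totp(secret, t)
    print(acct.login("stolen-guess", good, now=t))                      # bad-password
    print(acct.login("correct horse battery staple", good, now=t))      # ok
    print(acct.login("correct horse battery staple", good, now=t))      # replayed-code
```

The replay guard matters because a keylogger that captures a password can capture the one-time code typed right after it; rejecting a code once it has been accepted closes that window. Note what this does not defend against: a session cookie issued after this check succeeds can still be stolen and replayed without triggering it, which is the gap EDR on the endpoint is there to cover.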
Other Helpful Resources
Endpoint Detection and Response (EDR)
Guide to Common Security Controls
How to implement Multi-Factor Authentication (MFA) (Microsoft)