In the last week of March, three major tech companies — Microsoft, Okta, and HubSpot — reported major data breaches. DEV-0537, also known as LAPSUS$, ran the first two. This highly sophisticated group uses advanced attack vectors with great success. Meanwhile, the group behind HubSpot’s breach has not been disclosed. This blog will review the three breaches based on publicly disclosed information and suggest best practices to minimize the risk of such attacks succeeding against your organization.
HubSpot – Employee Access
On March 21, 2022, HubSpot reported a breach that had happened on March 18. Malicious actors compromised a HubSpot employee account that the employee used for customer support. This allowed them to access contact data and export it from multiple HubSpot accounts using that employee's access.
With little information about this breach, defending against an attack is difficult, but a key configuration in HubSpot can help: the “HubSpot Employee Access” control (shown in the figure below) in HubSpot’s account settings. Customers should keep this setting off at all times, enable it only when they need specific assistance, and turn it off again immediately after the service call is complete.
A similar setting appears in other SaaS applications and should be disabled there as well. Employee access is typically recorded in audit logs, which should be reviewed regularly.
Okta – Lack of Device Security for Privileged Users
Okta outsources part of its customer support to the Sitel Group. On January 21, a member of Okta’s security team received an alert that a new MFA factor had been added to a Sitel Group employee’s account from a new location.
An investigation revealed that a Sitel support engineer’s computer had been compromised through remote desktop protocol access. This well-known attack path is normally disabled unless specifically needed, which helped Okta investigators narrow the attack timeframe to a five-day window between January 16 and January 21, 2022.
Due to the limited access support engineers have to the system, the impact on Okta customers has been minimal. Support engineers cannot create or delete users or upload customer databases, and their access to customer data is also quite limited.
On March 22, DEV-0537, more commonly known as LAPSUS$, shared screenshots online. In response, Okta released a statement saying, “there is no corrective action for our customers to take.” The next day the company shared the details of its investigation, which included a detailed response timeline.
Although this breach was limited in the damage it caused, it offers three important security lessons.
- Device Security for SaaS – Securing a SaaS environment is not enough when it comes to protecting against a breach. Securing the devices used by highly privileged users is of paramount importance. Organizations should review their list of high-privileged users and ensure their devices are secure. This can limit the damage of a breach through the attack vector Okta faced.
- MFA – It was the alert on a newly added MFA factor that allowed Okta’s security team to discover the breach. Single sign-on doesn’t go far enough, and organizations that take SaaS security seriously need to include MFA security measures as well.
- Event Monitoring – The Okta breach was discovered when security personnel saw an unexpected change in the event monitoring log. Investigating events such as MFA changes, password resets, suspicious logins, etc., is essential for SaaS security and should be done daily.
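The daily review described above, and the audit-log review recommended for employee access under HubSpot, both come down to the same routine: parse the identity provider's event log, keep a per-user baseline of where successful logins have come from, and raise anything that breaks the pattern. The following is an added example written for this article, not code from Okta, HubSpot or Adaptive Shield. It assumes Okta System Log event type names (`user.session.start`, `user.mfa.factor.activate`, `user.account.reset_password`) and a simplified version of that JSON shape; the log lines themselves are constructed.

```python
"""Daily triage of identity events: flag MFA enrolments and password resets
from locations a user has never successfully signed in from, plus failed
logins. Event shape loosely follows Okta System Log JSON (assumption); the
sample lines below are constructed for this example."""
import json
from collections import defaultdict

# Okta System Log event type names (assumed to match Okta's documentation).
MFA_FACTOR_ENROLLED = "user.mfa.factor.activate"
PASSWORD_RESET = "user.account.reset_password"
SESSION_START = "user.session.start"

# Constructed sample log: one JSON object per line, deliberately out of order.
SAMPLE_LOG = """\
{"published": "2022-01-16T09:05:00Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support.engineer@example.com"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States", "city": "Miami"}}}
{"published": "2022-01-15T09:00:00Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support.engineer@example.com"}, "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United States", "city": "Miami"}}}
{"published": "2022-01-17T08:30:00Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "analyst@example.com"}, "client": {"ipAddress": "203.0.113.22", "geographicalContext": {"country": "United States", "city": "Denver"}}}
{"published": "2022-01-20T22:41:00Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "support.engineer@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Netherlands", "city": "Amsterdam"}}}
{"published": "2022-01-20T22:43:00Z", "eventType": "user.account.reset_password", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support.engineer@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Netherlands", "city": "Amsterdam"}}}
{"published": "2022-01-20T22:44:00Z", "eventType": "user.mfa.factor.activate", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "support.engineer@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "Netherlands", "city": "Amsterdam"}}}
{"published": "2022-01-21T08:00:00Z", "eventType": "user.mfa.factor.activate", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "analyst@example.com"}, "client": {"ipAddress": "203.0.113.22", "geographicalContext": {"country": "United States", "city": "Denver"}}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON and sort chronologically.
    ISO-8601 UTC timestamps sort correctly as plain strings."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])


def location(event):
    geo = event["client"]["geographicalContext"]
    return (geo["country"], geo["city"])


def triage(events):
    """Walk events in time order. The baseline of known locations per user is
    built only from successful logins seen *before* the event being judged,
    so an enrolment from a brand-new location is not whitewashed by later
    activity from the same place. Returns (severity, user, description)."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        user = e["actor"]["alternateId"]
        et = e["eventType"]
        ok = e["outcome"]["result"] == "SUCCESS"
        country, city = location(e)
        ip = e["client"]["ipAddress"]
        where = f"{city}, {country} ({ip})"
        if et == SESSION_START:
            if ok:
                seen[user].add((country, city))
            else:
                reason = e["outcome"].get("reason", "unknown")
                findings.append(("low", user, f"failed login from {where}: {reason}"))
        elif et == MFA_FACTOR_ENROLLED and ok:
            if (country, city) in seen[user]:
                findings.append(("medium", user, f"new MFA factor enrolled from known location {where}"))
            else:
                findings.append(("high", user, f"new MFA factor enrolled from never-before-seen location {where}"))
        elif et == PASSWORD_RESET:
            sev = "medium" if (country, city) in seen[user] else "high"
            findings.append((sev, user, f"password reset from {where}"))
    return findings


def daily_review(raw=SAMPLE_LOG):
    """Entry point for the daily review: findings ordered high -> medium -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(triage(parse_events(raw)), key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, user, desc in daily_review():
        print(f"[{sev.upper():6}] {user}: {desc}")
```

Run against the constructed log, the two support-engineer events from the unseen location (the password reset and the MFA enrolment) come out as high, the analyst's enrolment from an already-seen city as medium, and the failed login as low. In a real deployment the baseline would be loaded from a longer history rather than the same day's log, and the event type names should be checked against the provider's documentation.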
See Cloudflare’s investigation of the January 2022 Okta compromise for a good example of a response to such a breach.
Microsoft – MFA for all privileged users
On March 22, Microsoft Security shared information regarding an attack carried out by DEV-0537. Only a single Microsoft account was compromised, which resulted in source code being stolen and released.
Microsoft assured its users that the LAPSUS$ attack did not compromise any of their information and further stated that there is no risk to any of their products due to the stolen code.
Microsoft did not specifically share how the breach was carried out, although it did alert readers that LAPSUS$ is actively recruiting employees in telecommunications, major software developers, call centers and other industries to share credentials.
The company also offered the following suggestions for securing platforms against such attacks.
- Strengthen MFA implementation – MFA gaps are a key attack vector. Organizations should require stronger MFA options, such as Authenticator apps or FIDO tokens, and limit SMS and email as factors as much as possible.
- Require healthy and trusted endpoints – Organizations should continuously assess device security. Ensure that devices accessing SaaS platforms adhere to their security policies by enforcing secure device configurations with a low vulnerability risk score.
- Take advantage of modern authentication options for VPNs – VPN authentication should use modern authentication options such as OAuth or SAML.
- Strengthen and monitor your cloud security posture – Organizations should, at a minimum, set conditional access for users and session risk configurations, require MFA, and block high-risk logins.
For a full list of Microsoft’s recommendations, see Microsoft’s post.
Securing SaaS platforms is a major challenge, and as we’ve seen this week, even global enterprises need to stay on top of their security. Malicious actors continue to evolve and improve their attack methods, which requires organizations to be constantly on the lookout and prioritize their SaaS security.
Strong passwords and SSO solutions are no longer enough on their own. Businesses need advanced security measures, such as strong MFA, IP allow lists, and blocking unnecessary access from help desk technicians. An automated solution such as SaaS Security Posture Management (SSPM) can help security teams master these issues.
Another takeaway from these attacks is the importance of device security in SaaS. Even a fully secure SaaS platform can be compromised when a privileged user accesses a SaaS application from a compromised device. Leverage a security solution that combines device security posture with SaaS security posture for complete end-to-end protection.
The challenge of securing SaaS solutions is complex and too tedious to overcome manually. SSPM solutions, such as Adaptive Shield, can provide automated SaaS security posture management, including configuration control, endpoint posture management, and third-party application control.
Note – This article is written and contributed by Hananel Livneh, Senior Product Analyst at Adaptive Shield.