(L-R) FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith testify during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack that resulted in a series of data breaches within several agencies and departments in the U.S. federal government. (Photo by Drew Angerer/Getty Images)

We often hear the term lateral movement in the course of an attack. It is used to describe threat actors taking the stolen credentials of one asset and using them on another to authenticate and propagate their attack. Once they do, they can navigate laterally through a network, hypervisor, or other technology to another resource.

Lateral movement lets threat actors expand their coverage area in an environment and compromise more resources as they conduct their mission. However, lateral movement does not always require that credentials be compromised. In fact, lateral movement can occur through vulnerability and exploit combinations, misconfigurations, and most importantly, through files and resources shared by assets on-premises or in the cloud. This attack vector has been relatively unexplored, but the SolarWinds case showed that attackers can use auto-updates as vehicles for lateral movement. So how big are these risks, and what can security teams do to ensure that the company’s SaaS applications are not leveraged against them?

First, let’s explore lateral movement in a SaaS application. There are two primary attack vectors to consider:
Movement within the platform jumping from user to user.
Interaction with the platform to end-user or on-premises devices.
Attackers find movement from user to user difficult within a secure SaaS platform unless the threat actor knows the credentials for another user or the application, or the platform has been poorly configured to allow impersonation of another user. However, resources that are shared between users can allow for lateral movement. Consider a SaaS application that allows file uploads or embedded hyperlinks. If the files or URLs are not properly vetted for malware, the threat actor can post content that an unsuspecting user may open in a browser or download. A single threat actor who has access to a SaaS application could theoretically upload a malicious version of a frequently used document and infect a large client base before discovery. Or a frequently used link is embedded whose destination was innocuous when posted but was later altered to host malicious content. The result is the same: movement between users in a SaaS application can occur via shared resources in the application, and a malicious or hijacked user can create a vehicle to compromise other users. And since there are no perfect anti-malware solutions, the more advanced the threat, the more likely this type of scenario could succeed.

Next, consider the interaction between a SaaS application and remote assets. As we have seen with the SolarWinds incident, a compromise in the supply chain allowed the auto-update services for Orion to contain malicious code that was delivered to SolarWinds clients. Essentially, any download from a cloud-based service could impact a remote device, whether the intent was malicious or not. Unfortunately, we have seen this several times throughout the years with bad anti-virus signatures that caused inappropriate file deletions, poor performance, or even system outages (i.e. the blue screen of death).
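The shared-resource vector above comes down to whether the platform vets what one user uploads before another user opens it. The following is an added example (not code from the article or from any SaaS vendor) of a server-side vetting gate a platform could run on every upload: it rejects content whose magic bytes mark it as native executable or script regardless of the name it was given, requires the declared extension to match the actual file header, and inspects Office Open XML documents (which are zip archives) for an embedded `vbaProject.bin`, the marker of VBA macros. All type tables and sample files are constructed for the example and are deliberately short; the SHA-256 it returns is what you would feed to a hash blocklist or a detonation sandbox afterwards, since as the article says no signature-based check alone is perfect.

```python
import hashlib
import io
import zipfile

# Header prefixes of content types a collaboration platform should never relay
# between users. Constructed list, not exhaustive.
BLOCKED_MAGIC = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"#!": "script-with-shebang",
}

# Allowed extensions and the header bytes each one must actually start with.
EXPECTED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # Office Open XML is a zip container
    ".xlsx": b"PK\x03\x04",
}

OFFICE_EXTENSIONS = {".docx", ".xlsx"}


def _office_has_macros(data):
    """Return True if the zip container holds a vbaProject.bin entry (embedded VBA)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        # Not a valid zip at all; the caller already verified the header, so treat as suspect.
        return True


def vet_upload(filename, data):
    """Vet one uploaded file. Returns (accepted, reason, sha256_hex).

    The digest is computed first so a rejected file can still be recorded and
    correlated with later uploads of the same content.
    """
    digest = hashlib.sha256(data).hexdigest()
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # 1. Native executables and scripts are refused whatever they are named.
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return False, f"blocked type: {label}", digest

    # 2. Only allow-listed extensions, and the header must agree with the extension.
    if ext not in EXPECTED_MAGIC:
        return False, f"extension not allowed: {ext or '(none)'}", digest
    if not data.startswith(EXPECTED_MAGIC[ext]):
        return False, "content does not match extension", digest

    # 3. Office documents are opened as archives and refused if they carry VBA.
    if ext in OFFICE_EXTENSIONS and _office_has_macros(data):
        return False, "office document contains VBA macros", digest

    return True, "ok", digest


def build_office_doc(with_macros):
    """Construct a minimal stand-in for a .docx so the gate can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)  # constructed marker entry
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("quarterly.pdf", b"%PDF-1.7\n%constructed\n"),
        ("quarterly.pdf", b"MZ\x90\x00constructed-pe-header"),   # executable renamed to .pdf
        ("template.docx", build_office_doc(with_macros=False)),
        ("template.docx", build_office_doc(with_macros=True)),
        ("setup.sh", b"#!/bin/sh\necho constructed\n"),
    ]
    for name, content in samples:
        accepted, reason, digest = vet_upload(name, content)
        print(f"{name:15} {'ACCEPT' if accepted else 'REJECT':6} {reason:40} {digest[:12]}")
```

The order of checks matters: the header test runs before the extension test so that a renamed executable is reported as what it is rather than as a mere extension mismatch, and the macro check runs only after the header has confirmed a zip container, which is why an unreadable archive at that point is treated as suspect rather than waved through.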
Given that a service in the cloud or a SaaS application that downloads and executes code on a remote device can pose a threat, a supply chain attack, SaaS hijacking, or even a poorly crafted update missed by quality control could impact an environment. And if the update contains malicious code, then peer-to-peer lateral movement begins to expand to all systems in scope. The SaaS application becomes the unwitting delivery mechanism for malware or unwarranted configuration changes that allow a threat actor to engage in lateral movement. Today this is primarily a supply chain issue, but SaaS hijacking is real and was recently attributed to the shutdown of the LiveCoin cryptocurrency. Everything from back-end servers to social media was compromised and the cryptocurrency ground to a halt.

To combat both of these threats, change control can verify all updates, and as a security best practice, all SaaS solutions should have MFA enabled for all users. Don’t rely on single-factor authentication; it’s just not acceptable considering the modern attack vectors we have seen used to compromise credentials.

Finally, maintaining an identity-centric security approach with privileged access management can also solve many of these problems. This includes ensuring all identities for humans and non-humans are as unique as possible, applications are implemented using least privilege principles, and secrets like passwords and keys are never reused. This helps ensure that if a SaaS application does manage to infect the company’s assets, other accounts and privileges cannot be used by traditional lateral movement techniques.

Lateral movement no longer runs only asset-to-asset and device-to-device. The bad guys can use techniques in the cloud from files, URLs, and updates to initiate an attack.
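The article's answer to the update vector is that change control should verify every update before it runs. One concrete shape for that gate, shown here as an added example rather than anything from the article, SolarWinds or BeyondTrust, is to separate approval from deployment: a change-control step records the SHA-256 of the exact package it reviewed in a manifest and authenticates the manifest, and the deployment step refuses to apply any package whose digest is not the approved one or whose manifest does not verify. The manifest is authenticated with an HMAC over a shared key purely to keep the example in the standard library; in a real pipeline the approving side would sign with an asymmetric key so that deployment hosts hold no signing secret. Key, package names and package bytes are all constructed.

```python
import hashlib
import hmac
import json


def _canonical(manifest):
    """Serialise the manifest deterministically so both sides authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def approve_update(approval_key, package_name, package_bytes, approved_by):
    """Change-control step: pin the digest of the reviewed package and authenticate the record.

    approval_key is a constructed shared secret; a production pipeline would use
    an asymmetric signature here instead of an HMAC.
    """
    manifest = {
        "package": package_name,
        "sha256": hashlib.sha256(package_bytes).hexdigest(),
        "approved_by": approved_by,
    }
    tag = hmac.new(approval_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_update(approval_key, signed_manifest, package_name, package_bytes):
    """Deployment step: return (allowed, reason). Nothing is executed unless allowed is True."""
    manifest = signed_manifest["manifest"]

    # 1. The approval record itself must be authentic before any field in it is trusted.
    expected_tag = hmac.new(approval_key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, signed_manifest["tag"]):
        return False, "manifest tag invalid"

    # 2. The record must be for this package, not an approval borrowed from another one.
    if manifest["package"] != package_name:
        return False, "manifest is for a different package"

    # 3. The bytes about to run must be exactly the bytes change control reviewed.
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "package digest does not match approved digest"

    return True, "ok"


def apply_update(approval_key, signed_manifest, package_name, package_bytes, executor):
    """Gate wrapper: call executor(package_bytes) only when verification passes."""
    allowed, reason = verify_update(approval_key, signed_manifest, package_name, package_bytes)
    if allowed:
        executor(package_bytes)
    return allowed, reason


if __name__ == "__main__":
    key = b"constructed-change-control-key"          # constructed secret
    package = b"constructed agent update payload v1.2.3"
    record = approve_update(key, "agent-update-1.2.3", package, "change-advisory-board")

    print(apply_update(key, record, "agent-update-1.2.3", package, lambda b: print("applied", len(b), "bytes")))
    # A package altered after approval, as in a supply chain compromise, is refused.
    print(apply_update(key, record, "agent-update-1.2.3", package + b"\x00", lambda b: print("never reached")))
```

Note that the gate checks the manifest before it compares digests: if the digest were compared first, an attacker who could edit the manifest alongside the package would simply record the new digest, which is exactly the case the authenticated record exists to catch.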
Organizations must remain mindful of the security of their cloud solutions and, most importantly, ensure the identities that have access hold only the appropriate privileges and permissions, so that these platforms cannot be used in an advanced attack.

Morey Haber, CTO and CISO, BeyondTrust
As the Chief Security Advisor at BeyondTrust, Morey J. Haber is the lead identity and technical evangelist at the company. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices.