Page 135 - Cyber Defense eMagazine January 2024
Identity Providers Are Still the Bullseye for Cloud Attacks
Okta, Microsoft Entra ID (Azure AD) and JumpCloud all experienced breaches in 2023, with Okta perhaps
suffering the brunt of customer exposure. Identity providers, while offering the convenience of centralized
authentication, have proven to be a security risk to many organizations. If a threat actor gains access to
a victim’s IdP instance, the impact is multi-cast, because they now have access to every application
that uses SSO through that IdP. If Okta itself is breached, this multi-cast is magnified exponentially,
as the threat actor can now potentially access all of Okta’s customer environments. Adding to this risk
is the increasing reliance on third parties and outsourced technical support teams for core help desk
services. Threat actors have found these organizations to be prime targets for reaching their downstream
customer base, and they play a significant role in the increased risk associated with the cloud supply
chain.
SaaS Providers Are Going to be Heavily Targeted in 2024
SaaS providers that have delegated access into customer environments via role assumption or persistent
keys will see an increase in targeted attacks. Threat actors will continue to focus on cloud supply chain
compromise to reach the downstream customers of those vendors. As with Okta, other, non-IdP SaaS
vendors present similar risks in the cloud’s supply chain: by compromising the vendor itself, threat
actors can access all of the customer tenants the vendor manages in its environment. If a threat actor
were able to gain access to GitHub’s platform, for instance, they could have access to code signing
certificates for the millions of customers that use it. If they were to compromise Jira, this could lead
to the compromise of sensitive data belonging to hundreds of thousands of companies. Many SaaS
infrastructure tools rely on access delegation, where the vendor is provided a credential within the
customer environment which it can assume externally. If a threat actor were able to compromise one of
these SaaS providers, they would gain access to those credentials in the provider’s customer
environments. These cloud SaaS vendors not only have tens of thousands of customers that would be
impacted downstream, but they are historically overprivileged. The P0 labs team has found that more
than 90% of the privileges granted to these vendors go unused, and attackers love nothing more than
overprivileged accounts and identities. The stakes are high in SaaS.
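The delegation pattern described above, a vendor-assumable role in the customer account, can be audited for both of the weaknesses the paragraph names: a credential that is too easy to assume, and privileges that are granted but never exercised. The following is an added example, not code from the article or from any vendor; the trust policies, permissions policy, account id and list of observed actions are all constructed samples in AWS IAM JSON shape, and the "observed" list stands in for what an access-log source such as CloudTrail would provide for the vendor's sessions.

```python
"""Added example, not from the article: audit a SaaS vendor's delegated
cross-account role for a missing sts:ExternalId condition / overly broad
principal in its trust policy, and for granted-but-unused privileges.
All policies and the observed-action list are constructed samples; the
account id and ExternalId value are placeholders."""
import fnmatch
import json

# Constructed: trust policy letting a hypothetical vendor account assume the role,
# with no sts:ExternalId condition (the weak setting).
VENDOR_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# Constructed: the same trust relationship with an ExternalId condition (the corrected setting).
HARDENED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")

# Constructed: permissions attached to the vendor role.
VENDOR_PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole", "lambda:InvokeFunction"], "Resource": "*"}
  ]
}
""")

# Constructed: API actions the vendor's assumed-role sessions were seen making
# during a review window (the kind of data CloudTrail would provide).
OBSERVED_ACTIONS = ["s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"]


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy):
    """Return weaknesses in the statements that allow sts:AssumeRole."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append("any AWS principal may assume the role")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition; confused-deputy protection is missing")
    return findings


def granted_actions(policy):
    """Flatten every Allow action pattern in a permissions policy (Deny statements ignored)."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def unused_privileges(granted, observed):
    """Granted action patterns that no observed action matched (IAM actions are case-insensitive)."""
    observed_lower = [a.lower() for a in observed]
    return [p for p in granted
            if not any(fnmatch.fnmatchcase(a, p.lower()) for a in observed_lower)]


def unused_ratio(granted, observed):
    """Fraction of granted action patterns with no observed use."""
    return len(unused_privileges(granted, observed)) / len(granted) if granted else 0.0


if __name__ == "__main__":
    for finding in trust_policy_findings(VENDOR_TRUST_POLICY):
        print("trust policy:", finding)
    granted = granted_actions(VENDOR_PERMISSIONS_POLICY)
    print("unused:", unused_privileges(granted, OBSERVED_ACTIONS))
    print(f"unused ratio: {unused_ratio(granted, OBSERVED_ACTIONS):.0%}")
```

The usage comparison works at the granularity of the policy's own action patterns, so a wildcard such as `ec2:*` counts as "used" as soon as one EC2 call is seen; a real review should expand each wildcard into the individual actions it grants before comparing against the used set, which is where the bulk of the unused privilege in an overprivileged vendor role usually hides. The ratio on this toy sample is not meant to reproduce the 90% figure cited in the text.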
Could A Major Cloud Service Provider Get Compromised?
If we think about the supply chain in the cloud, there are perhaps no greater stakes than the cloud service
providers like AWS, Azure and GCP. While these providers invest heavily in staff and tooling to secure
their platforms, they can be just as vulnerable to the risks that lie in support entities and third-party
contractors. It’s clear that threat groups are no longer interested in the diminishing returns of activities
like crypto mining. Compromising a victim’s identity provider, SaaS applications or CI/CD instances allows
threat actors to gain access to sensitive, valuable data in as little time as possible. If they are able to
compromise the cloud vendors themselves, the supply chain impact would be disastrous; if they can
compromise the cloud service providers themselves, the downstream impact would be catastrophic.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.