(L-R) FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith testify during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack that resulted in a series of data breaches within several agencies and departments in the U.S. federal government. (Photo by Drew Angerer/Getty Images)

We often hear the term lateral movement in the course of an attack. It’s used in relation to threat actors leveraging the stolen credentials of one asset and using them on another to authenticate and propagate their attack. Once they do, they can navigate laterally through a network, hypervisor, or other technology to another resource.

Lateral movement lets the threat actors expand their coverage area into an environment and compromise more resources as they conduct their mission. However, lateral movement does not always require that credentials get compromised. In fact, lateral movement can occur through vulnerability and exploit combinations, misconfigurations, and most importantly, through files and resources shared by assets on-premises or in the cloud. This attack vector has been relatively unexplored, but has been shown in the SolarWinds case that attackers use auto-updates as vehicles for lateral movement. So how big are these risks, and what can security teams do to ensure that the company’s SaaS applications are not leveraged against them?

First, let’s explore lateral movement in a SaaS application. There are two primary attack vectors to consider:

  • Movement within the platform jumping from user to user.
  • Interaction with the platform to end-user or on-premises devices.

Attackers find movement from user to user difficult within a secure SaaS platform unless the threat actor knows the credentials for another user or the application, or it has been poorly configured to allow impersonation of another user. However, resources that are shared between users can allow for lateral movement. Consider a SaaS application that allows file uploads or embedded hyperlinks. If the files or URL’s are not properly vetted for malware, the threat actor can post content that an unsuspecting user may open in a browser or downloaded. A single threat actor who has access to a SaaS application could theoretically upload a malicious document that’s frequently used and infect a large client base before discovery. Or, a URL gets embedded in a frequent link that was innocuous when posted, but altered after hosting some malicious intent. The results are the same, movement between users in a SaaS application can occur via shared resources in the application and a malicious or hijacked user can enable a vehicle to compromise other users. And since there are no perfect anti-malware solutions, the more advanced the threat, the more likely this type of scenario could succeed.

Next, consider the interaction between a SaaS application and remote assets. As we have seen with the SolarWinds incident, a compromise in the supply chain allowed the auto-update services for Orion to contain malicious code that was delivered to SolarWinds clients. Essentially, any downloads from a cloud-based service could impact a remote device whether the intent was malicious or not.

Unfortunately, we have seen this several times throughout the years with bad ant-virus signatures that caused inappropriate file deletions, poor performance, or even system outages (i.e. blue screen of death). With the knowledge that a service in the cloud or SaaS application that downloads and executes code on a remote device could pose a threat, the potential for a supply chain attack, SaaS hijacking, or even poorly crafted update that was missed in quality control practices could impact an environment.

And, if the update contains malicious code, then the peer-to-peer lateral movement begins to expand to all systems in scope. The SaaS application becomes the unwitting delivery mechanism of malware or unwarranted configuration changes that allow a threat actor to engage lateral movement. Today, this has become primarily a supply chain issue, but SaaS hijacking is real and recently was attributed to the shutdown of a the LiveCoin cryptocurrency. Everything from back-end servers to social media was compromised and the cryptocurrency ground to a halt.

To combat both of these threats, change control can verify all updates and as a security best practice, all SaaS solutions should have MFA enabled for all users. Don’t rely on single-factor authentication, it’s just not acceptable considering the modern attack vectors we have seen used to compromise credentials.

Finally, maintaining an identity-centric security approach with privileged access management can also solve many of these problems. This includes ensuring all identities for humans and non-humans are as unique as possible, applications are implemented using least privilege principles, and secrets like passwords and keys are never reused. This helps ensure that if a SaaS application does manage to infect the company’s assets, other accounts and privileges cannot be used by traditional lateral movement techniques.

Lateral movement no longer runs asset-to-asset and device-to-device. The bad guys can use techniques in the cloud from files, URL’s, and updates to initiate an attack. Organizations must remain mindful of the security of their cloud solutions and most importantly, ensure the identities that have access have the appropriate privileges and permissions to mitigate platforms from being used in an advanced attack.

Morey Haber, CTO and CISO, BeyondTrust