How Attackers Can Own a Business Without Touching the Endpoint?

How Attackers Can Own a Business Without Touching the Endpoint

How Attackers Can Own a Business Without Touching the Endpoint?

A growing percentage of attackers are employing “networkless” attack methods to target cloud applications and identities.  A threat actor can (and is) compromise enterprises in the following manner: by never touching the endpoint or traditional networked systems and services.

Prior to delving into the specifics of the employed attack techniques, it is pertinent to examine the reasons behind the increasing prevalence of these attacks.

Adoption of VAPT Solutions Frequently Can Save A Fortune!

The adoption of VAPT Solutions will certainly assist an organization to deliver fruitful end results to the architecture of enterprise networks, as well as the locations of critical business systems and data.

Presently, the majority of organizations utilize tens to hundreds of SaaS applications for various business functions. While certain organizations have completely shifted to SaaS and have no traditional infrastructure, the majority have embraced a hybrid framework wherein a combination of on-premise, cloud, and SaaS services serve as the foundation for operational business applications.  Ultimately, these SaaS solutions need to be sure by a professional cybersecurity expert who can mitigate all the available cybersecurity vulnerabilities and flaws after finding them via the high-end methods of penetration testing.

Digital identities are increasingly complicated and hard to secure

The most fundamental form of identification is a user account for a service that requires a username, email address, and password for registration. In order to mitigate the potential for unauthorized access and the administrative complexities associated with a growing account count, organizations are turning to identity providers (IdPs) for the purpose of consolidating app access under a single platform and identity. This is accomplished through the use of authentication and authorization protocols such as single sign-on (SSO) and OAuth.

The specific composition of an identity can differ considerably. It is feasible to utilize various authentication mechanisms for a single account, depending on the application. These mechanisms may include SAML, social logins (OIDC), username and password, and more. SAML necessitates prior configuration by administrators for a specific app tenant, whereas users can enroll in an application via OIDC by utilizing the “sign in with Google” function.

Effectively, this results in the creation of multiple identities associated with a single account, which can cause considerable confusion and complexity; for instance, the app/account can still be accessed via one of the other login methods that have been established even after an IDP administrator deletes that account. This may complicate the identification of employed applications and identities within the organization.

Therefore, it is feasible to achieve a combination of the subsequent outcomes in practice:

  • On average, three identity providers are present per organization. (Okayta, Entra/Microsoft, Google, etc.)
  • Platforms for connected applications that serve as SSO servers (e.g., Atlassian Access, Adobe Creative Cloud).
  • SaaS applications that utilize distinct authorization (OAuth) and authentication (SAML, OIDC) protocols.
  • SaaS applications that utilize a local login username and password.
  • Secrets and credentials are stored in password manager and authenticator applications (which may be installed in browsers, on the local operating system, or in third-party applications).

It can become quite complicated, as the majority of organizations maintain an inventory of over 100 applications, which generates thousands of dispersed identities.

Approval for communication between apps may subsequently cause permissions and workflows in one app to influence other apps, dependent on the OAuth scopes that have been authorized for that app.

Identity serves as the cohesive element that binds this ecosystem. Existing regulations for identity protection, however, have significant limitations. Frequently, organizations believe that all of their identities and applications have implemented MFA or that all applications are SSO-enabled. In actuality, however, only one-third of applications support SSO (and many of these only at a substantial premium cost). Additionally, approximately sixty percent of unique identities (those not utilizing SSO) lack MFA registration.

As a result, substantial vulnerabilities exist in the security measures aimed at safeguarding cloud identities, despite the increasing prevalence of cloud applications and identities.

Attackers are targeting cloud identity vulnerabilities

An adversary is duly mindful of this. 74% of all attacks, according to Verizon’s 2024 DBIR, engaged the human element, with breached user accounts being the target of social engineering, privilege abuse, human error, or compromised credentials.

Although identity/phishing attacks have been the predominant attack vector since at least 2013, Crowdstrike’s most recent global threat report goes into greater detail, stating that 75% of access-gaining attacks were devoid of malware and that “cloud-conscious” attacks (which target cloud services intentionally rather than opportunistically to interfere with specific functionality) increased by 110%. Microsoft also reports that cloud identities are the target of roughly 4,000 password attacks per second.  Google employees have speculated that attempts to capture session cookies (and thus circumvent MFA) occur at a rate comparable to that of password-based attacks.

Beyond the numerical data, evidentiary violations that are visible to the public also support the same conclusion. Scattered Spider/0ktapus and APT29/Cozy Bear/The Dukes are threat organizations that demonstrate how attackers actively target IdP services, SaaS applications, and SSO/OAuth in order to launch high-profile attacks against companies such as Microsoft and Okta.

Cloud identities and applications are the new target of cybercriminals. As a result of the transition to cloud services, their value is equivalent to that of a conventional endpoint-based attack strategy intended to compromise a network perimeter. Identity has become, in numerous respects, the new attack surface. In contrast to alternative security boundaries such as the endpoint or network, this new perimeter poses a significantly lesser challenge in terms of the existing controls designed to defend it.

Historically, identity-based assaults were confined to the endpoint or neighboring “identity systems” such as Active Directory. The assailant intended to penetrate this perimeter in order to gain access to other areas of the organization. Identity has evolved to become a gateway to an ecosystem of cloud applications and services that are interconnected and accessed via the Internet. This has substantially altered the scale of the difficulty that security teams are now confronted with. Securing one hundred SaaS applications from credential-stuffing assaults is, in fact, considerably more difficult than protecting a solitary centralized external VPN/webmail endpoint from the past.

Cloud identities are the new perimeter

Cloud identities appear to be the forthcoming digital perimeter. Now, not in the future, is the time. The sole aspect that remains uncertain is the offensive strategies and tradecraft that will arise, as well as the industry’s reactionary measures to thwart them.

Security era Techniques of the day Industry response
2000s Traditional perimeter hacking Port scanners, vuln scanners, buffer overflows, web app attacks, WiFi hacking, client/server backdoors Firewalls, DMZs, patch management, secure coding, WPA, penetration testing
2010s Endpoint is the new perimeter Phishing, office macros, file format bugs, browser exploits, memory resident implants, C2 frameworks Endpoint hardening, EDR, SIEMS, red teaming, threat hunting
2020s Cloud identities are the new perimeter ??? ???


Informed by the endpoint-centric MITRE ATT&CK Framework, Craw Security usually offers world-class information through its blogs and articles on its Official Website.  Any person willing to update one’s information related to any form of cybersecurity attack or best practices, including Endpoint Security can seek guidance through their dedicated Telegram, WhatsApp, and YouTube Channels or even read their authentic blog posts for a deeper understanding.

Additionally, the blog post by Craw Security describes the practical applications of these methods; a summary of the most prevalent methods is provided below:

Technique Overview
AiTM phishing AiTM phishing operates by placing a web proxy between the victim and a legitimate registration portal for an application to which the victim has access via specialized software, primarily to circumvent MFA protection. By establishing a real-time proxy connection to the target login portal, an adversary gains access to a legitimate password and session data that can be pilfered and utilized to commandeer the session. A victim user will be able to view all the authentic data they would normally be able to see (e.g., their own emails/files, etc.) after logging in, as the application is merely a proxy. The likelihood of individuals discovering that their systems have been compromised is diminished as a result of the proxied application’s authentic functionality.
IM phishing Instant messaging applications such as Slack and Teams provide assailants with an excellent opportunity to circumvent more stringent email-based phishing protections surrounding malicious links and attachments. Due to the lack of user familiarity with these applications as delivery vectors for phishing attacks, the instantaneous and real-time characteristics of IM render it a viable vector for such attacks. It is possible to spoof or impersonate users via instant messaging, create a believable dialogue using bot accounts, abuse the link preview functionality, and edit messages and accounts in the past to clear your traces.
SAMLjacking SAMLjacking occurs when an assailant exploits the SAML SSO configuration settings of a SaaS tenant under their control to redirect users undergoing authentication to a malicious link of their choosing. Assuming users are anticipating to provide credentials and the original URL is a legitimate SaaS URL, this can be a highly effective deception technique. A compromised administrator account for a SaaS application may also be exploited for lateral movement by pointing the URL to a credential phishing page that resembles or proxies a legitimate authentication service (e.g., Google or Microsoft) or by modifying or enabling SAML. The adversary can then target users by sending the tenant links that appear to be legitimate and lead to the application’s login page; this operation functions as a watering hole attack.
Oktajacking Piracy can be conducted using an adversary’s own Okta tenant to execute incredibly persuasive phishing attacks. By forwarding login credentials for accounts associated with Active Directory (AD) to its own AD agent running on the target network, Okta enables this attack to succeed. Following this, Okta enables the agent to provide them with a report indicating whether the logon attempt was successful. This allows an assailant, possessing compromised or capable of emulating an AD agent, to not only observe the logon credentials of Okta users but also authenticate to Okta as any user of their choosing using skeleton keys-like functionality. It can also be utilized for lateral movement in a manner similar to SAMLjacking, with the exception that a redirect to a distinct malicious domain is not required.
Shadow workflows A shadow workflow is a method by which SaaS automation applications are utilized to execute malicious actions from a legitimate source via OAuth integrations in a manner similar to code execution. Essentially anything that is possible with the application’s API could be executed, including a daily export of files from shared cloud drives, automatic forwarding and deletion of emails, replication of instant messages, and exportation of user directories.


A Wholesome Cybersecurity Diploma Course To Enhance Your Knowledge

However, nothing quite compares to witnessing these techniques in action in order to fully comprehend their profound impact. Watch the following video featuring Mohit Yadav, a renowned cybersecurity expert and the Director-Founder of Craw Security. This video contains the following:

  • Elaborating you how would you understand the step-by-step comprehension of the 1 Year Cybersecurity Diploma.
  • The systematic subject-wise understanding of the fundamentals of cybersecurity right from scratch.
  • In order to understand things from the beginning of cybersecurity, how this course will help you in making a great career in cybersecurity, and many more things.

<YouTube Video Embedded URL>

Could you detect and respond to this attack?

Once one has observed the potential, it becomes critical to inquire whether one is capable of identifying and reacting to this particular attack scenario.

  • Could you identify the root of the AiTM phishing attempt?
  • In what number of users’ credentials would the SAMLjacking assault compromise?
  • Could you identify every backdoor in every SaaS application?
  • Alternatively, reset the Okta account’s password and MFA tokens.
  • Additionally, what about the credentials for all non-SAML applications?

The majority of organizations lack adequate protection against identity-based attacks. This is largely due to the fact that identity security controls are typically designed to protect central identity systems (such as Active Directory or Entra ID) rather than the identity infrastructure as it pertains to cloud applications and services.

Similarly, the investments made by organizations in controls are largely circumvented by these attacks. EDR tools, which are typically employed to safeguard underlying operating systems, are not significantly present in this context due to the fact that these applications are accessible through a web browser, which is progressively being touted as the new operating system. Identity protection is critical for safeguarding cloud services, as has been previously emphasized. Furthermore, endpoint security tools, IDP logs, and SaaS logs from individual apps and services fail to detect a substantial proportion of the attack chain. This includes phishing attempts in general, which include AiTM and BitB techniques designed to circumvent MFA, as well as password sharing across application and service platforms.

Currently, many organizations face significant challenges from these types of attacks due to the fact that they evade detection by conventional security tools and services.

Interested in learning more?

If you want to find out more about identity attacks in the cloud and how to stop them, check out Craw Security – you can try out their best-in-class 1 Year Cybersecurity Diploma Course in a demo session absolutely free!

To know more about anything, call now at their round-the-clock hotline number, +91-9513805401.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.


After Extorting $42 Million, the Akira Ransomware Gang Now Targeting Linux Servers

Phone Hacked using Battle Royale Game, Blackmailing Done in the Name of Data Misuse

Ministry of Finance’s Big Step To Stop Cyber Fraud, Crack Down on Banking Fraud

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?