How SSO and SaaS Make Spear-phishing Attacks More Dangerous

Written by Varonis

If you watch in real-time the actual tools that hackers use to compromise services and leverage that access to devastating purpose much of the theoretical questions of “Could we really get hit by an attack?” and “How bad could it really be?” fly out the window.

Reality hits particularly hard with the now widespread adoption of Single Sign-On (SSO) systems and the consolidation of SaaS access they provide.

While Single Sign-On systems are a net positive for organizations (they offer both a better security experience for users and better enforcement of security controls like multi-factor and password requirements). Their centralization of authentication functions across disparate SAAS services, internal directories, operating systems, and devices comes at a price, namely that it massively increases the amount of damage and data compromise that an attacker could achieve if they were able to successfully compromise an administrative account.

To help better ground this we’ve prepared the following scenario which walks through both;

• The tools an attacker could use to fool even a wary sysadmin
• How even with the controls to prevent an admin from gaining access to sensitive data how further accounts could be compromised widening the attack.

Phase 1: Spear Phishing

While phishing as a general attack has been around for years, the sophistication of phishing tools and the automation and polish that they have now puts them in another category of threat.

The EvilJinx phishing suite will launch an extremely high fidelity recreation of an Okta log-in page which captures the entered credentials, fakes an MFA response, and then captures the session token returned.

Using a tool like the ‘Cookie Editor’ extension an attacker can then insert the session token into their own session as if they had logged in themselves.

Phase 2: Executive Account Compromise

While just this much access is tremendously concerning and a huge issue, it gets much worse as the attacker can now modify the account linked emails of additional users in Okta to their own address allowing them full access to the linked SaaS application.

For each linked SaaS service the attacker can:

• Export a list of users
• Identify high value targets like executives
• Change their associated emails to gain access to their accounts
• Modify the underlying permissions of the data to allow for easy exfiltration of the data

In the screenshot above we’re showing how an attacker might modify the root permissions of a shared Google Drive to allow for full access from a dummy account.

Want to see this in more detail?

We’ve recorded a more detailed version of this attack scenario at https://www.brighttalk.com/webcast/10415/512789?utm_source=Varonis which goes into detail of both exactly how the attacks are launched, but also what steps you can take to identify the attacker’s activity and kill their attempts.