AO Labs Notes An Over 300% Increase in SaaS Attacks


By Brian Soby, CTO and Co-Founder, AppOmni

AppOmni Labs, the dedicated SaaS threat detection unit of AppOmni, has noted an upward trend in threat activity on Salesforce Community Sites, in addition to other leading SaaS apps.  

The upward trend in SaaS-related threat activity was first noted on March 21st of this year and has since been steadily increasing. 

The recent article by Brian Krebs titled “Many Public Salesforce Sites are Leaking Private Data” has drawn considerable attention to the high prevalence of public data exposures in misconfigured Salesforce instances.

AO Labs has noted an over 300% increase in threat-related activity for AppOmni customers in the AppOmni Threat Detection console, coinciding with the recent Krebs on Security post. Reports from today (5/5/2023) stand out in particular and indicate unknown threat actors appear to be running published exploit code against a very large number of Salesforce instances.

SFDC Threat Activity in the AppOmni Threat Detection Console


 AppOmni’s Chief Product Officer Harold Byun notes: “Since the publication by Brian Krebs in late April, we have seen a significant spike in the number of scans and active alerts across thousands of Salesforce instances.”

AppOmni customers can actively monitor their Salesforce environments using AppOmni threat detection for the presence of Aura reconnaissance threat alerts and additional exploits, specifically targeting these types of data exposures.

AppOmni has been assisting customers affected by these data leakage gaps and has a dedicated group of threat researchers and client success teams available to help with remediation. The company also has a free data leakage detection scanner available to the general public to assess their SaaS environments.

This increase in SaaS threat-related activity is part of a broader trend in which B2B SaaS providers are targeted in well-orchestrated campaigns by threat actors. The targeting can in part be explained by the size of the attack surface these SaaS providers represent: they deliver services at scale to thousands of customer organizations across numerous industry verticals.

The growing incidence of SaaS attacks is also due to the fact that only a minority of organizations are actively prioritizing SaaS security from a risk-based perspective. Such an approach recognizes SaaS as part of the critical IT infrastructure, given the extent of sensitive data and workflows hosted by these apps.

Only by leveraging a SaaS Security Posture Management solution like AppOmni can organizations establish the necessary observability into SaaS cyber risks.  

SaaS Threat Vectors

Focusing specifically on Salesforce Community Sites, which are used by thousands of organizations, AppOmni Labs notes that the common threat vectors used by threat actors center on exploiting customer-side misconfigurations.

The likely end-goal of the threat actors is to compromise and/or steal data for financial gain. 

Commonly exploited Salesforce attack vectors include:

  • Excessive Guest User permission sets 
  • Excessive object and field permissions
  • Lack of multi-factor authentication enforcement
  • Inappropriately stored secrets
  • Overprivileged access to classified data
  • Over-provisioned or stale SaaS-to-SaaS connections 

SaaS in the Crosshairs

The increased attention on SaaS is part of a broader uptick in cybercrime across the board. The FBI notes a 49% increase in cybercrime-related damages over the past 12 months, totaling $10.3 billion in 2022.

Social engineering attacks and exploitation of human error (e.g. misconfigurations) are the leading threat vectors that result in data breaches. 

Attacks on SaaS are likely to increase, because the prominence of SaaS in the enterprise, already high, is expected to keep growing over the medium-to-long term. We at AppOmni call for the prioritization of SaaS by adopting a risk-based approach to SaaS security.

The SaaS Security Imperative

Without a purpose-built SaaS security solution like AppOmni to address this growing attack surface risk, threat actors will continue to find and exploit SaaS data exposure risk across a number of enterprise SaaS applications, with Salesforce being one of them.

Salesforce customers should confirm that their SSPM or XDR solution can detect when they fall victim to these exploit attempts. Of course, the best scenario is that customers have monitoring in place to guarantee that their Salesforce and other SaaS instances are properly configured and are not leaking data that would be subject to exploitation.

AppOmni was founded to address this SaaS security risk. As the leader in SaaS security and a top choice for Fortune 500 clients, AppOmni is on a mission to create a safer SaaS world.

See why some of the leading enterprises in the world have chosen AppOmni as their SaaS security solution of choice. Schedule a demo today. 
