Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a “hub” app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third party apps, and the potential for a threat actor to take over the core apps and abuse those permissions.
There’s no real concern that the app, on its own, will start deleting files or sharing data. As such, SaaS Security Posture Management (SSPM) solutions are able to identify integrated third party applications and present their permission scopes. The security team then makes a risk assessment, balancing the benefits the app offers with its permission scopes before deciding whether to keep or decouple the applications.
However, threat actors have changed the playing field with the introduction of malicious apps. These applications add nothing of value to the hub app. They are designed to connect to a SaaS application and perform unauthorized activities with the data contained within. When these apps connect to the core SaaS stack, they request certain scopes and permissions. These permissions then allow the app the ability to read, update, create, and delete content.
Malicious applications may be new to the SaaS world, but it’s something we’ve already seen in mobile. Threat actors would create a simple flashlight app, for example, that could be downloaded through the app store. Once downloaded, these minimalistic apps would ask for absurd permission sets and then data-mine the phone.
Threat actors are using sophisticated phishing attacks to connect malicious applications to core SaaS applications. In some instances, employees are led to a legitimate-looking site, where they have the opportunity to connect an app to their SaaS.
In other instances, a typo or slightly misspelled brand name could land an employee on a malicious application’s site. From there, as Eliana V points out in this episode of SaaS Security on Tap, it is just a few clicks before the app is connected to the core SaaS app with enough permissions to carry out malicious actions.
Other threat actors are able to publish malicious applications on app stores, such as the Salesforce AppExchange. These apps may deliver functionality, but hidden deep within are malicious acts waiting to be carried out.
As in the mobile world, oftentimes malicious applications will perform the functionality they promised. However, they are in a position to strike as needed.
Dangers of Malicious Apps
There are a number of dangers posed by malicious applications. In an extreme example, they can encrypt data and stage a SaaS ransomware attack.
Data Breaches – malicious third-party apps can access sensitive employee or customer records that are stored on the SaaS app. Once accessed, the malicious app can exfiltrate data and publish it online or hold it for ransom.
System Compromise – malicious apps can use the permissions granted to them to change settings within the core SaaS application, or add new high-privilege users. Those users can then access the SaaS app at will, and launch future attacks, steal data, or disrupt operations.
Compromise Confidentiality – the malicious app may steal confidential data or trade secrets. That data can then be published online, leading to significant financial losses, reputational damage, and the potential for onerous government fines.
Compliance Violations – by accessing data within the SaaS application, the malicious app may put an organization at risk of non-compliance. This can impact relationships with partners, customers, and regulators, and potentially lead to financial penalties.
Performance Issues – malicious apps can interfere with system performance by changing access configurations for users, disabling features, and causing latency and slow-down issues.
Protecting the data stored within the SaaS app should be one of the security team’s top priorities. To do so, they require SaaS threat detection capabilities that can identify malicious applications before they damage SaaS data.
This means gaining visibility into every third-party app connected to your hub apps, their permissions, and contextual information delineating what the app does. In addition, your hub apps’ security settings should be configured to prevent malicious attacks or limit their damage. These settings include requiring admin approval to connect apps, limiting the access that third-party apps have, and only allowing apps to be integrated that come from an approved app market for the hub app.
An SSPM, like Adaptive Shield, with the interconnectivity app detection capability, connected to your full SaaS stack will detect a malicious app. With the right SSPM, you can ensure your configurations are sufficient to prevent malicious apps from taking over your hub apps. It can also trigger alerts when app permission sets are too high or use AI to uncover anomalies or other unique profile identifiers that indicate an app is malicious, enabling your security team to keep your hub apps secure.