SMB Cyberattacks Originating from Russia and China On Rise, Says SaaS Alerts Data

SaaS Alerts has uncovered that the majority of attacks on SaaS platforms such as Microsoft 365, Google Workspace, Slack and Dropbox originate from Russia and China. These findings are detailed in the company’s newly released, semiannual SaaS Application Security Insights (SASI) Report. 

The report analyzes approximately 136 million SaaS security events across 2,100 small and medium businesses (SMBs) globally. It also identifies cyber trends that are negatively impacting businesses.

The findings of the report take into account security events occurring across more than 120,000 user accounts in 2021. The data can aid providers who are managing a portfolio of SaaS applications. This will arm them with important data and trends to support defensive IT security realignments as needed, the company said.

Rise in SaaS Platforms Attacks

Over the last several weeks, SaaS Alerts has seen an uptick in activity from countries with consistently high attack levels. These are, of course, Russia and China. The significant amount of data analyzed suggests these countries may even be coordinating attack efforts. Analysis shows that attack trend lines comparing Russia and China show almost the exact same pattern.

According to the Brookings Institute, “The U.S. National Security Strategy declares Russia and China the two top threats to U.S. national security. At the best of times, U.S.-Russia ties are a mixture of cooperation and competition, but today they are largely adversarial… Russia’s increasingly close relationship with China represents an ongoing challenge for the United States. While there is little that Washington can do to draw Moscow away from Beijing, it should not pursue policies that drive the two countries closer together, such as the trade war with China and rafts of sanctions against Russia.” 

During the course of 2021, SaaS Alerts monitored more than 136 million SaaS platforms/security events. During this time, the company collected and analyzed the anonymous SaaS application security data. The idea was to identify a breakdown of cyberattacks on the most popular SaaS applications in use by SMBs today.

Key Findings of the Report

• On average, SaaS Alerts is seeing approximately 10,000 “brute force” attacks per day against the user accounts monitored by SaaS Alerts.
• Current data indicating that attempted unauthorized logins are coming from actors located in China, Vietnam, Russia, Korea and Brazil.
• Successful unauthorized logins are originating in Russia, China, Vietnam, Korea and Brazil. These are countries where an actor has successfully logged in using a valid user’s credentials.
• The report finds that the three most common critical SaaS application security alerts stem from:
  • “User Location Outside Approved Location”: an alert which is triggered when there’s a successful login to a user account from outside of an approved location or an approved IP address range.
  • “SaaS Integration”: which indicates that account credentials have been used to connect to a third-party application which may lead to data and other account information sharing between SaaS apps. Users often establish these connections for convenience without consideration to potential security violations.
  • “Multiple Account Lockouts”: recorded when an account is locked out four or more times within a 12-hour period. This often indicates that malicious actors are actively (typically programmatically) trying password combinations to gain access to the account and have succeeded in validating a correct account name.

The SMB Security Plight

SaaS Alerts’ Jim Lippie

“In the uncertain cyber climate we all reside in today, detailed SaaS security oversight and robust defenses are a requirement for ensuring high resiliency and business continuity,” said Jim Lippie, CEO, SaaS Alerts. “The loss, theft or corruption of mission-critical or sensitive customer data can be operationally and financially troublesome for SMBs that depend on continuous and unrestricted business operations to bolster revenues which have been the target of threat actors for years. We offer this useful threat level breakdown to assist businesses and the MSPs that support them with highly accurate insights about the security landscape they reside in.”

MSPs have recently become more concerned with the security management and compliance of SaaS platforms that SMBs use. Protection of both the SaaS application and data are critical and must receive SaaS-optimized security controls. Building a security-minded employee culture that centers on security controls is an absolutely must, according to SaaS Alerts. SaaS-native cyber defenses and procedural compliance can play a significant role in reducing the risk of a successful attack.