As the ecosystem of cyber security evolves on an almost month-by-month basis, there are some key trends that we suspect will be highlighted heading into 2025.
SaaS Attacks
As endpoints get locked down and more folks adopt EDRs in their environment, we are looking at quite the minefield of settings for most attackers. While you can get by with some PowerShell or simple loaders, it doesn’t seem to be long before you are at least detected on a typical endpoint. Reported trends for 2024 showed that the average lifespan of an attacker in a network dramatically decreased, and this is likely due to the overall increased visibility from products like CrowdStrike, Defender for Endpoint, and SentinelOne [Source].
What’s the best way to avoid these cutting-edge systems? Is it to pay a few extra bucks at your local Dark Web implant provider? Or just not even bother altogether? At the start of 2024, a report from Wing Security detailed that the average enterprise employee was using 29 different SaaS applications [Source]. This has been backed up by Hacker News reporting this month that the average number of SaaS applications used by an enterprise has reached 473 [Source]. We believe this is a direct result of the explosion of SaaS startups that followed the introduction of generative AI for the average Joe. It’s simply a lot easier to make an application now thanks to these resources, and people are going for it.
Some of these applications provide a wealth of capabilities, but also have a wide array of privileges. Why bother getting Domain Admin when you can exfil confidential documentation straight through an Atlassian token? Red Teamers are already picking up on this, with tools like AtlasReaper getting hundreds of stars.
In 2025, get an inventory of your applications. Figure out what’s in your environment. Discover who’s doing Shadow IT. Baseline your configurations with a tool like Adaptive Shield or start slow and steady with communications down to your team members. If you don’t discover what’s in your environment, how can you defend it?
Microsoft Graph API
It lurked in the dark for a while, quietly keeping our OneDrives and Teams working in a semi-optimal fashion. The adoption of Teams over Slack has started to become overwhelming, and it’s a pretty safe bet for an attacker that the organization they land in is using some sort of Microsoft product [Picture below from a tweet by @TrungTPhan here].
The Graph API also offers something wonderful for attackers: it’s trusted. No matter the security stack somebody is using, everyone will trust Microsoft. This is simply a baseline truth, and any network or firewall admin will tell you it is simply impractical to block what’s not used. The Graph API lets attackers do a number of things, such as beaconing with GraphStrike or just straight up using a stolen token and loading it into GraphSpy. Once attackers have the token, they usually even get a pretty GUI to interact with your OneDrive, Outlook, and more!
Getting these tokens is becoming much easier as well, with paths such as Device Code Flow usually left enabled, giving most attackers an easy way into the environment. Guides on this have been written by researchers and Red Teamers alike, such as this descriptive post by Optiv.
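Two things a defender can do with the Graph API and Device Code Flow points above are to hunt for device-code sign-ins and off-baseline Graph clients in the Entra ID sign-in logs, and to block the flow with Conditional Access. The following is an added example, not code from the original post: the sample records are constructed (field names follow the Microsoft Graph signIn resource), the client baseline is hypothetical, and the policy body follows the conditionalAccessPolicy authenticationFlows condition as I understand its shape.

```python
import json

# Constructed sample export (JSON lines). Field names follow the Microsoft Graph
# signIn resource; the users, IPs and user agents are made up for this example.
SAMPLE_SIGNINS = """\
{"id":"a1","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","userAgent":"Teams/1.7 (Windows)"}
{"id":"b1","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","userAgent":"python-requests/2.31"}
{"id":"c1","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.9","userAgent":"Mozilla/5.0 (X11; Linux x86_64)"}
"""

# Hypothetical baseline of user-agent prefixes the organisation expects to see
# calling Graph; in practice derive this from your own sign-in history.
KNOWN_GRAPH_CLIENTS = ("Teams/", "Outlook/", "OneDrive/", "Microsoft Office/")


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_signins(records):
    """Return [(id, reason)] for sign-ins worth triage: device code flow sign-ins,
    and Graph tokens used from a client outside the known baseline."""
    flagged = []
    for rec in records:
        reasons = []
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons.append("device code flow sign-in")
        ua = rec.get("userAgent", "")
        if rec.get("resourceDisplayName") == "Microsoft Graph" and not ua.startswith(KNOWN_GRAPH_CLIENTS):
            reasons.append(f"Graph token used from unexpected client: {ua}")
        if reasons:
            flagged.append((rec["id"], "; ".join(reasons)))
    return flagged


def device_code_block_policy():
    """Conditional Access policy body that blocks device code flow for all users
    (assumed shape of the Graph authenticationFlows condition; verify against the schema)."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # start in report-only mode
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Run the policy in report-only mode first and review what `flag_signins` surfaces, since legitimate CLI tooling and headless devices also use device code flow.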
Extensions, Add-Ins, and Anything Convenient
While some of this has slipped under the rug and some has had huge amounts of attention, we predict that these vectors will come to the forefront in 2025. Extensions have been uncovered as quite malicious by folks such as John Hammond, and no VSCode Marketplace mitigations have been put in place since then. Extensions aren’t under the usual suspicion by EDRs, and have been growing in popularity as attackers continue to show their hand [Source].
Add-Ins are also quite dangerous. While macros are mostly gone from your attack surface, you can still count on quite a few ways to get into your environment. Add-Ins are basically extensions for the Office suite of products, typically written on the .NET Framework, that are normally used to add convenience to one of these applications. Once an attacker is within an Office process with their malicious Add-In, EDRs tend not to care. Office used to be a huge area of research when macros were in their glory days, but now there doesn’t seem to be much traffic. TrustedSec released their tool Specula, but it didn’t appear to get too much traffic, despite the sheer number of mitigations you need to put in place to block it (seriously, go look at those reg keys and start monitoring or blocking — this tool is wicked!).
Beyond just extensions and add-ins, there are the usual suspects – namely NPM packages. Node, while convenient and easy to develop with, has been plagued by a number of supply chain attacks in the past year [Example]. Attackers will no doubt start copying others once they observe each other’s success. After all — monkey see, monkey do.
A Bit of Optimism
It really isn’t all doom and gloom. Security products are getting better every year, with most of the low-hanging fruit already plucked off. Researchers are listened to more nowadays, especially considering that the SEC in the USA requires 8-K filings. Breaches are starting to impact stock prices, and that’s one way to get more budget for your enterprise’s cyber security program.
Defenders – keep looking for new stuff. Attackers – think outside the box, and stop doing the usual stuff you already have detections for. If you don’t think outside the box, then an attacker will beat you to it.