Signaling the rise of SaaS supply chain attacks

Recent data breaches at Signal, Twilio, MailChimp, and others underscore the imperative of securing the SaaS supply chain.

The encrypted instant messaging service, Signal, stakes its reputation on being one of the world’s most highly secure communications applications. However, that reputation may now be at risk following a data breach disclosed this week affecting 1,900 Signal users. At the root of the breach is an increasingly popular attack vector – the SaaS supply chain.

In this case, one of Signal’s SaaS providers, Twilio, was the target of a successful SMS phishing attack disclosed last week that resulted in the exposure of Signal’s customer data, including phone numbers and SMS verification codes. This allowed malicious actors to re-register the stolen phone numbers of Signal users on different devices if the users had not enabled Signal’s registration locking mechanism.

This is just the latest in a series of SaaS supply chain attacks that have made headlines so far in 2022. Earlier this year, I wrote about how a similar social engineering attack on MailChimp employees led to stolen cryptocurrency wallets at Trezor. Okta and Microsoft were also targeted in the attack. Mailgun, SendGrid, Samsung, Nvidia - the list of companies suffering data breaches this year by way of supply chain attacks continues to grow. And, I’m pretty confident this won’t be the last time I write about SaaS supply chain risks. So—

We need to talk about securing the SaaS supply chain.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 62% of system intrusion incidents come through an organization’s partner. Just two years ago, supply chain security became a priority after the SolarWinds breach, but the resulting efforts focused almost solely on on-premises software. Yet, Solarwinds and similar on-premises software providers are relics of a past age. Today, much of the organization’s digital supply chain is scattered across a growing number of SaaS providers whose infrastructure, suppliers, and processes are beyond your span of visibility and control. In this environment, it’s never been more difficult for security leaders to secure the digital supply chain.

You can’t secure what you can’t see.

First and foremost, it’s a challenge to even get visibility of the SaaS supply chain. The most common approach is to review a SaaS provider’s SOC 2 report or software bill of materials (SBOM), which gives some insight into their SaaS supply chain.  Yet, all too often, this is only a snapshot evaluated during initial procurement and never revisited.  The reality is that the modern digital supply chain is not static; it changes at the speed of the SaaS providers involved-- which is to say, very fast. So, while some structured requirements for sharing SaaS supply chain information exists today, most security leaders still lack the means to monitor the SaaS supply chain on an ongoing basis and validate attestations in real time, especially when looking beyond their own SaaS providers’ supply chains to fourth- and fifth-party suppliers.

Aggravating this already-difficult situation is the rapid rate of bottom-up or employee-led SaaS adoption within organizations, which is now the rule, not the exception. Each new SaaS provider introduced into the organization is another location where company data is stored, where access and privileges are granted (and too often over-permissioned), and where business-critical processes are connected. This increases the demands on IT security governance to identify new SaaS usage, conduct vendor security assessments, and ensure that every account has properly configured security controls. Security teams struggle to keep up and, as result, blind spots remain. This is likely as true for you as it is for your SaaS providers, and their providers, and their providers.

We are in a perfect storm, and cybercriminals know it.

The modern SaaS supply chain is blurry at best. The sprawl of new SaaS applications introduced into organizations increases by the hour, and the complex mesh of dependencies and entitlements across our SaaS services, our corporate environments, and our sensitive resources is growing exponentially. Security and IT governance teams are outnumbered and outpaced. All of this has created perfect conditions for even the most novice of threat actors to exploit.

As we’ve seen in the recent barrage of relatively unsophisticated social engineering attacks attributed to LAPSUS$ group and initial access brokers like Exotic Lily, we are not contending with custom-developed malware, zero-day exploits, or global botnets firing persistent DDoS attacks. Rather, modern threat actors are taking advantage of the complexity of our SaaS supply chain and the vulnerabilities of human behavior to steal user credentials to gain access and move laterally across the SaaS supply chain. It remains that stolen or compromised user credentials are the top vector in today’s data breaches.

Our adversaries understand the SaaS supply chain and its vulnerabilities. It’s time for us to do so, as well.

As our reliance on SaaS services continues to grow, so does the entangled web of shared responsibility.  As recent SaaS supply chain attacks have shown, we can no longer assume that the bounds of our security teams’ responsibilities stop at the edge of our own environments. Every new SaaS application introduced in the organization brings along with it another complex set of attack vectors. Yet, many security leaders have not even begun to accommodate for the compromise of n-party providers in their threat models.

To Signal’s credit, the company had identified such threats and vulnerabilities and took action to develop product features like Signal PINs and registration lock mechanisms. (By the way, if you are a Signal user and haven’t yet taken advantage of these features, you should.)

As Signal noted:

"The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users."

For the rest of us, let this be a valuable lesson and an opportunity to ask ourselves, “What assumptions have we made about our own security posture that rely on us knowing all n-tier suppliers involved in our data processing?”  And, “What assumptions fall apart if one of those parties has been compromised?”  

Securing the SaaS supply chain is the core imperative of modern cybersecurity. If it’s not yet a top priority and a funded initiative for 2023, now is the time to reevaluate your risks, priorities, and budgets.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors