SaaS solution providers face cyberattacks
Contrary to expectations, the Olympics period was less eventful in terms of cyber incidents, but since then we’ve seen an upsurge in cyberattacks, particularly among hosts of SaaS solutions. These infrastructures, often complex and spread over several datacenters, have become prime targets for cybercriminals. And yet, business customers mistakenly believe that switching to SaaS automatically protects them from risk. This is not the case…
The specifics of attacks on SaaS providers
SaaS providers manage complex systems in which numerous companies share the same infrastructure. This pooling of resources increases the risks in the event of an attack: a single vulnerable access point can impact dozens, or even hundreds, of customer companies. The consequences are often catastrophic: loss of data, business paralysis, and a significant drop in sales.
One of the biggest challenges for hosting providers is the difficulty of responding to all affected customers at the same time. When the infrastructure hosting thousands of customers is compromised, the host is often overwhelmed by crisis management. Technical teams not only have to restore their own systems, but also respond to urgent customer requests. This can delay business recovery for some companies, compounding losses.
Cyber attacks on SaaS providers generally follow a precise pattern:
- Infiltration: The attacker takes advantage of a security hole or compromised user account.
- Privilege escalation: The intruder takes control of an account with more rights to access sensitive information.
- Lateral movement: The attack spreads across the entire infrastructure, affecting end-customer data.
- Encryption and destruction: Production data is encrypted, and backups are destroyed, making restoration impossible without external intervention. This is when the attackers send their ransom demands.
Victim companies find themselves stranded, unable to recover their data or resume operations without specialist assistance.
Technical support and crisis management
In such situations, SaaS providers need to be well prepared. Unfortunately, some discover belatedly that their own infrastructure documentation has been encrypted, making system restoration even more complex. They must then call on expert teams to safeguard the remaining data and organize a rapid response.
In addition, transparent crisis management is essential. It is important that hosts communicate effectively with their customers to keep them informed of the recovery steps underway. Companies specializing in crisis management can step in to support this communication and help coordinate efforts.
Databack’s response to cyber attacks on hosting providers
When Databack responds to an attack, we take a methodical approach to restoring systems as quickly as possible:
- Data media collection: We start by identifying and recovering media containing critical data, whether production data or backups. This step is essential to ensure that all resources are available for rapid restoration.
- Analysis and Proof of Concept (POC): Once we have the media in our possession, we carry out a detailed analysis to determine whether restoration is possible. A Proof of Concept (POC) is performed to ensure that we can restore the data without loss.
- Industrialization of the recovery process: Once the POC has been validated, we automate the large-scale recovery process. This enables us to quickly restore large volumes of data, minimizing downtime for end customers.
- Restoring production environments: Production virtual machines are restored to customers in secure environments. We use “white zones” or sandboxes to verify that the restored data is sound and contains no traces of the attack.
This method ensures that corporate customers can get back to business without having to pay ransom.
Recommendations for corporate customers
Companies using SaaS solutions need to be vigilant, and not rely entirely on their provider for data security. They also have an important role to play in preventing risks and ensuring that they can recover their information in the event of an incident.
It’s essential to regularly check contracts with SaaS hosting providers, ensuring that they include solid guarantees regarding data backup and security. ANSSI recommends rigorously evaluating cloud offers before committing. For sensitive systems, we recommend qualified solutions such as SecNumCloud, which guarantee higher levels of security. These offers should enable regular audits to be carried out, in particular to verify data storage locations and the types of protection applied.
What’s more, companies should always keep local backups of their most critical data. In the event of loss or attack on the SaaS infrastructure, these backups enable rapid, independent restoration, thus limiting business disruption. This precaution is all the more useful when the backups hosted by the service provider are also targeted by an attack.
It is also essential to carry out regular security audits to assess the hosting company’s practices and check that access systems, permissions and security policies are correctly applied and comply with current recommendations.
Finally, raising awareness and training internal teams in good IT security practices is an indispensable measure. This includes vigilance in the face of suspicious e-mails, the use of multi-factor authentication, and rigorous management of privileged access to avoid accidental data compromise.
Conclusion: Protect your data, even with SaaS
Although SaaS solutions offer many advantages, they do not offer total protection against cyberattacks. Companies need to be aware of the risks, and take the necessary steps to protect their data. Databack is there to support them in managing these crises, offering concrete solutions to recover data and enable companies to get back up and running quickly and with peace of mind.
24 October 2024