
2025's All-Star SaaS Threat Actors to Watch

In 2024, cyber threats targeting SaaS surged, with 7,000 password attacks blocked per second (in Entra ID alone), a 75% increase over the previous year, and phishing attempts up by 58%, causing $3.5 billion in losses (source: Microsoft Digital Defense Report 2024). SaaS attacks are increasing, with attackers often evading detection by blending into legitimate usage patterns. The cyber threat arena saw standout players, unexpected underdogs, and relentless scorers leaving their mark on the SaaS security playing field.

As we enter 2025, security teams must prioritize SaaS security risk assessments to uncover weaknesses, adopt SSPM (SaaS Security Posture Management) tools for continuous monitoring, and proactively defend their systems.

Here are the Cyber Threat All-Stars to watch for: the MVPs, rising stars, and master strategists who shaped the game.

1. ShinyHunters: The Most Valuable Player

  • Playstyle: Precision Shots (Cybercriminal Group)
  • Biggest Wins: Snowflake, Ticketmaster and Authy
  • Notable Drama: Exploited one misconfiguration to breach 165+ organizations.

ShinyHunters swept into 2024 with a relentless spree of SaaS breaches, exposing sensitive data across platforms like Authy and Ticketmaster. The Snowflake campaign wasn't about exploiting a vendor vulnerability; it capitalized on one misconfiguration overlooked by Snowflake customers. As a result, ShinyHunters could infiltrate, exfiltrate from, and extort those Snowflake customers who had not enforced MFA or otherwise properly secured their SaaS environments.

🏀 Behind the Play: ShinyHunters operated like all-stars of the dark web, effortlessly taking advantage of SaaS misconfigurations. Their stolen data dumps weren't quiet affairs; they were bold theatrical releases featuring bidding wars and exclusive leaks. The Snowflake breach alone triggered widespread panic as stolen credentials snowballed into exposures across critical systems.

💡SaaS Security Lessons: The Snowflake campaign exposed critical customer-side security oversights, not vendor failures. Organizations failed to enforce MFA, rotate credentials regularly, and implement network allow lists, so accounts were open to anyone holding valid credentials, many of which had been harvested by infostealer malware long before the attack.
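The three customer-side controls named above can be checked mechanically against an account export. The following is an added example, not code from the original article or from any vendor: it audits a constructed list of SaaS user records (the field names, the allow-list ranges and the 90-day rotation threshold are all assumptions) for missing MFA, stale credentials, a missing network policy, and a last login from outside the corporate allow list.

```python
"""Added example (not from the article): customer-side hygiene audit of a
SaaS account export, covering the Snowflake-campaign lessons above.

The record layout is an assumption: a list of dicts such as an SSPM tool or
a SHOW USERS style export might produce. All sample data is constructed."""
from datetime import date
import ipaddress

# Hypothetical corporate egress ranges the tenant should accept logins from.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
MAX_CREDENTIAL_AGE_DAYS = 90

# Constructed sample export (hypothetical accounts).
SAMPLE_USERS = [
    {"name": "alice", "mfa_enabled": True, "password_rotated": date(2024, 11, 1),
     "network_policy": "corp_only", "last_login_ip": "203.0.113.17"},
    {"name": "svc_etl", "mfa_enabled": False, "password_rotated": date(2020, 6, 15),
     "network_policy": None, "last_login_ip": "45.0.0.9"},
    {"name": "bob", "mfa_enabled": False, "password_rotated": date(2024, 12, 20),
     "network_policy": "corp_only", "last_login_ip": "198.51.100.40"},
]


def ip_allowed(ip: str) -> bool:
    """True if the address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit_user(user: dict, today: date) -> list:
    """Return the findings for one account; an empty list means clean."""
    findings = []
    if not user["mfa_enabled"]:
        findings.append("MFA_NOT_ENFORCED")
    age = (today - user["password_rotated"]).days
    if age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"CREDENTIAL_AGE_{age}D")
    if user["network_policy"] is None:
        findings.append("NO_NETWORK_POLICY")
    if not ip_allowed(user["last_login_ip"]):
        # A valid login from outside the allow list is exactly the
        # stolen-credential pattern seen in the Snowflake campaign.
        findings.append(f"LOGIN_OUTSIDE_ALLOWLIST_{user['last_login_ip']}")
    return findings


def audit(users: list, today: date) -> dict:
    """Map each non-clean account name to its findings."""
    report = {}
    for user in users:
        findings = audit_user(user, today)
        if findings:
            report[user["name"]] = findings
    return report


def sample_findings() -> dict:
    """Run the audit over the constructed export as of 2025-01-15."""
    return audit(SAMPLE_USERS, date(2025, 1, 15))


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        print(f"{name}: {', '.join(findings)}")
```

The service account `svc_etl` is the interesting case: no MFA, a credential untouched for years, no network policy, and a last login from an address outside the allow list, which is the combination that lets a stolen credential walk straight in. Service accounts usually cannot do interactive MFA, so the network policy and rotation checks carry the weight there.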

2. ALPHV (BlackCat): The Master of Deception

  • Playstyle: Strategic Maneuvering (Ransomware-as-a-Service, RaaS)
  • Biggest Wins: Change Healthcare, Prudential (Healthcare & Finance)
  • Notable Drama: The $22M exit scam scandal with RansomHub.

ALPHV, aka BlackCat, pulled off one of the year's boldest moves in 2024. After extorting $22 million from Change Healthcare, breached through compromised credentials on a remote access portal that lacked MFA, the group, in a brazen move, faked an FBI takedown notice on its leak site to mislead both authorities and affiliates. The real drama began when the affiliate behind the intrusion publicly accused ALPHV of keeping the entire ransom and leaving them empty-handed, even sharing a Bitcoin transaction as proof. Despite the betrayal, the stolen data later surfaced on RansomHub's leak site, leaving Change Healthcare with the ransom paid and the data exposed anyway.


🏀 Behind the Play: The fallout between ALPHV and RansomHub played out like a cybercrime soap opera, with conflicting stories and heated accusations across dark web forums. Despite the chaos, ALPHV's attacks on Prudential and others solidified its reputation as one of the year's most formidable ransomware players.

💡SaaS Security Lessons: For prevention, track credential leaks with darknet monitoring and enforce Single Sign-On (SSO) to centralize authentication and reduce credential sprawl; note that SSO only reduces risk if each app's local password login is disabled, otherwise the SSO policy can simply be bypassed. For detection and response, monitor authentication activity, detect compromised credentials early, and apply account lockout policies to blunt brute-force and password-spraying attacks.

3. RansomHub: Rookie of the Year

  • Playstyle: Opportunistic Offense (Ransomware-as-a-Service, RaaS)
  • Biggest Win: Frontier Communications (Telecom & Infrastructure)
  • Notable Drama: Caught in the fallout of ALPHV's $22M scam.

RansomHub rose from the ashes of Knight ransomware in early 2024 to become one of the most active ransomware actors. Known for their opportunistic tactics, they made headlines through their connection to ALPHV (BlackCat). Their role in the Change Healthcare breach, which affected over 100 million U.S. residents, highlighted their ability to exploit SaaS weaknesses, including misconfigurations, weak authentication, and third-party integrations, to maximize their reach and impact.

🏀 Behind the Play: After being benched by ALPHV and losing their cut of the $22 million Change Healthcare ransom, RansomHub still held onto the stolen data, a power play that kept them in the game. Despite the betrayal, this rookie threat actor returned to the court with renewed determination, scoring high-profile breaches throughout the year, including Frontier Communications. They are adamant about staying in the ransomware league, even after a rough first season.

💡SaaS Security Lessons: Stay alert to phishing attempts that use stolen personal information to craft more convincing lures. Deploy identity threat detection that watches for signs of account takeover and anomalies in user activity, enabling timely identification of and response to potential breaches.
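The ALPHV lesson (monitor authentication activity, suspend accounts under brute force) and the RansomHub lesson (detect account takeover from activity anomalies) reduce to a small amount of state kept per account. The following is an added example, not code from the article or from any product: it runs both rules over constructed sample log lines. The log format, the thresholds and the tiny GeoIP prefix table are assumptions; a real deployment would read the IdP's sign-in log and a proper GeoIP database.

```python
"""Added example (not from the article): two identity detections run over a
constructed authentication log.

Rule 1 (lockout): FAIL_THRESHOLD failures for one account inside a sliding
window of FAIL_WINDOW_SECONDS -> suspend the account (brute force defence).
Rule 2 (takeover): a successful login from an IP, or a country, the account
has never authenticated from before -> account-takeover alert for triage.
Log layout, thresholds and the GEO table are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5          # failed attempts before suspension
FAIL_WINDOW_SECONDS = 300   # sliding window for counting failures

# Hypothetical GeoIP lookup keyed on address prefix.
GEO = {"203.0.113.": "US", "198.51.100.": "US", "192.0.2.": "RU"}


def country_of(ip: str) -> str:
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


# Constructed sample log: "<ISO timestamp> user=<name> ip=<addr> result=<ok|fail>".
# bob: two failures then success from a new country (credential stuffing).
# carol: five rapid failures, then a success that should be blocked.
# alice: success from a new IP inside her usual country.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z user=alice ip=203.0.113.17 result=ok
2025-01-10T08:05:10Z user=bob ip=198.51.100.40 result=ok
2025-01-10T09:00:00Z user=bob ip=192.0.2.77 result=fail
2025-01-10T09:00:03Z user=bob ip=192.0.2.77 result=fail
2025-01-10T09:00:06Z user=bob ip=192.0.2.77 result=ok
2025-01-10T09:10:00Z user=carol ip=192.0.2.78 result=fail
2025-01-10T09:10:04Z user=carol ip=192.0.2.78 result=fail
2025-01-10T09:10:08Z user=carol ip=192.0.2.78 result=fail
2025-01-10T09:10:12Z user=carol ip=192.0.2.78 result=fail
2025-01-10T09:10:16Z user=carol ip=192.0.2.78 result=fail
2025-01-10T09:10:20Z user=carol ip=192.0.2.78 result=ok
2025-01-10T10:30:00Z user=alice ip=203.0.113.99 result=ok
"""


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


class AuthMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.known_ips = defaultdict(set)   # user -> IPs seen on successful logins
        self.known_cc = defaultdict(set)    # user -> countries seen on successful logins
        self.suspended = set()
        self.alerts = []                    # (ts, kind, user, ip)

    def process(self, rec: dict) -> None:
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        if user in self.suspended:
            self.alerts.append((ts, "LOGIN_WHILE_SUSPENDED", user, ip))
            return
        if rec["result"] == "fail":
            window = self.failures[user]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                window.popleft()            # drop failures outside the window
            if len(window) >= FAIL_THRESHOLD:
                self.suspended.add(user)
                self.alerts.append((ts, "ACCOUNT_SUSPENDED_BRUTE_FORCE", user, ip))
            return
        # Successful login: compare against the account's own history.
        cc = country_of(ip)
        if self.known_ips[user] and ip not in self.known_ips[user]:
            kind = "NEW_COUNTRY" if cc not in self.known_cc[user] else "NEW_IP"
            self.alerts.append((ts, f"POSSIBLE_TAKEOVER_{kind}", user, ip))
        self.known_ips[user].add(ip)
        self.known_cc[user].add(cc)
        self.failures[user].clear()


def run(log_text: str) -> AuthMonitor:
    monitor = AuthMonitor()
    for line in log_text.splitlines():
        if line.strip():
            monitor.process(parse_line(line))
    return monitor


if __name__ == "__main__":
    for ts, kind, user, ip in run(SAMPLE_LOG).alerts:
        print(f"{ts.isoformat()} {kind:32} user={user} ip={ip}")
```

Two design points worth noting. The takeover rule is keyed on the account's own baseline rather than a global allow list, which is what lets it catch bob's login: the credentials were valid, so there is nothing for a password check to reject. And the failure window is cleared on success only for unsuspended accounts, so an attacker who guesses the password on the fifth try still hits the lockout.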

4. LockBit: Clutch Player of the Year

  • Playstyle: Relentless Offense (Ransomware-as-a-Service, RaaS)
  • Biggest Wins: Supply chain impact from Evolve Bank & Trust (Fintech)
  • Notable Drama: The FBI's Operation Cronos failed to shut them down entirely.

LockBit dominates the ransomware court, relentlessly scoring breach after breach despite ongoing efforts by the FBI and the NCA to dismantle their infrastructure, somewhat like Steph Curry, consistently performing when there is a lot on the line. High-profile plays against fintech companies such as Evolve Bank & Trust, with the supply chain impact reaching downstream partners such as Affirm and Wise, solidified LockBit's status as the most consistent offensive player in the SaaS attack league.

🏀 Behind the Play: Though Operation ‘Cronos’ disrupted their servers and seized essential infrastructure, the group bounced again with resolve, taunting authorities on their leak web site with daring claims like, “You’ll be able to’t cease me.” In December 2024, we noticed updates on an earlier arrest of an alleged LockBit developer— highlighting the continuing nature of Operation ‘Cronos’, signaling that this international sting is way from over.

💡SaaS Security Lessons: Prioritize third-party vendor risk assessments and maintain visibility into SaaS app-to-app connectivity (OAuth grants, API tokens, integration accounts) to detect exploitation pathways early. Use activity monitoring tools with threat detection, UEBA (User and Entity Behavior Analytics), and anomaly detection to spot suspicious behavior in real time.
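"Visibility into app-to-app connectivity" in practice means an inventory of which third-party apps hold which permissions in your tenant, ranked so the riskiest grants get reviewed first. The following is an added example, not code from the article or from any vendor: it scores a constructed export of OAuth grants by scope privilege, publisher trust and staleness. The grant layout, the scope names and the risk weights are assumptions chosen to resemble Microsoft Graph and Google Workspace style permissions.

```python
"""Added example (not from the article): ranking third-party app grants so a
supply-chain foothold (a compromised vendor app) is found before it is used.

Input is an assumed export of OAuth grants; an SSPM tool or the identity
provider's enterprise-app inventory would supply the real thing."""
from datetime import date

# Hypothetical scope -> risk weight. Write or admin access to mail, files and
# the directory is what turns a breach at the vendor into a breach of you.
SCOPE_RISK = {
    "user.read": 1, "calendar.read": 1, "mail.read": 3,
    "mail.readwrite": 5, "files.readwrite.all": 5, "directory.readwrite.all": 6,
}
UNKNOWN_SCOPE_RISK = 2   # scope not in the table: treat as moderate, never as zero
HIGH_PRIVILEGE = 5
STALE_DAYS = 90

SAMPLE_GRANTS = [  # constructed records
    {"app": "Slack", "publisher_verified": True,
     "scopes": ["user.read", "calendar.read"], "last_used": date(2025, 1, 10), "users": 850},
    {"app": "PDF Helper Pro", "publisher_verified": False,
     "scopes": ["mail.readwrite", "files.readwrite.all"], "last_used": date(2024, 6, 2), "users": 3},
    {"app": "Legacy HR Sync", "publisher_verified": True,
     "scopes": ["directory.readwrite.all"], "last_used": date(2024, 3, 1), "users": 1},
]


def score_grant(grant: dict, today: date) -> tuple:
    """Return (risk score, list of human-readable reasons) for one grant."""
    reasons = []
    score = sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in grant["scopes"])
    high = [s for s in grant["scopes"] if SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) >= HIGH_PRIVILEGE]
    if high:
        reasons.append("high-privilege scopes: " + ", ".join(high))
    if not grant["publisher_verified"]:
        score += 3
        reasons.append("unverified publisher")
    idle_days = (today - grant["last_used"]).days
    if idle_days > STALE_DAYS:
        # An unused grant is pure attack surface: nothing breaks if it is revoked.
        score += 2
        reasons.append(f"unused for {idle_days} days")
    return score, reasons


def prioritize(grants: list, today: date, min_score: int = 5) -> list:
    """Grants at or above min_score, highest risk first: (score, app, reasons)."""
    ranked = []
    for grant in grants:
        score, reasons = score_grant(grant, today)
        if score >= min_score:
            ranked.append((score, grant["app"], reasons))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


def sample_prioritized() -> list:
    """Rank the constructed export as of 2025-01-15."""
    return prioritize(SAMPLE_GRANTS, date(2025, 1, 15))


if __name__ == "__main__":
    for score, app, reasons in sample_prioritized():
        print(f"[{score:2}] {app}: {'; '.join(reasons)}")
```

Slack drops out despite its 850 users because read-only scopes from a verified publisher are low risk; the three-user unverified app with mail and file write access tops the list, and the idle directory-write integration comes second. The weights are deliberately simple so the ranking is explainable to the app owner who has to approve the revocation.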

5. Midnight Blizzard (APT29): The Silent Operator

  • Playstyle: Defensive Infiltration (Advanced Persistent Threat, APT)
  • Biggest Win: TeamViewer (Remote Access Tool)
  • Notable Drama: A breach as a gateway for silent espionage.

When it comes to state-sponsored espionage, Midnight Blizzard, aka APT29, plays like Kawhi Leonard running a flawless defensive play, quietly intercepting data and making strategic moves without drawing attention. This group, backed by Russian state resources, specializes in compromising critical systems, with TeamViewer the standout case in 2024. The group isn't flashy; they don't drop ransom notes or brag on dark web forums. Instead, they quietly exfiltrate sensitive data, leaving digital footprints so faint they are nearly impossible to trace. Unlike ransomware groups, state-sponsored actors like Midnight Blizzard focus on cyber espionage, operating discreetly to gather intelligence without triggering alarms.

🏀 Behind the Play: Midnight Blizzard doesn't play for quick wins; they infiltrate, wait, and watch. Using state-level tradecraft, they remain hidden inside networks for months, if not years, extracting valuable intelligence without raising alarms. TeamViewer contained the breach, reporting that the intrusion started with a compromised employee account and stayed within its internal corporate IT environment without reaching the product environment or customer data, but the choice of target reveals Midnight Blizzard's intent: high-value organizations with a broad user base, whose footholds can serve as launchpads for attacks on downstream targets.

💡SaaS Security Lessons: Stay vigilant for breaches in critical SaaS applications, which are frequent targets of nation-state actors. Perform regular configuration audits to reduce risk and enforce secure access controls such as multi-factor authentication (MFA), preferring phishing-resistant methods (FIDO2 security keys or passkeys) for privileged accounts, since push-based MFA can be worn down by repeated prompts. Proactive auditing helps minimize breach impact and limits exploitation pathways.

The Sixth Man: The One to Watch and the Benched Talent

  • Hellcat (The One to Watch): A ransomware group that burst onto the scene in late 2024, scoring a confirmed hit on Schneider Electric. Their rapid emergence and early success signal the potential for a more aggressive playbook in 2025.
  • Scattered Spider (Benched Talent): Once a major player in cybercrime, this social-engineering-focused group now sits on the bench following arrests and legal crackdowns. While their activity has slowed, experts caution that it is too early to count them out.

Both groups are worth keeping an eye on: one for its momentum, the other for its reputation and potential comeback story.

🔑 Key Takeaways for 2025:

  1. Misconfigurations Remain a Prime Target: Threat actors continue to exploit overlooked SaaS misconfigurations to gain access to critical systems and sensitive data. Regular audits, enforced MFA, and credential rotation are essential defenses.
  2. Identity Infrastructure Under Attack: Attackers leverage stolen credentials, API abuse, and stealthy exfiltration to bypass defenses. Monitoring for leaked credentials, strong MFA enforcement, anomaly detection, and identity monitoring are critical to stopping breaches.
  3. Shadow IT and Supply Chain as Entry Points: Unsanctioned SaaS applications and app-to-app integrations create hidden vulnerabilities. Continuous monitoring, proactive oversight, and automated remediation are essential for reducing risk exposure.

The foundation of a multi-layer SaaS security solution begins with automated continuous risk assessments and the integration of ongoing monitoring tools into your security management.

This isn't their last dance. Security teams must stay informed, stay vigilant, and gear up for another year of defending against the world's most prolific threat actors.

Don't wait for the next breach.

Get your SaaS Security Risk Assessment today.
