Wednesday, January 8, 2025

2025’s All-Star SaaS Menace Actors to Watch

In 2024, cyber threats targeting SaaS surged, with 7,000 password attacks blocked per second (in Entra ID alone), a 75% increase from last year, and phishing attempts up by 58%, causing $3.5 billion in losses (source: Microsoft Digital Defense Report 2024). SaaS attacks are increasing, with hackers often evading detection by blending into legitimate usage patterns. The cyber threat arena saw standout players, unexpected underdogs, and relentless scorers leaving their mark on the SaaS security playing field.

As we enter 2025, security teams must prioritize SaaS security risk assessments to uncover vulnerabilities, adopt SSPM tools for continuous monitoring, and proactively protect their systems.

Here are the Cyber Threat All-Stars to watch out for: the MVPs, rising stars, and master strategists who shaped the game.

1. ShinyHunters: The Most Valuable Player

  • Playstyle: Precision Shots (Cybercriminal Group)
  • Biggest Wins: Snowflake, Ticketmaster and Authy
  • Notable Drama: Exploited one misconfiguration to breach 165+ organizations.

ShinyHunters swept into 2024 with a relentless spree of SaaS breaches, exposing sensitive data across platforms like Authy and Ticketmaster. Their campaign wasn't about exploiting a vendor vulnerability, but about capitalizing on one misconfiguration overlooked by Snowflake customers. As a result, ShinyHunters could infiltrate, exfiltrate, and blackmail those Snowflake customers who had not enforced MFA and properly secured their SaaS environments.

🏀 Behind the Play: ShinyHunters operated like all-stars of the dark web, effortlessly taking advantage of SaaS misconfigurations. Their stolen data dumps weren't quiet affairs; they were bold theatrical releases featuring bidding wars and exclusive leaks. The Snowflake breach alone triggered widespread panic as stolen credentials snowballed into widespread exposure across critical systems.

💡SaaS Security Lessons: The Snowflake campaign exposed critical client-side security oversights, not vendor failures. Organizations failed to enforce MFA, rotate credentials regularly, and implement allow lists, leaving systems vulnerable to unauthorized access.
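The three client-side controls named above (MFA enforced, credentials rotated, a network allow list in place) are the kind of thing a configuration audit should check on every account. The script below is an added example written for this article, not code from the article or from Snowflake; the account record format, the 90-day rotation threshold and the sample tenant are assumptions.

```python
"""Audit SaaS user accounts for MFA, credential age and network allow lists.
Added example: record layout, thresholds and sample users are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import List

ROTATION_MAX_DAYS = 90  # assumed policy; align with your own standard


@dataclass
class UserRecord:
    name: str
    has_mfa: bool
    password_set_on: date
    network_policy: List[str]  # CIDR allow list; empty means unrestricted
    disabled: bool = False


def audit_user(u: UserRecord, today: date) -> List[str]:
    """Return the control gaps for one account (empty list = compliant)."""
    if u.disabled:
        return []  # a disabled account cannot be used for password-only access
    gaps = []
    if not u.has_mfa:
        gaps.append("mfa_not_enrolled")
    if today - u.password_set_on > timedelta(days=ROTATION_MAX_DAYS):
        gaps.append("stale_credential")
    if not u.network_policy:
        gaps.append("no_network_allow_list")
    elif any(ip_network(c, strict=False).prefixlen == 0 for c in u.network_policy):
        gaps.append("allow_list_permits_any_ip")  # 0.0.0.0/0 is not a restriction
    return gaps


def audit_tenant(users, today):
    """Map each non-compliant account to its gaps, worst first."""
    findings = sorted(((u.name, audit_user(u, today)) for u in users),
                      key=lambda kv: -len(kv[1]))
    return {name: gaps for name, gaps in findings if gaps}


# Constructed sample tenant (not real accounts).
SAMPLE_USERS = [
    UserRecord("svc_etl", False, date(2023, 6, 1), []),
    UserRecord("analyst1", True, date(2024, 11, 20), ["203.0.113.0/24"]),
    UserRecord("contractor", False, date(2024, 12, 1), ["0.0.0.0/0"]),
    UserRecord("old_admin", False, date(2022, 1, 1), [], disabled=True),
]


def run_sample():
    return audit_tenant(SAMPLE_USERS, date(2025, 1, 8))


if __name__ == "__main__":
    for name, gaps in run_sample().items():
        print(f"{name}: {', '.join(gaps)}")
```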

2. ALPHV (BlackCat): The Master of Deception

  • Playstyle: Strategic Maneuvering (Ransomware-as-a-Service, RaaS)
  • Biggest Wins: Change Healthcare, Prudential (Healthcare & Finance)
  • Notable Drama: The $22M exit scam scandal with RansomHub.

ALPHV, aka BlackCat, played one of the year's boldest moves in 2024. After extorting $22 million from Change Healthcare via compromised credentials, the group, in a very ballsy move, faked an FBI takedown on their leak site to mislead both authorities and affiliates. But the real drama began when RansomHub, an affiliate, publicly accused ALPHV of taking the ransom and leaving them empty-handed, even sharing a Bitcoin transaction as proof. Even after the betrayal, the affiliate published the stolen data, leaving Change Healthcare with the ransom paid and the data lost.

🏀 Behind the Play: The fallout between ALPHV and RansomHub played out like a cybercrime soap opera, with conflicting stories and heated accusations across dark web forums. Despite the chaos, ALPHV's attacks on Prudential and others solidified their reputation as one of the year's most formidable ransomware players.

💡SaaS Security Lessons: For prevention, monitor credential leaks with darknet monitoring and implement Single Sign-On (SSO) to streamline authentication and reduce credential risks. For detection and response, track authentication activities, detect compromised credentials early, and apply account suspension policies to prevent brute-force attacks.
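The detection side of that lesson (tracking authentication activity, catching compromised credentials early, and feeding an account suspension policy) can be shown on a few sign-in records. The code below is an added example written for this article, not from the article or any vendor; the log line format, the 10-minute window, the five-failure lockout threshold and the sample lines are all assumptions.

```python
"""Brute-force and password-spray detection over sign-in logs. Added example:
the log format, thresholds and SAMPLE_LOG are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
LOCKOUT_FAILURES = 5    # assumed policy: failures on one account before suspension
SPRAY_MIN_ACCOUNTS = 3  # assumed: distinct accounts one source fails against

# Constructed sample lines (not real logs): "<iso-time> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2025-01-08T09:00:01 FAIL user=alice ip=198.51.100.7
2025-01-08T09:00:04 FAIL user=alice ip=198.51.100.7
2025-01-08T09:00:09 FAIL user=alice ip=198.51.100.7
2025-01-08T09:00:15 FAIL user=alice ip=198.51.100.7
2025-01-08T09:00:20 FAIL user=alice ip=198.51.100.7
2025-01-08T09:01:00 FAIL user=bob ip=203.0.113.5
2025-01-08T09:01:02 FAIL user=carol ip=203.0.113.5
2025-01-08T09:01:05 FAIL user=dave ip=203.0.113.5
2025-01-08T09:01:09 SUCCESS user=dave ip=203.0.113.5
"""

def parse(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user[5:], ip[3:]

def burst(times):
    """Largest number of events falling inside any WINDOW-long span."""
    times, best, j = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best

def analyze(log_text):
    """Return (accounts to suspend, {spraying ip: accounts hit}, accounts to reset)."""
    fails_by_user, fails_by_ip, successes = defaultdict(list), defaultdict(dict), set()
    for line in log_text.splitlines():
        ts, result, user, ip = parse(line)
        if result == "SUCCESS":
            successes.add((user, ip))
        else:
            fails_by_user[user].append(ts)
            fails_by_ip[ip].setdefault(user, []).append(ts)
    # brute force: one account hammered inside the window -> suspension candidate
    suspend = sorted(u for u, ts in fails_by_user.items() if burst(ts) >= LOCKOUT_FAILURES)
    # password spray: one source failing against many accounts inside one window
    spray = {}
    for ip, per_user in fails_by_ip.items():
        first = min(min(ts) for ts in per_user.values())
        hit = sorted(u for u, ts in per_user.items() if min(ts) - first <= WINDOW)
        if len(hit) >= SPRAY_MIN_ACCOUNTS:
            spray[ip] = hit
    # a success from a spraying source is a likely compromised credential -> reset
    reset = sorted(u for ip, users in spray.items() for u in users if (u, ip) in successes)
    return suspend, spray, reset
```

On the sample, alice trips the per-account lockout, 203.0.113.5 is flagged as spraying three accounts, and dave's later success from that source marks his credential for reset.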

3. RansomHub: Rookie of the Year

  • Playstyle: Opportunistic Offense (Ransomware-as-a-Service, RaaS)
  • Biggest Win: Frontier Communications (Telecom & Infrastructure)
  • Notable Drama: Caught in the fallout of ALPHV's $22M scam.

RansomHub rose from the ashes of Knight Ransomware in early 2024 as one of the most active ransomware actors. Known for their opportunistic tactics, they made headlines with their affiliation with ALPHV (BlackCat). Their role in the Change Healthcare breach impacted over 100 million U.S. citizens, highlighting their ability to exploit SaaS weaknesses, including misconfigurations, weak authentication, and third-party integrations, maximizing their reach and impact.

🏀 Behind the Play: After being benched by ALPHV and losing their cut of the $22 million ransom from the Change Healthcare breach, RansomHub still held onto the stolen data, a powerful play that kept them in the game. Despite the betrayal, this rookie threat actor hit the court with renewed determination, scoring high-profile breaches throughout the year, including Frontier Communications. They're adamant about staying in the ransomware league, even after a rough first season.

💡SaaS Security Lessons: Stay alert to phishing attempts that exploit stolen personal information to make attacks more convincing. Implement identity threat detection tools to monitor for signs of account takeover and anomalies in user activity, enabling timely identification of and response to potential breaches.

4. LockBit: Clutch Player of the Year

  • Playstyle: Relentless Offense (Ransomware-as-a-Service, RaaS)
  • Biggest Wins: Supply chain effect from Evolve Bank & Trust (Fintech)
  • Notable Drama: FBI's Operation Cronos didn't shut them down entirely.

LockBit dominates the ransomware court, relentlessly scoring breach after breach despite the ongoing efforts by the FBI and NCA to dismantle their infrastructure, a bit like Steph Curry, consistently performing when there's a lot on the line. High-profile plays against fintech companies such as Evolve Bank & Trust, with the supply chain effect reaching further companies such as Affirm and Wise, solidified LockBit's status as the most consistent offensive player in the SaaS attack league.

🏀 Behind the Play: Although Operation 'Cronos' disrupted their servers and seized critical infrastructure, the group bounced back with resolve, taunting authorities on their leak site with bold claims like, "You can't stop me." In December 2024, we saw updates on an earlier arrest of an alleged LockBit developer, highlighting the ongoing nature of Operation 'Cronos' and signaling that this global sting is far from over.

💡SaaS Security Lessons: Prioritize third-party vendor risk assessments and maintain visibility into SaaS app connectivity to detect exploitation pathways early. Use activity monitoring tools with threat detection, UEBA (User and Entity Behavior Analytics), and anomaly detection to spot suspicious behavior in real time.

5. Midnight Blizzard (APT29): The Silent Operator

  • Playstyle: Defensive Infiltration (Advanced Persistent Threat, APT)
  • Biggest Win: TeamViewer (Remote Access Tool)
  • Notable Drama: A breach as a gateway for silent espionage.

When it comes to state-sponsored espionage, Midnight Blizzard, aka APT29, plays like Kawhi Leonard running a flawless defensive play, quietly intercepting data and making strategic moves without drawing attention. This group, backed by Russian state resources, focuses on hacking critical systems, with TeamViewer standing out in 2024. This group isn't flashy; they don't drop ransom notes or brag on dark web forums. Instead, they quietly exfiltrate sensitive data, leaving digital footprints so faint they're nearly impossible to trace. Unlike ransomware groups, state-sponsored actors like Midnight Blizzard focus on cyber espionage, operating discreetly to gather intelligence without triggering any alarms.

🏀 Behind the Play: Midnight Blizzard doesn't play for quick wins; they infiltrate, wait, and watch. Using state-level tactics, they remain hidden inside networks for months, if not years, extracting valuable intelligence without raising any alarms. While the company ultimately contained the TeamViewer breach, the nature of the target reveals Midnight Blizzard's intent: focusing on high-value organizations with extensive usage, aiming to exploit such footholds as launchpads for broader attacks on downstream targets.

💡SaaS Security Lessons: Stay vigilant for breaches in critical SaaS applications, which are often targeted by nation-state actors. Perform regular configuration audits to reduce risk and ensure secure access controls such as multi-factor authentication (MFA). Proactive auditing helps minimize breach impact and limits exploitation pathways.

The Sixth Man: The One to Watch and the Benched Talent

  • Hellcat (The Ones to Watch): A ransomware group that burst onto the scene in late 2024, scoring a confirmed hit on Schneider Electric. Their rapid emergence and initial success signal potential for a more aggressive playbook in 2025.
  • Scattered Spider (Benched Talent): Once a major player in cybercrime, this hybrid social engineering group now sits on the bench following arrests and legal crackdowns. While their activity has slowed, experts caution it's too early to count them out.

Both groups are worth keeping an eye on: one for its momentum, the other for its reputation and potential comeback story.

🔑 Key Takeaways for 2025:

  1. Misconfigurations Remain a Top Target: Threat actors continue to exploit overlooked SaaS misconfigurations, gaining access to critical systems and sensitive data. Regular audits, enforced MFA, and credential rotation are essential defenses.
  2. Identity Infrastructure Under Attack: Attackers leverage stolen credentials, API manipulation, and stealthy exfiltration to bypass defenses. Monitoring for leaked credentials, strong MFA enforcement, anomaly detection, and identity monitoring are critical to preventing breaches.
  3. Shadow IT and Supply Chain as Entry Points: Unauthorized SaaS applications and app-to-app integrations create hidden vulnerabilities. Continuous monitoring, proactive oversight, and automated remediation are essential for reducing risk exposure.

The foundation of a multi-layer SaaS security solution begins with automated continuous risk assessments and the integration of ongoing monitoring tools into your security management.

This isn't their last dance. Security teams must stay informed, stay vigilant, and gear up for another year of defending against the world's most prolific threat actors.

Don't wait for the next breach.

Get your SaaS Security Risk Assessment today.

This article is a contributed piece from one of our valued partners.
