CISA warns of attacks on Commvault’s Microsoft Azure environment
May 23, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) on May 22 issued an advisory that Commvault has been monitoring cyber threat activity that was targeting applications hosted in its Microsoft Azure cloud environment.

CISA said it believes the threat activity may be part of a larger campaign targeting various software-as-a-service (SaaS) companies’ cloud apps with default configurations and elevated permissions that lead to attackers stealing secrets.

The federal cybersecurity agency advised teams to monitor Microsoft Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault backup apps.

CISA also said teams should handle deviations from regular login schedules as suspicious.

Nic Adams, co-founder and CEO at 0rcus, said CISA’s recent alert confirms what black hats have known for several years: SaaS platforms are the Achilles’ heel of enterprise risk.

“The industry’s obsession with endpoint agents and EDR leaves entire SaaS ecosystems wide open: misconfigurations, overprivileged service principals, and leaky API integrations are free money for adversaries,” said Adams. “Additionally, vendors are running on trust-based authentication models and default configs disintegrate under targeted pressure. SaaS breaches are systemic and invisible until an external agency blows the whistle.”

James Maude, Field CTO at BeyondTrust, added that this news from CISA highlights the risks involved in allowing third parties privileged access into a company’s environment: their breach becomes your breach.
Maude said while many organizations have robust controls for issuing and managing the access of human accounts used by contractors and third parties, the story is often very different when it comes to non-human identities and secrets that enable machine-to-machine interactions.

“By their very nature these non-human identities often need to be privileged to access large amounts of data to back it up, perform analysis and enable business processes,” said Maude. “This makes them highly-prized targets for attackers who know they are likely overprivileged and under monitored.”
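
The audit-log check CISA describes can be sketched as follows. This is an added example, not code from CISA, Commvault or the article: it scans exported Entra audit records for credential changes on service principals initiated by a Commvault app and marks those outside the expected job window. The activity-name substrings, the display-name match, the 01:00-04:59 UTC window and the sample records are assumptions to adapt to your tenant.

```python
import json
from datetime import datetime

# Assumptions (not from the article): activity-name substrings, the display-name
# match for the backup app, and the 01:00-04:59 UTC job window.
CREDENTIAL_ACTIVITIES = ("add service principal credentials",
                         "certificates and secrets management")
WATCHED_INITIATOR = "commvault"
BACKUP_WINDOW_UTC = range(1, 5)

# Constructed sample records, shaped like Microsoft Graph directoryAudit entries.
SAMPLE_RECORDS = json.loads("""[
 {"activityDateTime": "2025-05-20T02:10:00Z",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"app": {"displayName": "Commvault Backup (example)"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "sp-backup-a"}]},
 {"activityDateTime": "2025-05-20T13:42:00Z",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"app": {"displayName": "Commvault Backup (example)"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "sp-backup-b"}]},
 {"activityDateTime": "2025-05-20T14:00:00Z",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "sp-other"}]}
]""")

def initiator_name(record):
    """Return the app or user that performed the audited action."""
    by = record.get("initiatedBy") or {}
    app, user = by.get("app") or {}, by.get("user") or {}
    return app.get("displayName") or user.get("userPrincipalName") or ""

def find_credential_changes(records):
    """List credential changes on service principals made by the watched app."""
    findings = []
    for rec in records:
        activity = (rec.get("activityDisplayName") or "").lower()
        who = initiator_name(rec)
        if WATCHED_INITIATOR not in who.lower():
            continue
        if not any(name in activity for name in CREDENTIAL_ACTIVITIES):
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        for target in rec.get("targetResources") or []:
            findings.append({"time": rec["activityDateTime"], "initiator": who,
                             "target": target.get("displayName"),
                             "off_schedule": when.hour not in BACKUP_WINDOW_UTC})
    return findings

if __name__ == "__main__":
    for finding in find_credential_changes(SAMPLE_RECORDS):
        print(finding)
```

Every finding still needs review against approved changes; the `off_schedule` flag only helps order that review.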