In 2024, cyber threats focusing on SaaS surged, with 7,000 password assaults blocked per second (simply in Entra ID)—a 75% enhance from final yr—and phishing makes an attempt up by 58%, inflicting $3.5 billion in losses (supply: Microsoft Digital Protection Report 2024). SaaS assaults are growing, with hackers typically evading detection by way of reputable utilization patterns. The cyber risk area noticed standout gamers, sudden underdogs, and relentless scorers leaving their mark on the SaaS safety enjoying area.
As we enter 2025, safety groups should prioritize SaaS safety threat assessments to uncover vulnerabilities, undertake SSPM instruments for steady monitoring, and proactively defend their programs.
Listed here are the Cyber Risk All-Stars to be careful for—the MVPs, rising stars, and grasp strategists who formed the sport.
1. ShinyHunters: The Most Priceless Participant
- Playstyle: Precision Photographs (Cybercriminal Group)
- Greatest Wins: Snowflake, Ticketmaster and Authy
- Notable Drama: Exploited one misconfiguration to breach 165+ organizations.
ShinyHunters swept into 2024 with a relentless spree of SaaS breaches, exposing delicate knowledge throughout platforms like Authy and Ticketmaster. Their marketing campaign wasn’t about exploiting a vendor vulnerability—however capitalizing on one misconfiguration neglected by Snowflake prospects. In consequence, ShinyHunters might infiltrate, exfiltrate, and blackmail these snowflake customers with out implementing MFA and correctly securing their SaaS environments.
🏀 Behind the Play: ShinyHunters operated like all-stars of the darkish net, effortlessly benefiting from SaaS misconfigurations. Their stolen knowledge dumps weren’t quiet affairs—they had been daring theatrical releases that includes bidding wars and unique leaks. The Snowflake breach alone triggered widespread panic as credentials snowballed into widespread vulnerabilities throughout vital programs.
💡SaaS Safety Classes: The Snowflake marketing campaign uncovered vital client-side safety oversights, not vendor failures. Organizations did not implement MFA, rotate credentials usually, and implement enable lists, leaving programs weak to unauthorized entry.
2. ALPHV (BlackCat): The Grasp of Deception
- Playstyle: Strategic Maneuvering (Ransomware-as-a-Service, RaaS)
- Greatest Wins: Change Healthcare, Prudential (Healthcare & Finance)
- Notable Drama: The $22M exit rip-off scandal with RansomHub.
ALPHV, aka BlackCat, performed one of many yr’s boldest strikes in 2024. After extorting $22 million from Change Healthcare by way of compromised credentials, the group, in a really ballsy transfer, faked an FBI takedown on their leak website to mislead each authorities and associates. However the true drama started when RansomHub, an affiliate, publicly accused ALPHV of taking the ransom and leaving them empty-handed, even sharing a Bitcoin transaction as proof. Even with the betrayal, the affiliate printed the stolen knowledge, leaving Change Healthcare with the ransom paid and the information misplaced.
🏀 Behind the Play: The fallout between ALPHV and RansomHub performed out like a cybercrime cleaning soap opera, with conflicting tales and heated accusations throughout darkish net boards. Regardless of the chaos, ALPHV’s assaults on Prudential and others solidified their popularity as one of many yr’s most formidable ransomware gamers.
💡SaaS Safety Classes: For prevention, monitor credential leaks with darknet monitoring and implement Single Signal-On (SSO) to streamline authentication and cut back credential dangers. For detection and response, comply with authentication actions, detect compromised credentials early, and apply account suspension insurance policies to forestall brute-force assaults.
3. RansomHub: Rookie of the Yr
- Playstyle: Opportunistic Offense (Ransomware-as-a-Service, RaaS)
- Greatest Win: Frontier Communications (Telecom & Infrastructure)
- Notable Drama: Caught within the fallout of ALPHV’s $22M rip-off.
RansomHub rose from the ashes of Knight Ransomware in early 2024 as probably the most lively ransomware actors. Recognized for his or her opportunistic techniques, they made headlines with their affiliation with ALPHV (BlackCat). Their position within the Change Healthcare breach impacted over 100 million U.S. residents, highlighting their capability to take advantage of SaaS vulnerabilities, together with misconfigurations, weak authentication, and third-party integrations, maximizing their attain and impression.
🏀 Behind the Play: After being benched by ALPHV and dropping their minimize of the $22 million ransom from the Change Healthcare breach, RansomHub nonetheless held onto the stolen knowledge—a strong play that saved them within the recreation. Regardless of the betrayal, this rookie risk actor hit the court docket with renewed willpower, scoring high-profile breaches all year long, together with Frontier Communications. They’re adamant about staying within the ransomware league, even after a tough first season.
💡SaaS Safety Classes: Keep alert of phishing makes an attempt that exploit stolen private info to create extra convincing assaults. Implement identification risk detection instruments to watch for indicators of account takeovers and anomalies in person actions, enabling well timed identification and response to potential breaches.
4. LockBit: Clutch Participant of the Yr
- Playstyle: Relentless Offense (Ransomware-as-a-Service, RaaS)
- Greatest Wins: Provide chain impact from Evolve Financial institution & Belief (Fintech)
- Notable Drama: FBI’s Operation Cronos did not shut them down completely.
LockBit dominates the ransomware court docket, relentlessly scoring breach after breach regardless of the continued efforts by the FBI and NCA to dismantle their infrastructure, type of like Steph Curry–constantly performing effectively when there’s so much on the road. Excessive-profile performs in opposition to Fintech firms, akin to Evolve Financial institution & Belief, with the availability chain effecting extra firms akin to Affirm and Smart, solidified LockBit’s standing as essentially the most constant offensive participant within the SaaS assault league.
🏀 Behind the Play: Though Operation ‘Cronos’ disrupted their servers and seized vital infrastructure, the group bounced again with resolve, taunting authorities on their leak website with daring claims like, “You’ll be able to’t cease me.” In December 2024, we noticed updates on an earlier arrest of an alleged LockBit developer— highlighting the continued nature of Operation ‘Cronos’, signaling that this world sting is much from over.
💡SaaS Safety Classes: Prioritize third-party vendor threat assessments and keep visibility into SaaS app connectivity to detect exploitation pathways early. Use exercise monitoring instruments with risk detection, UEBA (Consumer and Entity Conduct Analytics), and anomaly detection to identify suspicious conduct in actual time.
5. Midnight Blizzard (APT29): The Silent Operator
- Playstyle: Defensive Infiltration (Superior Persistent Risk, APT)
- Greatest Win: TeamViewer (Distant Entry Device)
- Notable Drama: A breach as a gateway for silent espionage.
In the case of state-sponsored espionage, Midnight Blizzard—aka APT29—performs like Kawhi Leonard working a flawless defensive play, quietly intercepting knowledge and making strategic strikes with out drawing consideration. This group, backed by Russian state assets, focuses on hacking vital programs, with TeamViewer standing out in 2024. This group is not flashy—they do not drop ransom notes or brag in darkish net boards. As a substitute, they quietly exfiltrate delicate knowledge, leaving digital footprints so faint they’re practically not possible to hint. In contrast to ransomware teams, state-sponsored actors like Midnight Blizzard concentrate on cyber espionage, working discreetly to assemble intelligence with out triggering any alarms.
🏀 Behind the Play: Midnight Blizzard does not play for fast wins—they infiltrate, wait, and watch. Utilizing state-level techniques, they continue to be hidden inside networks for months, if not years, extracting invaluable intelligence with out elevating any alarms. Whereas the corporate in the end contained the TeamViewer breach, the goal’s nature reveals Midnight Blizzard’s intent—specializing in high-value organizations with in depth utilization, aiming to take advantage of these footholds as launchpads for broader assaults on downstream targets.
💡SaaS Safety Classes: Keep vigilant for breaches in vital SaaS purposes, typically focused by nation-state actors. Carry out common configuration audits to scale back dangers and guarantee safe entry controls akin to multi-factor authentication (MFA). Proactive auditing helps reduce breach impression and limits exploitation pathways.
The Sixth Man: The One to Watch and the Benched Expertise
- Hellcat (The Ones to Watch): A ransomware group that burst onto the scene in late 2024, scoring a confirmed hit on Schneider Electrical. Their speedy emergence and preliminary success sign potential for a extra aggressive playbook in 2025.
- Scattered Spider (Benched Expertise): As soon as a serious participant in cybercrime, this hybrid social engineering group now sits on the bench following arrests and authorized crackdowns. Whereas their exercise slowed, specialists warning it is too early to depend them out.
Each teams are value keeping track of—one for its momentum, the opposite for its popularity and potential comeback story.
🔑 Key Takeaways for 2025:
- Misconfigurations Stay a Prime Goal: Risk actors proceed to take advantage of neglected SaaS misconfigurations, having access to vital programs and delicate knowledge. Common audits, enforced MFA, and credential rotation are important defenses.
- Identification Infrastructure Below Assault: Attackers leverage stolen credentials, API manipulations, and stealthy exfiltration to bypass defenses. Monitoring for leaked credentials, having robust MFA enforcement, anomaly detection, and identification monitoring are vital to stopping breaches.
- Shadow IT and Provide Chain as Entry Factors: Unauthorized SaaS purposes and app-to-app integrations create hidden vulnerabilities. Steady monitoring, proactive oversight, and automatic remediation are important for lowering threat publicity.
The inspiration of a multi-layer SaaS safety resolution begins with automated steady threat assessments and the mixing of ongoing monitoring instruments into your safety administration.
This is not their final dance. Safety groups should keep knowledgeable, vigilant, and equipment up for an additional yr of defending in opposition to the world’s most prolific risk actors.
Do not await the following breach.
Get your SaaS Safety Threat Evaluation as we speak.