In 2024, cyber threats focused on SaaS surged, with 7,000 password assaults blocked in keeping with 2d (simply in Entra ID)—a 75% build up from final 12 months—and phishing makes an attempt up by way of 58%, inflicting $3.5 billion in losses (supply: Microsoft Virtual Protection Record 2024). SaaS assaults are expanding, with hackers ceaselessly evading detection thru authentic utilization patterns. The cyber risk enviornment noticed standout avid gamers, sudden underdogs, and incessant scorers leaving their mark at the SaaS safety taking part in box.
As we input 2025, safety groups will have to prioritize SaaS safety chance tests to discover vulnerabilities, undertake SSPM equipment for steady tracking, and proactively shield their techniques.
Listed here are the Cyber Risk All-Stars to be careful for—the MVPs, emerging stars, and grasp strategists who formed the sport.
1. ShinyHunters: The Maximum Precious Participant
- Playstyle: Precision Photographs (Cybercriminal Group)
- Largest Wins: Snowflake, Ticketmaster and Authy
- Notable Drama: Exploited one misconfiguration to breach 165+ organizations.
ShinyHunters swept into 2024 with a continuing spree of SaaS breaches, exposing delicate knowledge throughout platforms like Authy and Ticketmaster. Their marketing campaign wasn’t about exploiting a supplier vulnerability—however capitalizing on one misconfiguration overpassed by way of Snowflake consumers. Consequently, ShinyHunters may just infiltrate, exfiltrate, and blackmail those snowflake customers with out implementing MFA and correctly securing their SaaS environments.
🏀 At the back of the Play: ShinyHunters operated like all-stars of the darkish internet, easily making the most of SaaS misconfigurations. Their stolen knowledge dumps were not quiet affairs—they had been bold theatrical releases that includes bidding wars and unique leaks. The Snowflake breach by myself prompted standard panic as credentials snowballed into standard vulnerabilities throughout crucial techniques.
💡SaaS Safety Courses: The Snowflake marketing campaign uncovered crucial client-side safety oversights, no longer supplier disasters. Organizations did not implement MFA, rotate credentials often, and put in force permit lists, leaving techniques liable to unauthorized get admission to.
2. ALPHV (BlackCat): The Grasp of Deception
- Playstyle: Strategic Maneuvering (Ransomware-as-a-Provider, RaaS)
- Largest Wins: Trade Healthcare, Prudential (Healthcare & Finance)
- Notable Drama: The $22M go out rip-off scandal with RansomHub.
ALPHV, aka BlackCat, performed one of the crucial 12 months’s boldest strikes in 2024. After extorting $22 million from Trade Healthcare thru compromised credentials, the crowd, in an overly ballsy transfer, faked an FBI takedown on their leak website online to deceive each government and associates. However the actual drama started when RansomHub, an associate, publicly accused ALPHV of taking the ransom and leaving them empty-handed, even sharing a Bitcoin transaction as evidence. Even with the betrayal, the associate revealed the stolen knowledge, leaving Trade Healthcare with the ransom paid and the information misplaced.
🏀 At the back of the Play: The fallout between ALPHV and RansomHub performed out like a cybercrime cleaning soap opera, with conflicting tales and heated accusations throughout darkish internet boards. In spite of the chaos, ALPHV’s assaults on Prudential and others solidified their recognition as one of the crucial 12 months’s maximum ambitious ransomware avid gamers.
💡SaaS Safety Courses: For prevention, monitor credential leaks with darknet tracking and implement Unmarried Signal-On (SSO) to streamline authentication and cut back credential dangers. For detection and reaction, observe authentication actions, locate compromised credentials early, and practice account suspension insurance policies to forestall brute-force assaults.
3. RansomHub: Rookie of the 12 months
- Playstyle: Opportunistic Offense (Ransomware-as-a-Provider, RaaS)
- Largest Win: Frontier Communications (Telecom & Infrastructure)
- Notable Drama: Stuck within the fallout of ALPHV’s $22M rip-off.
RansomHub rose from the ashes of Knight Ransomware in early 2024 as some of the lively ransomware actors. Recognized for his or her opportunistic techniques, they made headlines with their association with ALPHV (BlackCat). Their function within the Trade Healthcare breach impacted over 100 million U.S. electorate, highlighting their skill to take advantage of SaaS vulnerabilities, together with misconfigurations, vulnerable authentication, and third-party integrations, maximizing their succeed in and affect.
🏀 At the back of the Play: After being benched by way of ALPHV and shedding their minimize of the $22 million ransom from the Trade Healthcare breach, RansomHub nonetheless held onto the stolen knowledge—a formidable play that stored them within the sport. In spite of the betrayal, this rookie risk actor hit the courtroom with renewed choice, scoring high-profile breaches all through the 12 months, together with Frontier Communications. They’re adamant about staying within the ransomware league, even after a coarse first season.
💡SaaS Safety Courses: Keep alert of phishing makes an attempt that exploit stolen non-public data to create extra convincing assaults. Put in force identification risk detection equipment to watch for indicators of account takeovers and anomalies in consumer actions, enabling well timed id and reaction to doable breaches.
4. LockBit: Grab Participant of the 12 months
- Playstyle: Relentless Offense (Ransomware-as-a-Provider, RaaS)
- Largest Wins: Provide chain impact from Evolve Financial institution & Believe (Fintech)
- Notable Drama: FBI’s Operation Cronos failed to close them down completely.
LockBit dominates the ransomware courtroom, relentlessly scoring breach after breach in spite of the continuing efforts by way of the FBI and NCA to dismantle their infrastructure, more or less like Steph Curry–persistently acting smartly when there is a lot at the line. Prime-profile performs in opposition to Fintech corporations, reminiscent of Evolve Financial institution & Believe, with the availability chain effecting extra corporations reminiscent of Verify and Smart, solidified LockBit’s standing as essentially the most constant offensive participant within the SaaS assault league.
🏀 At the back of the Play: Despite the fact that Operation ‘Cronos’ disrupted their servers and seized crucial infrastructure, the crowd bounced again with unravel, taunting government on their leak website online with daring claims like, “You’ll be able to’t prevent me.” In December 2024, we noticed updates on an previous arrest of an alleged LockBit developer— highlighting the continuing nature of Operation ‘Cronos’, signaling that this world sting is a long way from over.
💡SaaS Safety Courses: Prioritize third-party supplier chance tests and deal with visibility into SaaS app connectivity to locate exploitation pathways early. Use job tracking equipment with risk detection, UEBA (Consumer and Entity Conduct Analytics), and anomaly detection to identify suspicious habits in actual time.
5. Nighttime Snow fall (APT29): The Silent Operator
- Playstyle: Defensive Infiltration (Complex Continual Risk, APT)
- Largest Win: TeamViewer (Far flung Get entry to Instrument)
- Notable Drama: A breach as a gateway for silent espionage.
Relating to state-sponsored espionage, Nighttime Snow fall—aka APT29—performs like Kawhi Leonard operating a flawless defensive play, quietly intercepting knowledge and making strategic strikes with out drawing consideration. This workforce, sponsored by way of Russian state sources, makes a speciality of hacking crucial techniques, with TeamViewer status out in 2024. This workforce is not flashy—they do not drop ransom notes or brag in darkish internet boards. As a substitute, they quietly exfiltrate delicate knowledge, leaving virtual footprints so faint they are just about unattainable to track. Not like ransomware teams, state-sponsored actors like Nighttime Snow fall focal point on cyber espionage, running discreetly to collect intelligence with out triggering any alarms.
🏀 At the back of the Play: Nighttime Snow fall does not play for fast wins—they infiltrate, wait, and watch. The use of state-level techniques, they continue to be hidden inside of networks for months, if no longer years, extracting treasured intelligence with out elevating any alarms. Whilst the corporate in the end contained the TeamViewer breach, the objective’s nature finds Nighttime Snow fall’s intent—that specialize in high-value organizations with intensive utilization, aiming to take advantage of those footholds as launchpads for broader assaults on downstream objectives.
💡SaaS Safety Courses: Keep vigilant for breaches in crucial SaaS packages, ceaselessly centered by way of countryside actors. Carry out common configuration audits to scale back dangers and make sure safe get admission to controls reminiscent of multi-factor authentication (MFA). Proactive auditing is helping decrease breach affect and bounds exploitation pathways.
The 6th Guy: The One to Watch and the Benched Skill
- Hellcat (The Ones to Watch): A ransomware workforce that burst onto the scene in past due 2024, scoring a showed hit on Schneider Electrical. Their speedy emergence and preliminary good fortune sign doable for a extra competitive playbook in 2025.
- Scattered Spider (Benched Skill): As soon as a significant participant in cybercrime, this hybrid social engineering workforce now sits at the bench following arrests and prison crackdowns. Whilst their job slowed, mavens warning it is too early to depend them out.
Each teams are price keeping track of—one for its momentum, the opposite for its recognition and doable comeback tale.
🔑 Key Takeaways for 2025:
- Misconfigurations Stay a High Goal: Risk actors proceed to take advantage of overpassed SaaS misconfigurations, getting access to crucial techniques and delicate knowledge. Common audits, enforced MFA, and credential rotation are crucial defenses.
- Identification Infrastructure Underneath Assault: Attackers leverage stolen credentials, API manipulations, and stealthy exfiltration to circumvent defenses. Tracking for leaked credentials, having sturdy MFA enforcement, anomaly detection, and identification tracking are crucial to fighting breaches.
- Shadow IT and Provide Chain as Access Issues: Unauthorized SaaS packages and app-to-app integrations create hidden vulnerabilities. Steady tracking, proactive oversight, and automatic remediation are crucial for lowering chance publicity.
The root of a multi-layer SaaS safety answer starts with automatic steady chance tests and the mixing of ongoing tracking equipment into your safety control.
This is not their final dance. Safety groups will have to keep knowledgeable, vigilant, and power up for every other 12 months of shielding in opposition to the arena’s maximum prolific risk actors.
Do not watch for the following breach.
Get your SaaS Safety Possibility Overview lately.