In 2024, SaaS-focused cyber threats surged dramatically. Entra ID blocked 7,000 password attacks every second, marking a 75% increase from 2023. Meanwhile, phishing attacks spiked by 58%, resulting in $3.5 billion in losses, according to the Microsoft Digital Defense Report 2024. Hackers have mastered blending into legitimate usage patterns, making detection more difficult. The SaaS security landscape in 2024 felt like a high-stakes game, filled with standout attackers and unexpected challenges.

As we approach 2025, SaaS security must be a top priority. Regular risk assessments, adopting SaaS Security Posture Management (SSPM) tools, and staying ahead of threats are crucial for protecting sensitive data.

Let’s look at the top players in the 2024 SaaS threat landscape—the MVPs, rising stars, and master strategists that reshaped cybersecurity.


1. ShinyHunters: The MVP of SaaS Cybercrime

Specialty: Precision Breaches
Biggest Hits: Snowflake, Ticketmaster, Authy
Key Drama: Exploited a single misconfiguration to breach over 165 organizations.

ShinyHunters dominated 2024 with high-profile SaaS breaches. Their focus wasn’t on vendor vulnerabilities but on exploiting misconfigurations. For instance, a misstep in Snowflake’s customer configurations allowed them to access and extract sensitive data, then extort the victims, across multiple platforms like Authy and Ticketmaster.

🏀 Game Highlights: These cybercriminals turned stolen data into high-stakes bidding wars on the dark web. Their Snowflake breach sent ripples across industries, exposing systemic security gaps.

💡 Takeaway: Regularly audit SaaS configurations. Enforce Multi-Factor Authentication (MFA), rotate credentials frequently, and implement allow lists to prevent unauthorized access.


2. ALPHV (BlackCat): The Master Strategist

Specialty: Ransomware-as-a-Service (RaaS)
Biggest Hits: Change Healthcare, Prudential
Key Drama: A $22M exit scam that sparked dark web drama.

ALPHV, or BlackCat, made headlines in 2024 with a bold ransomware campaign. They extorted $22 million from Change Healthcare and then staged a fake FBI takedown of their leak site to mislead law enforcement. The drama escalated when their affiliate, RansomHub, accused them of keeping the ransom payout.

🏀 Game Highlights: Despite internal fallout, ALPHV’s high-profile attacks cemented their dominance in the ransomware space.

💡 Takeaway: Strengthen credential security with Single Sign-On (SSO) and monitor the darknet for compromised accounts. Early detection can stop ransomware before it strikes.


3. RansomHub: Rising Star of 2024

Specialty: Opportunistic Ransomware
Biggest Hit: Frontier Communications
Key Drama: Fallout with ALPHV over the $22M Change Healthcare ransom.

RansomHub emerged as a formidable ransomware player in 2024. They targeted SaaS vulnerabilities, including weak authentication and misconfigurations. Despite losing out on the Change Healthcare ransom, they maintained relevance by holding onto stolen data and launching impactful attacks.

🏀 Game Highlights: Their breach of Frontier Communications demonstrated their ability to exploit SaaS weaknesses effectively.

💡 Takeaway: Implement identity detection tools to spot account takeovers early. Proactive monitoring of user behavior can prevent phishing and other attacks.


4. LockBit: The Clutch Performer

Specialty: Relentless RaaS Attacks
Biggest Hit: Evolve Bank & Trust
Key Drama: Survived Operation Cronos, an FBI sting.

LockBit continued its reign as a ransomware powerhouse in 2024. Even after the FBI’s Operation Cronos disrupted their infrastructure, they rebounded to deliver major blows against fintech companies like Evolve Bank & Trust. Their attacks had a cascading effect, impacting supply chains and businesses like Affirm and Wise.

🏀 Game Highlights: LockBit’s adaptability and resilience make them a constant threat in the ransomware ecosystem.

💡 Takeaway: Use User and Entity Behavior Analytics (UEBA) and real-time anomaly detection to monitor suspicious activities. Regular vendor risk assessments can also mitigate supply chain vulnerabilities.


5. Midnight Blizzard: The Silent Operator

Specialty: Advanced Persistent Threats (APTs)
Biggest Hit: TeamViewer
Key Drama: Focused on silent, long-term espionage.

Midnight Blizzard, a Russian state-sponsored group, specializes in quiet infiltration. In 2024, they breached TeamViewer to exfiltrate sensitive data over an extended period. Their focus isn’t financial—it’s intelligence gathering.

🏀 Game Highlights: Midnight Blizzard’s ability to stay hidden for months makes them one of the most dangerous players in the cyber threat landscape.

💡 Takeaway: Conduct regular configuration audits and enforce MFA to minimize risks. Proactive SaaS app monitoring can help detect unusual activities early.


Honorable Mentions: Rising Stars and Comebacks

Hellcat: A new ransomware group targeting Schneider Electric. Watch for their playbook in 2025.
Scattered Spider: Once a dominant social engineering group, they’re sidelined by arrests but could stage a comeback.


Key SaaS Security Tips for 2025

  1. Fix Misconfigurations: Regular audits and MFA enforcement can eliminate easy targets.
  2. Protect Credentials: Monitor for leaks, use SSO, and rotate passwords frequently.
  3. Manage Shadow IT: Keep an eye on unauthorized SaaS apps and app-to-app integrations.
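
The first two tips, together with the ShinyHunters takeaway (MFA, credential rotation, allow lists), can be turned into a repeatable posture check. The script below is an added example, not code from the report or any vendor; the account records are constructed, and the field names, the 90-day rotation limit and the treatment of service accounts are assumptions to adapt to whatever your SaaS admin API or SSPM export provides.

```python
import ipaddress
from datetime import date

# Constructed sample export (not real data); field names are hypothetical.
ACCOUNTS = [
    {"user": "alice", "type": "human", "mfa": True, "sso": True,
     "cred_rotated": "2024-11-02", "allowed_ips": ["203.0.113.0/24"]},
    {"user": "bob", "type": "human", "mfa": False, "sso": False,
     "cred_rotated": "2023-01-15", "allowed_ips": []},
    {"user": "etl_svc", "type": "service", "mfa": False, "sso": False,
     "cred_rotated": "2024-03-01", "allowed_ips": ["0.0.0.0/0"]},
    {"user": "report_svc", "type": "service", "mfa": False, "sso": False,
     "cred_rotated": "2024-12-01", "allowed_ips": ["198.51.100.7/32"]},
]

MAX_CRED_AGE_DAYS = 90      # assumed rotation policy
AS_OF = date(2025, 1, 1)    # fixed audit date so the result is reproducible


def audit_account(acct, today):
    """Return the list of posture findings for one account record."""
    findings = []
    # Interactive MFA and SSO apply to people; service accounts cannot answer
    # a prompt, so for them rotation and a tight allow list carry the weight.
    if acct["type"] == "human":
        if not acct["mfa"]:
            findings.append("no-mfa")
        if not acct["sso"]:
            findings.append("no-sso")
    age_days = (today - date.fromisoformat(acct["cred_rotated"])).days
    if age_days > MAX_CRED_AGE_DAYS:
        findings.append("stale-credential")
    networks = [ipaddress.ip_network(n) for n in acct["allowed_ips"]]
    if not networks:
        findings.append("no-allow-list")
    elif any(n.prefixlen == 0 for n in networks):
        # An allow list containing 0.0.0.0/0 or ::/0 restricts nothing.
        findings.append("allow-list-open")
    return findings


def audit(accounts, today=AS_OF):
    """Map each non-compliant user to its findings; clean accounts are omitted."""
    report = {a["user"]: audit_account(a, today) for a in accounts}
    return {user: f for user, f in report.items() if f}


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

On the sample data, `bob` and `etl_svc` are flagged; the service account shows that an allow list can exist and still permit every address.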

The SaaS threat landscape is evolving rapidly, but with vigilance and proactive measures, you can stay ahead. Don’t wait for the next attack—strengthen your defenses today.