Cybercrime Groups Exploit Vishing and SSO in SaaS Attacks

Cybersecurity researchers have issued a warning about two cybercrime groups conducting rapid, high-impact attacks that operate almost entirely within the confines of software-as-a-service (SaaS) environments. These groups leave minimal traces of their actions, posing a significant threat to organizations relying on cloud-based platforms.

The two clusters, identified as Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also known as O-UNC-025 and UNC6661), have been linked to high-speed data theft and extortion campaigns. Their primary targets are business environments that heavily utilize SaaS applications, where they can exploit inherent trust relationships and authentication processes.

How the Attacks Work

The attack chain begins with a technique called vishing, a form of voice phishing. Attackers will call employees, often impersonating IT support staff or other trusted figures, to trick them into providing sensitive information or credentials. A common tactic involves convincing a user to reset their multi-factor authentication (MFA) method.

Once the attacker gains access to a user’s account, they do not stop with a single service. They exploit single sign-on (SSO) integrations, which are designed for convenience. By compromising one account that has SSO privileges, the attackers can move laterally across all connected applications without needing to crack new passwords.

This method allows the groups to bypass traditional security controls that focus on perimeter defenses. Since the actions appear to come from legitimate, authenticated user accounts, they are difficult to detect with standard monitoring tools. The attacks are also characterized by their speed; the entire chain from initial compromise to data exfiltration can occur in a matter of hours.

Targeting Core Business Data

The researchers noted that both Cordial Spider and Snarky Spider are specifically targeting business-critical SaaS applications. These include major platforms for email, document storage, and customer relationship management (CRM). By stealing data from these sources, the attackers gain access to highly sensitive corporate information, including financial records, intellectual property, and personal employee data.

Once data is exfiltrated, the groups issue extortion demands. The threat is not just the exposure of the stolen data, but also the risk of business disruption, as the attackers may have maintained persistent access to the compromised SaaS environment. This creates a dual pressure on victims: the threat of a data leak and the threat of further operational sabotage.

Implications for Business Security

The rise of these SaaS-focused attack groups highlights a shift in cybercriminal strategy. Organizations can no longer focus security efforts solely on network perimeters or endpoint devices. The attack surface now includes the authentication processes and trust relationships that link all of a company’s cloud services.

Researchers emphasize that the minimal digital footprint left by these attacks makes post-incident forensics extremely challenging. Standard security information and event management (SIEM) systems may not flag the activity because the logins appear normal and the data access mimics legitimate user behavior.

To defend against these threats, organizations must strengthen identity and access management (IAM) protocols. This includes implementing phishing-resistant MFA methods, monitoring for unusual SSO behavior, and conducting regular reviews of account privileges. User education is also critical, as vishing relies on social engineering to bypass technical controls.
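As an added illustration of "monitoring for unusual SSO behavior" (not code from the article or the researchers it cites), the rule below flags the sequence described earlier: an MFA method reset followed within a short window by SSO sign-ins to several distinct SaaS applications from the same account. The event format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
"""Flag accounts that reset an MFA factor and then fan out via SSO to
many SaaS apps within a short window.  Event schema is assumed; the
sample events below are constructed, not real identity-provider logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified; not a real IdP log format).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "mfa.factor.reset", "app": "idp"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "event": "sso.login", "app": "email"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "event": "sso.login", "app": "docs"},
    {"ts": "2024-05-01T09:09:00", "user": "alice", "event": "sso.login", "app": "crm"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "event": "sso.login", "app": "hr"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "event": "mfa.factor.reset", "app": "idp"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "event": "sso.login", "app": "email"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "event": "sso.login", "app": "email"},
    {"ts": "2024-05-01T11:01:00", "user": "carol", "event": "sso.login", "app": "docs"},
    {"ts": "2024-05-01T11:02:00", "user": "carol", "event": "sso.login", "app": "crm"},
]

def find_suspicious_users(events, window=timedelta(hours=2), min_apps=3):
    """Return {user: sorted apps} for accounts with an MFA factor reset
    followed by SSO logins to >= min_apps distinct apps inside `window`.

    The window and threshold are illustrative assumptions; tune them to
    the normal login fan-out seen in your own environment."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["event"], e["app"]))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per account
        for i, (t0, kind, _) in enumerate(evs):
            if kind != "mfa.factor.reset":
                continue
            # Distinct apps reached via SSO after the reset, within the window.
            apps = {app for t, k, app in evs[i + 1:]
                    if k == "sso.login" and t - t0 <= window}
            if len(apps) >= min_apps:
                hits[user] = sorted(apps)
                break  # one alert per account is enough for triage
    return hits

if __name__ == "__main__":
    for user, apps in find_suspicious_users(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} reset MFA, then reached {len(apps)} apps via SSO: {apps}")
```

Only "alice" is flagged: "bob" reached a single app after the reset, and "carol" fanned out without a preceding reset, so a rule keyed on the reset keeps the alert volume low at the cost of missing sessions hijacked by other means.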

Forward-Looking Guidance

Security experts expect the frequency of these rapid SaaS extortion attacks to increase as other cybercrime groups observe the success of Cordial Spider and Snarky Spider. The evolution of these techniques suggests that attackers are dedicating more resources to understanding the architecture of enterprise cloud environments.

Organizations are advised to adopt a zero trust security model, which assumes that no user or device is trusted by default, even if they are already inside the network. This approach requires continuous verification of every access request. The development of specialized detection tools for lateral movement within SaaS environments is also expected to become a priority for the cybersecurity industry in the coming months.

Source: Delimiter Online