In 2024, cyberthreats targeting SaaS grew: Microsoft blocked 7,000 password attacks per second on Entra ID alone (a 75% year-over-year increase), phishing attempts rose 58%, and reported losses reached $3.5 billion (source: Microsoft Digital Defense Report 2024). SaaS attacks are on the rise, and attackers often evade detection by hiding inside legitimate usage patterns: valid credentials, sanctioned apps, normal-looking API calls. The cyber threat arena has seen great players, unexpected underdogs and relentless scorers make their mark on the SaaS security playing field.
As we enter 2025, security teams must prioritize SaaS security risk assessment to identify misconfigurations, adopt SSPM tools for continuous monitoring, and proactively protect their environments.
Here are the cyber threat stars to look out for—the MVPs, rising stars, and master strategists who shaped the game.
1. ShinyHunters: Most Valuable Player
- Play style: Accurate shots (cybercriminal organization)
- Biggest wins: Snowflake, Ticketmaster and Authy
- Famous drama: Used one customer-side misconfiguration to breach 165+ organizations.
ShinyHunters' 2024 season was a string of SaaS breaches that exposed sensitive data from platforms such as Authy and Ticketmaster. Their Snowflake campaign did not rely on a vendor vulnerability; it relied on a single gap that went unnoticed by Snowflake customers: accounts protected only by a password, with no MFA enforced. With stolen credentials in hand, ShinyHunters could log in, exfiltrate data and extort any Snowflake customer that had not enforced MFA or otherwise hardened its SaaS environment.
🏀 Behind the game: ShinyHunters operated like every darknet star, cashing in on SaaS misconfigurations rather than exotic exploits. Their stolen data dumps were not quiet affairs; they were theatrical releases complete with bidding wars and exclusive leaks. The Snowflake campaign alone caused widespread panic, because stolen credentials became the direct entry point to mission-critical systems.
💡SaaS Security Lessons: Snowflake's investigation attributed the compromises to customer-side failures, not a vendor flaw. Affected organizations had not enforced MFA, had not rotated long-lived credentials, and had not restricted access with network allowlists, leaving their accounts open to anyone holding a leaked password.
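The three customer-side gaps named above (no MFA, stale credentials, no network allowlist) are all visible in a login-history export. The script below is an added illustration, not code from the original post or from any vendor: it runs a simple audit over constructed sample login rows (the users, IPs and timestamps are made up) and flags the accounts that match the pattern the Snowflake campaign exploited. The column names are assumptions chosen for the example, not any particular product's schema.

```python
"""Audit constructed SaaS login records for the three gaps behind the Snowflake
compromises: password-only logins without MFA, logins from outside a network
allowlist, and credentials that have not been rotated.
Added example with constructed data; column names are assumptions, not a vendor schema."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows in the shape of a login-history export (not real data).
SAMPLE_LOGINS = [
    {"user": "etl_svc", "ts": "2024-05-20T02:14:00", "ip": "185.220.101.7",
     "auth": "PASSWORD", "mfa": False, "pw_set": "2022-11-03"},
    {"user": "etl_svc", "ts": "2024-05-21T03:02:00", "ip": "185.220.101.7",
     "auth": "PASSWORD", "mfa": False, "pw_set": "2022-11-03"},
    {"user": "alice", "ts": "2024-05-21T09:30:00", "ip": "10.20.30.40",
     "auth": "SAML", "mfa": True, "pw_set": "2024-04-01"},
    {"user": "bob", "ts": "2024-05-21T10:05:00", "ip": "10.20.31.9",
     "auth": "PASSWORD", "mfa": False, "pw_set": "2024-05-01"},
]
# Hypothetical corporate egress range that the tenant's network policy should allow.
ALLOWLIST = [ip_network("10.20.0.0/16")]
# Fixed "now" so the audit is reproducible for the sample data.
SAMPLE_NOW = datetime(2024, 5, 22)


def in_allowlist(ip, allowlist):
    """True if the source address falls inside any allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in allowlist)


def audit_logins(logins, allowlist, now, max_pw_age_days=90):
    """Return {user: sorted list of finding codes} for every user in the export."""
    findings = {}
    for row in logins:
        issues = findings.setdefault(row["user"], set())
        # Gap 1: password-only login with no second factor (SSO/SAML logins are not flagged).
        if row["auth"] == "PASSWORD" and not row["mfa"]:
            issues.add("NO_MFA")
        # Gap 2: login from an address the network policy should have blocked.
        if not in_allowlist(row["ip"], allowlist):
            issues.add("OUTSIDE_ALLOWLIST")
        # Gap 3: credential older than the rotation window.
        if now - datetime.fromisoformat(row["pw_set"]) > timedelta(days=max_pw_age_days):
            issues.add("STALE_CREDENTIAL")
    return {user: sorted(issues) for user, issues in findings.items()}


def high_risk_users(findings):
    """Users matching the full Snowflake pattern: password-only login, no MFA,
    and a successful login from a non-allowlisted address."""
    return sorted(u for u, i in findings.items()
                  if "NO_MFA" in i and "OUTSIDE_ALLOWLIST" in i)


def run_sample():
    """Run the audit over the constructed sample rows."""
    return audit_logins(SAMPLE_LOGINS, ALLOWLIST, SAMPLE_NOW)


if __name__ == "__main__":
    result = run_sample()
    for user, issues in result.items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
    print("high risk:", high_risk_users(result))
```

On the sample data the service account `etl_svc` is the only high-risk user: it logs in with a password only, from an address outside the corporate range, with a credential that has not been rotated in over a year, which is exactly the profile of the accounts that were emptied in 2024. `bob` has no MFA but is still inside the allowlist, so he is a finding to fix, not an active exposure. A real audit would feed the same checks with the tenant's actual login history and network policy.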
2. ALPHV (BlackCat): Master of Deception
- Play style: Strategic maneuvering (Ransomware as a Service, RaaS)
- Biggest Wins: Change Healthcare, Prudential (Healthcare and Finance)
- Famous drama: The $22 million affiliate exit scam.
ALPHV, aka BlackCat, made one of the boldest moves of the year in 2024. After extorting $22 million from Change Healthcare, an intrusion that began with compromised credentials, the group brazenly put a fake law-enforcement seizure notice on its own leak site to mislead both authorities and affiliates. The real drama started when the affiliate behind the attack publicly accused ALPHV of keeping the entire ransom and leaving them empty-handed, posting the Bitcoin transaction as evidence. Despite the betrayal, the affiliate still held the stolen data, which later surfaced on RansomHub's leak site, so Change Healthcare had paid a ransom and still faced exposure of the data.
🏀 Behind the game: The fallout between ALPHV and its affiliates has played out like a cybercrime soap opera, with conflicting stories and heated accusations on dark web forums. Despite the chaos, ALPHV's attacks on Prudential and others cemented their reputation as one of the most formidable ransomware players of the year.
💡SaaS Security Lessons: For prevention, track credential leaks with darknet monitoring and implement single sign-on (SSO) so that one well-protected identity replaces many standalone passwords. For detection and response, alert on unusual authentication events, detect compromised credentials early, and enforce account lockout policies so brute-force and credential-stuffing attempts fail before they succeed.
3. RansomHub: Rookie of the Year
- Play style: Opportunistic crime (Ransomware as a Service, RaaS)
- Biggest win: Frontier Communications (Telecommunications and infrastructure)
- Famous drama: Got caught in the $22 million ALPHV scam.
RansomHub rose from the ashes of Knight Ransomware in early 2024 and quickly became one of the most active ransomware players. Known for opportunistic tactics, they made headlines through their entanglement with ALPHV (BlackCat). Their role in the Change Healthcare breach, which affected more than 100 million people in the US, highlighted their ability to exploit SaaS weaknesses such as misconfigurations, weak authentication and third-party integrations to maximize reach and impact.
🏀 Behind the performance: After ALPHV exit-scammed its affiliate out of a share of the $22 million Change Healthcare ransom, the stolen data resurfaced on RansomHub's leak site, a power play that kept them in the game. This fledgling threat actor then took the court with renewed determination, racking up high-profile breaches over the course of the year, including Frontier Communications. They are determined to stay in the ransomware league, even after a rough first season.
💡SaaS Security Lessons: Be wary of phishing attempts that use previously stolen personal information to build more convincing lures. Deploy identity threat detection tools that monitor for signs of account takeover and anomalies in user activity, so that a hijacked account is spotted and contained before it is used for lateral movement.
4. LockBit: Clutch Player of the Year
- Play style: Relentless pressure (Ransomware as a Service, RaaS)
- Biggest Wins: Evolve Bank & Trust (Fintech), with supply-chain effects on its partners
- Famous drama: Operation Cronos, led by the UK's NCA with the FBI, could not stop them completely.
LockBit dominated the ransomware court, racking up breach after breach despite constant efforts by the FBI and the UK's NCA to dismantle their infrastructure, delivering under pressure the way a clutch shooter does when the stakes are high. High-profile plays against fintech companies like Evolve Bank & Trust, with supply-chain impacts on downstream customers such as Affirm and Wise, cemented LockBit's status as the most consistent offensive player in the SaaS attack league.
🏀 Behind the game: Even after Operation Cronos disrupted their servers and took over critical infrastructure, the group fought back, taunting the authorities on their leak site with bold statements along the lines of "you can't stop me." In December 2024 came further charges tied to the earlier arrest of an alleged LockBit developer, a reminder that Operation Cronos is ongoing and that this global action is far from over.
💡SaaS Security Lessons: Prioritize third-party vendor risk assessments and keep visibility into SaaS-to-SaaS connections so that a compromise at a supplier is detected early. Use activity monitoring with threat detection, UEBA (User and Entity Behavior Analytics) and anomaly detection to surface suspicious behavior in near real time.
5. Midnight Blizzard (APT29): Silent operator
- Play style: Defensive infiltration (Advanced Persistent Threat, APT)
- Biggest win: TeamViewer (Remote Access Tool)
- Famous drama: The breach as a gateway for silent espionage.
When it comes to state-sponsored espionage, Midnight Blizzard, aka APT29, plays like Kawhi Leonard: flawless defense, calmly intercepting data and making strategic moves without drawing attention. Backed by Russian state resources, the group specializes in compromising critical systems, and its 2024 intrusion at TeamViewer stood out. This group does not seek the spotlight; they do not drop ransom notes or brag on dark web forums. Instead, they quietly exfiltrate sensitive data, leaving digital trails so faint they are nearly impossible to trace. Unlike ransomware groups, state-sponsored entities like Midnight Blizzard focus on cyberespionage, gathering intelligence discreetly without setting off alarms.
🏀 Behind the game: Midnight Blizzard doesn't play for quick wins; they penetrate, wait and watch. Using state-level tradecraft, they remain hidden in networks for months, if not years, extracting valuable information without causing any alarm. While TeamViewer ultimately contained the intrusion, the choice of target shows Midnight Blizzard's intent: high-value, widely deployed vendors whose footholds can serve as launching pads for broader attacks on downstream targets.
💡SaaS Security Lessons: Monitor the mission-critical SaaS applications that nation-state actors favor, including remote access tools. Perform regular configuration audits to reduce exposure and enforce secure access controls such as multi-factor authentication (MFA). Active auditing limits the damage of a breach and narrows the attack paths available to an intruder who already has a foothold.
The Sixth Man: Who to watch and on the talent bench
- Hellcat (The One to Watch): The ransomware group that burst onto the scene at the end of 2024, scoring a confirmed hit on Schneider Electric. Their rapid emergence and early success signal the potential for more aggressive play in 2025.
- Scattered Spider (bench talent): Once a major player in cybercrime, this social-engineering-driven group now sits on the bench after arrests and prosecutions. Although their activity has slowed, experts warn that it is too early to count them out.
Both groups are worth watching — one for its momentum, the other for its reputation and potential comeback story.
🔑 Main conclusions for 2025:
- Misconfigurations remain the main target: Threat actors continue to exploit missed SaaS misconfigurations, gaining access to critical systems and sensitive data. Regular audits, enforced MFA and credential rotation are important safeguards.
- Identity infrastructure under attack: Attackers use stolen credentials, API abuse and evasion techniques to bypass defenses. Credential leak monitoring, strict MFA enforcement, anomaly detection and identity monitoring are critical to preventing breaches.
- Shadow IT and supply chain as entry points: Unauthorized SaaS applications and integration between applications create hidden vulnerabilities. Continuous monitoring, proactive surveillance, and automated remediation are essential to mitigate risk.
The foundation of a multi-layered SaaS security solution starts with automated continuous risk assessment and the integration of continuous monitoring tools into your security management.
This is not their last dance. Security teams must stay informed, vigilant, and prepare for another year of defending against the world’s most effective threats.
Don’t wait for the next breach.
Get your SaaS Security risk assessment today.