The Case of SailPoint Built in Admin Accounts: Full Tenant Access Granted
What do the Snowflake breach, the Okta breach, and the Microsoft Midnight Blizzard attack have in common? In each case a threat actor broke in through a SaaS provider environment that wasn't protected with MFA and used that access to gain a foothold into other organizations that were using that application. This underscores an important trend: threat actors are shifting their tactics away from direct attacks on businesses and are instead targeting third-party vendors as an entry point.
SaaS is the Achilles' heel of organizations. With so many apps, app-to-app connections, and permissions, and a lack of centralized controls, SaaS ecosystems are almost certainly goldmines for bad guys looking to exploit weaknesses in order to exfiltrate data or encrypt it and hold it for ransom.
No vendor is safe. While many of these vendors allow their customers to enable controls to prevent unauthorized access, like Microsoft Lockbox, how can you know for sure the vendor is maintaining access to your tenant securely? Who rotates the keys? Who owns them and ensures they’re secured? Hell, does the vendor have an internal “Just In Time Access” process?
Along with the potentialities of poor security hygiene on the part of your vendors, there are other risks that often come with vendor relationships. One example of this is the existence of backdoor admin accounts into your tenant that are maintained by your vendors. These backdoor accounts are used to provide support to customers, but they introduce risks and, if misused or compromised, can lead to data exposure.
The Case of SailPoint’s Built-In Admin Accounts
SailPoint, a leading identity provider, includes two built-in organizational admin accounts, slpt.services and slpt.support, within its SaaS solution. These accounts are used to provide customer support and ensure smooth operations. While these accounts are designed with good intentions, they introduce potential risks:
- Initial Access Without Consent:
- For the first six months after integration, these accounts can access an organization’s tenant without requiring explicit consent.
- This unrestricted access aims to facilitate onboarding and troubleshooting, but it also means that administrators might not even be aware of these backdoor entries.
- Consent Requirement After Six Months:
- After the initial period, SailPoint requires explicit consent from the organization before accessing its tenant.
- While this is a positive step, the accounts still exist, and their presence continues to pose a potential risk if compromised or exploited.
The Risks of Backdoor Admin Accounts
While built-in admin accounts may serve operational purposes, their existence creates vulnerabilities that organizations should not overlook:
- Potential for Compromise:
- If the credentials for these accounts are compromised—whether through phishing, brute force, or other means—an attacker could gain unrestricted access to the tenant.
- Given the Org–OWNER permissions of these accounts, this could lead to exposure of sensitive data, configuration changes, or worse.
- Abuse of Privileged Access:
- These accounts could be abused by internal or external actors, either intentionally or unintentionally, to access sensitive organizational data.
- Without adequate monitoring, unauthorized activity might go undetected for extended periods.
- Lack of Transparency:
- Many organizations may be unaware that these accounts exist, leaving them blind to potential risks.
- Without visibility into how and when these accounts are used, organizations cannot ensure their data is fully protected.
How Reco Can Help
Reco is designed to provide organizations with the visibility and control needed to address potential risks like those posed by backdoor admin accounts. With specific posture checks and alerts, Reco can help safeguard your SaaS environment from unauthorized access or abuse of built-in accounts, such as slpt.services and slpt.support in SailPoint.
1. Proactive Monitoring of Admin Accounts
Reco continuously monitors the activity of built-in admin accounts to detect any unusual behavior. By providing real-time visibility into when and how these accounts are being accessed, Reco ensures organizations can identify potential abuse before it leads to a breach.
- Alerts are triggered for suspicious activities such as:
- Access from unusual locations or devices.
- Login attempts outside business hours.
- Actions inconsistent with the account's intended purpose.
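The three alert conditions above can be expressed as a small rule set run over the tenant's audit log. The following is an added example (not Reco's or SailPoint's code): the event format, the baseline of expected countries, business hours and support actions, and the sample log lines are all constructed for illustration, and a real deployment would feed the tenant's actual audit events into the same logic.

```python
"""Flag anomalous use of the vendor-managed accounts slpt.services / slpt.support.

Added example, not Reco's or SailPoint's code. The event shape, BASELINE values
and SAMPLE_LOG below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

VENDOR_ACCOUNTS = {"slpt.services", "slpt.support"}

# Constructed baseline (assumption): where, when and for what the vendor
# support accounts are expected to be used in this tenant.
BASELINE = {
    "allowed_countries": {"US"},
    "business_hours_utc": (13, 22),  # 13:00 inclusive to 22:00 exclusive, weekdays only
    "expected_actions": {"READ_CONFIG", "VIEW_SOURCE", "RUN_DIAGNOSTIC"},
}


@dataclass(frozen=True)
class Alert:
    account: str
    timestamp: str
    reason: str


def parse_events(raw_lines):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in raw_lines if line.strip()]


def evaluate_event(event, baseline=BASELINE):
    """Return the alerts raised by one event; an empty list means nothing suspicious.

    Events from accounts other than the vendor accounts are ignored here, since
    the point of this check is the built-in accounts specifically.
    """
    account = event.get("actor")
    if account not in VENDOR_ACCOUNTS:
        return []
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    ts = ts.astimezone(timezone.utc)
    alerts = []

    # Access from an unusual location.
    country = event.get("country")
    if country not in baseline["allowed_countries"]:
        alerts.append(Alert(account, event["timestamp"],
                            f"access from unexpected country {country}"))

    # Login / activity outside business hours (or on a weekend).
    start, end = baseline["business_hours_utc"]
    if not (start <= ts.hour < end) or ts.weekday() >= 5:
        alerts.append(Alert(account, event["timestamp"], "login outside business hours"))

    # Action inconsistent with the account's support purpose.
    action = event.get("action")
    if action not in baseline["expected_actions"]:
        alerts.append(Alert(account, event["timestamp"],
                            f"action {action} inconsistent with support role"))
    return alerts


def evaluate_log(raw_lines, baseline=BASELINE):
    """Run evaluate_event over every line of an audit log and collect the alerts."""
    alerts = []
    for event in parse_events(raw_lines):
        alerts.extend(evaluate_event(event, baseline))
    return alerts


# Constructed sample audit log (2024-06-03 is a Monday).
SAMPLE_LOG = """
{"timestamp": "2024-06-03T15:12:00Z", "actor": "slpt.support", "country": "US", "action": "READ_CONFIG"}
{"timestamp": "2024-06-03T16:40:00Z", "actor": "alice@example.com", "country": "DE", "action": "CREATE_USER"}
{"timestamp": "2024-06-04T02:05:00Z", "actor": "slpt.services", "country": "BR", "action": "READ_CONFIG"}
{"timestamp": "2024-06-05T18:30:00Z", "actor": "slpt.services", "country": "US", "action": "MODIFY_ROLE"}
"""

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_LOG.splitlines()):
        print(f"{alert.timestamp} {alert.account}: {alert.reason}")
```

Run against the constructed log, the first vendor event is clean, the 02:05 UTC event from BR raises two alerts (location and hours), and the MODIFY_ROLE event raises one (action outside the support role). The baseline is deliberately a plain dictionary so it can be populated from the consent window and support schedule the organization actually agreed with the vendor.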
2. Posture Checks for Built-In Accounts
Reco’s security posture management identifies and assesses risks associated with built-in accounts. This includes ensuring these accounts are configured securely and are not being misused.
- Key posture checks include:
- Ensuring multi-factor authentication (MFA) is enforced for these accounts.
- Identifying unnecessary permissions or overly broad access.
- Highlighting any changes to account configurations that might indicate tampering.
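The posture checks listed above amount to evaluating each built-in account against a policy and comparing today's configuration with a known-good snapshot so that tampering shows up as a diff. The following is an added example (not Reco's or SailPoint's code): the account attributes (mfa_enforced, roles, allowed_ips, enabled), the role names treated as overly broad, and both snapshots are assumptions constructed for illustration.

```python
"""Posture checks and configuration-drift detection for vendor built-in accounts.

Added example, not Reco's or SailPoint's code. Attribute names, role names and
the two snapshots are constructed assumptions; map them onto the attributes the
tenant actually exposes.
"""
from dataclasses import dataclass, field

# Assumption: role names that grant tenant-wide control and are too broad for support.
BROAD_ROLES = {"ORG_ADMIN", "ORG_OWNER"}


@dataclass
class AccountPosture:
    name: str
    mfa_enforced: bool
    roles: set = field(default_factory=set)
    allowed_ips: set = field(default_factory=set)  # empty set means no IP restriction
    enabled: bool = True


def check_account(acct):
    """Return (account, severity, finding) tuples for one account's current posture."""
    findings = []
    if not acct.enabled:
        return findings  # a disabled account has nothing to enforce right now
    if not acct.mfa_enforced:
        findings.append((acct.name, "HIGH", "MFA not enforced"))
    broad = acct.roles & BROAD_ROLES
    if broad:
        findings.append((acct.name, "HIGH", f"overly broad roles: {sorted(broad)}"))
    if not acct.allowed_ips:
        findings.append((acct.name, "MEDIUM", "no IP allow-list"))
    return findings


def diff_posture(previous, current):
    """Highlight changes between two snapshots that could indicate tampering."""
    changes = []
    prev_by_name = {a.name: a for a in previous}
    for acct in current:
        old = prev_by_name.get(acct.name)
        if old is None:
            changes.append((acct.name, "account newly present"))
            continue
        if old.mfa_enforced and not acct.mfa_enforced:
            changes.append((acct.name, "MFA was disabled"))
        added = acct.roles - old.roles
        if added:
            changes.append((acct.name, f"roles added: {sorted(added)}"))
        if old.allowed_ips and not acct.allowed_ips:
            changes.append((acct.name, "IP allow-list removed"))
        if not old.enabled and acct.enabled:
            changes.append((acct.name, "account re-enabled"))
    return changes


# Constructed snapshots: a known-good baseline and a later state with drift.
BASELINE_SNAPSHOT = [
    AccountPosture("slpt.services", True, {"ORG_ADMIN"}, {"203.0.113.10"}),
    AccountPosture("slpt.support", True, {"HELPDESK"}, {"203.0.113.10"}),
]
CURRENT_SNAPSHOT = [
    AccountPosture("slpt.services", False, {"ORG_ADMIN"}, set()),
    AccountPosture("slpt.support", True, {"HELPDESK", "ORG_OWNER"}, {"203.0.113.10"}),
]


def run_posture_checks(previous, current):
    """Combine per-account findings with the drift report for one assessment run."""
    findings = [f for acct in current for f in check_account(acct)]
    return {"findings": findings, "changes": diff_posture(previous, current)}


if __name__ == "__main__":
    report = run_posture_checks(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    for name, severity, text in report["findings"]:
        print(f"[{severity}] {name}: {text}")
    for name, text in report["changes"]:
        print(f"[CHANGE] {name}: {text}")
```

Against the constructed snapshots the current state yields four findings (slpt.services: MFA off, broad role, no allow-list; slpt.support: broad role) and three changes (MFA disabled and allow-list removed on slpt.services, ORG_OWNER added to slpt.support). Keeping the baseline snapshot outside the tenant itself is what makes the drift check meaningful: an attacker who can change the configuration should not also be able to change the record of what it used to be.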
3. Automated Alerts for Abuse Attempts
When an account such as slpt.services or slpt.support is used in a way that deviates from expected behavior, Reco immediately notifies the appropriate security teams. These alerts enable swift action, whether it's revoking access, locking the account, or investigating further. (See Figure 1)
The Bottom Line
The presence of backdoor admin accounts in SaaS integrations like SailPoint highlights a broader issue: the trade-off between convenience and security. While these accounts can facilitate smooth operations and speedy customer service, they also create another potential attack vector for your organization.
Organizations must demand transparency from their SaaS providers while implementing robust internal controls and tools, like Reco, to mitigate the risks.
ABOUT THE AUTHOR
Dvir Sasson
Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.