COMMENTARY
Menace actors simply pulled off one of many largest knowledge breaches of 2024, and so they did not even need to hack into the corporate’s atmosphere. Their aim? To steal knowledge from cloud storage techniques and extort victims for monetary achieve.
The marketing campaign in opposition to Snowflake prospects wasn’t the results of novel or subtle ways, methods, or procedures (TTPs). Moderately, the risk actors behind the marketing campaign purchased or discovered uncovered, official credentials already obtainable and used them to log in. For accounts with out multifactor authentication (MFA), that is all it takes. The continued Snowflake marketing campaign presents one other compelling use case for credential administration and a warning in regards to the risks of infostealers and stolen credentials.
In late Could 2024, a financially motivated risk actor, tracked as UNC5537, started promoting knowledge from Ticketmaster and Santander on the market in a cybercrime discussion board, claiming that they had breached the cloud knowledge warehousing platform Snowflake.
Snowflake’s and Mandiant’s evaluation recognized that particular person buyer accounts had been breached utilizing stolen buyer credentials. In keeping with Mandiant, the risk actor might have been capable of entry roughly 165 firms’ accounts utilizing these uncovered credentials.
Key Takeaways
A number of key takeaways:
-
The affected accounts weren’t configured with MFA. Profitable authentication required solely a legitimate username and password, which allowed the risk actors quick access to focused accounts.
-
Evaluation confirmed a few of the credentials recognized in infostealer malware output had been on the market on the Darkish Internet for years and had been nonetheless legitimate, which implies these credentials hadn’t been rotated or up to date. Infostealers are a kind of malware designed to steal delicate info from contaminated units, which might result in unauthorized entry and knowledge theft. Within the case of the Snowflake assaults, infostealers captured login credentials of Snowflake’s buyer’s customers by contaminated units, permitting attackers to entry buyer accounts and knowledge saved on the platform. Moreover, an infostealer might exfiltrate delicate buyer info, together with private knowledge, monetary information, and enterprise intelligence.
-
The compromised Snowflake situations did not have community permit lists. Permit itemizing includes compiling a listing of sanctioned entities, akin to IP addresses, domains, and functions. Solely entities on this designated checklist are granted entry to a selected useful resource or can carry out particular actions. This strategy helps improve safety by decreasing the assault floor and limiting entry to trusted, verified entities.
Given the high-profile success of this marketing campaign and the depth and breadth of information sometimes obtainable in cloud storage suppliers, we will count on to see a rise in related credential-stuffing efforts. Now could be the time to confirm your associated safety controls (akin to password insurance policies) are as safe as could be to keep away from potential exposures.
The right way to Increase Defenses
How are you going to enhance your defenses in opposition to these kind of assaults?
-
Allow MFA. MFA is an easy, but extremely efficient measure that may considerably enhance a corporation’s safety posture and resilience. Credentials could be stolen by phishing or malware akin to infostealers. Nevertheless, MFA provides an additional layer of safety by requiring greater than only a password to entry an account, making it more durable for assaults to realize unauthorized entry.
-
Handle your credentials. To one of the best of your group’s means, monitor the Darkish Internet for uncovered credentials. This can be through a vendor, credit score monitoring, or different avenues. In the event you obtain notification that your private info has been compromised, it is necessary to behave as quickly as potential to judge the chance and decide acceptable subsequent steps — together with doubtlessly altering a password.
-
Monitor for cyber campaigns focusing on your distributors. Set up monitoring through open-source reporting or different means to get early warnings on cyberattack campaigns which may be focusing on your crucial service suppliers. Use the advance discover to alter credentials and ensure coverage compliance in your connections to the affected firm.
The latest Snowflake account assaults underscore the crucial significance of sturdy credential administration and MFA in safeguarding cloud storage techniques. Because the frequency and scale of credential-based assaults are more likely to rise, now could be the time for organizations to fortify their defenses and be sure that their safety practices are resilient in opposition to evolving threats.
_imageBROKER.com_GmbH_&_Co._KG_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&description=Snowflake%20Account%20Attacks%20Driven%20by%20Exposed%20Legitimate%20Credentials){kind=link}