
Snowflake Account Attacks Stemming from Publicly Exposed Legitimate Credentials

In a recent cyber attack, threat actors successfully orchestrated one of the most significant data breaches of 2024 without even having to hack into the targeted company’s environment. Their objective? To pilfer data from cloud storage systems and then extort the victims for financial gain.

The assault on Snowflake customers wasn’t a display of innovative or intricate tactics, techniques, or procedures (TTPs). Instead, the threat actors involved in the operation either purchased or stumbled upon exposed, legitimate credentials that were readily available, utilizing them to gain unauthorized access. For accounts lacking multifactor authentication (MFA), this simple method proved sufficient. The ongoing Snowflake campaign serves as yet another potent example of the importance of credential management and serves as a stark reminder of the perils associated with infostealers and stolen credentials.

In late May 2024, a financially motivated threat actor tracked as UNC5537 began advertising the sale of data obtained from Ticketmaster and Santander, claiming to have breached the cloud data warehousing platform Snowflake.

Analyses conducted by Snowflake and Mandiant revealed that individual customer accounts were compromised using stolen customer credentials. Mandiant estimates that the threat actor gained access to approximately 165 companies’ accounts by exploiting these exposed credentials.

Several key takeaways from the breach shed light on the weaknesses the threat actors exploited. The lack of multifactor authentication on affected accounts made them accessible with nothing more than a valid username and password. Furthermore, some of the credentials identified in infostealer malware output had been circulating on the Dark Web for extended periods, underscoring the need for regular credential rotation. Additionally, the compromised Snowflake instances had no network allow lists, so logins were accepted from any source address; restricting access to known network ranges would have blocked the attacker's connections even with valid credentials.

Given the success and impact of these attacks, it is anticipated that similar credential-stuffing endeavors will proliferate in the future, targeting cloud storage providers due to the vast amount of data they house. Consequently, organizations are advised to review and reinforce their security controls, such as password policies, to avert potential vulnerabilities and exposures.

To enhance defenses against such attacks, organizations are encouraged to implement multifactor authentication and diligently monitor their credentials for any signs of compromise. Establishing protocols to monitor cyber campaigns targeting crucial service providers can provide early warnings and facilitate timely action to mitigate risks.
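The controls described in the takeaways above (MFA, credential rotation, network allow lists) and the monitoring recommended here map directly onto Snowflake's own account-usage views and account-level settings. The following is an added example, not part of the original article or of Snowflake's or Mandiant's published material; it assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share (for example ACCOUNTADMIN), and the IP ranges and user name are placeholders.

```sql
-- Added example (not from the article). Assumes a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE and alter the account; IP ranges are placeholders.

-- 1. Detection: successful password-only logins in the last 30 days.
--    Each row is an account that an exposed password alone would open.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY last_seen DESC;

-- 2. Inventory: enabled users that hold a password but are not enrolled in MFA.
--    Columns are VARIANT in this view, hence the TO_BOOLEAN casts.
SELECT name, login_name, created_on, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT TO_BOOLEAN(disabled)
  AND  TO_BOOLEAN(has_password)
  AND  NOT TO_BOOLEAN(ext_authn_duo)
ORDER  BY last_success_login NULLS FIRST;

-- 3. Network allow list: only the listed ranges may authenticate, so a
--    leaked password used from elsewhere is refused at login.
--    203.0.113.0/24 and 198.51.100.10 are documentation (TEST-NET) placeholders.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Restrict Snowflake logins to corporate egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Rotation: force a new password on a user whose credential was found
--    in infostealer output (placeholder user and password).
ALTER USER example_analyst
  SET PASSWORD = '<replace-with-generated-strong-password>'
      MUST_CHANGE_PASSWORD = TRUE;
```

Run queries 1 and 2 on a schedule and alert on new rows; ACCOUNT_USAGE views lag live activity by up to a few hours, so they complement rather than replace real-time login alerting.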

The recent wave of attacks on Snowflake accounts underscores the critical importance of robust credential management and multifactor authentication in shielding cloud storage systems. As the frequency and sophistication of credential-based attacks continue to escalate, organizations are urged to bolster their security measures and ensure their defenses are resilient against evolving threats.
