Snowflake Cloud Accounts Brought Down by Widespread Credential Problems

A recent investigation by Mandiant into a series of account compromises at Snowflake, a popular data warehousing platform, has revealed that the root cause of these breaches was the failure of customers to implement multifactor authentication (MFA) and proper access controls. Mandiant, a division of Google Cloud, has identified a financially motivated threat actor known as UNC5537 as the culprit behind the systematic access of accounts belonging to at least 165 Snowflake customers.

According to Mandiant, UNC5537 had been able to infiltrate these accounts by obtaining valid credentials from various sources and then using them to steal data, which was subsequently either used for extortion purposes or put up for sale on underground cybercrime forums. While specific victims have not been named by Mandiant, other security vendors have recognized Ticketmaster and Santander Bank among the many entities impacted by this extensive campaign.

Mandiant’s investigation concluded that the compromised customer credentials did not come from any breach of Snowflake’s own enterprise environment, but from earlier information-stealer campaigns. Specifically, the credentials the threat actor used to access Snowflake accounts had been harvested by infostealer Trojans running on contractor systems. These credentials, readily available on the Dark Web and elsewhere, had in some cases not been rotated for years, leaving the accounts open to abuse.

It is crucial to note that UNC5537’s attack on Snowflake customer instances did not rely on sophisticated methods; it exploited the absence of MFA, infrequent credential rotation, and the lack of network allow lists constraining access to trusted locations. The absence of these basic controls is what let already-stolen credentials be turned into data theft, highlighting the urgent need for organizations to take proactive steps to safeguard their data.
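The three gaps the article names (no MFA, stale passwords, no network allow list) can each be checked and closed from inside a Snowflake account. The queries and statements below are an added example, not from the article or from Mandiant; they assume the ACCOUNTADMIN role, use Snowflake's documented ACCOUNT_USAGE views, and treat the policy names, the CIDR range and the authentication-policy feature (present in newer Snowflake releases) as placeholders and assumptions.

```sql
-- Added example: audit and harden a Snowflake account against the
-- credential-abuse pattern described in the article. Assumes ACCOUNTADMIN.
-- ACCOUNT_USAGE views lag live activity by up to a few hours.

-- 1. Users who can log in with a password but have no MFA enrolled
--    (EXT_AUTHN_DUO is the Duo-based MFA enrollment flag).
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Passwords not rotated in over a year (the stale-credential gap).
SELECT name, password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP())
ORDER BY password_last_set_time;

-- 3. Successful password-only logins in the last 30 days, by source IP
--    and client: where use of stolen credentials surfaces in LOGIN_HISTORY.
SELECT user_name, client_ip, reported_client_type, COUNT(*) AS logins
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 4. Constrain access to trusted locations. 203.0.113.0/24 is a
--    documentation-range placeholder for the organisation's own egress IPs.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 5. Require MFA enrollment going forward via an authentication policy
--    (assumption: the account is on a release that supports this feature).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the audit queries before applying the network policy, since any service account whose source IP is missing from the allow list will be locked out the moment it takes effect.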

Mandiant’s findings underscore the escalating threat posed by information stealers and the pressing need for organizations to fortify their defenses against credential theft. Security experts have emphasized the significance of implementing MFA, adopting zero-trust models, and employing restricted access controls to mitigate the risk of unauthorized data access in cloud environments.

Austin Larsen, a senior threat analyst at Mandiant, asserts that the implementation of MFA could have averted the compromise of Snowflake accounts in this campaign, as there is no evidence suggesting that the threat actor was able to circumvent MFA protections. Larsen explains that Snowflake’s role as a multicloud data warehousing platform storing vast amounts of sensitive information makes it an attractive target for financially motivated actors seeking to exploit valuable data through extortion or sale on illicit platforms.

Despite the focus on Snowflake accounts, Mandiant has identified additional targets of UNC5537 beyond the platform, indicating a broader scope of the threat actor’s activities over the past six months. Industry experts like Jason Soroko, senior vice president of product at Sectigo, stress the importance of moving beyond traditional password-based authentication methods and enforcing stronger security measures to combat evolving cyber threats effectively.

Julianna Lamb, chief technology officer and co-founder of Stytch, emphasizes the need for companies to implement stringent controls over password usage, including preventing reuse and encouraging the creation of robust passwords. Lamb also recommends monitoring databases like HaveIBeenPwned to identify compromised passwords and investing in additional security layers such as bot prevention mechanisms and two-factor authentication to enhance overall protection.

In conclusion, the Snowflake account compromises are a stark reminder of the critical role of robust security practices, including MFA and proactive credential management, in safeguarding sensitive data against persistent cyber attacks. Organizations must prioritize these measures to stay ahead of malicious actors and protect their assets effectively.
