{"id":4486,"date":"2024-07-17T09:00:00","date_gmt":"2024-07-17T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/snowflake-account-attacks-driven-by-exposed-legitimate-credentials"},"modified":"2024-07-17T09:00:00","modified_gmt":"2024-07-17T14:00:00","slug":"snowflake-account-attacks-driven-by-exposed-legitimate-credentials","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/17\/snowflake-account-attacks-driven-by-exposed-legitimate-credentials\/","title":{"rendered":"Snowflake Account Attacks Driven by Exposed Legitimate Credentials"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

Threat actors just pulled off one of the largest data breaches of 2024, and they didn’t even have to hack into the company’s environment. Their goal? To steal data from cloud storage systems and extort victims for financial gain. <\/span><\/p>\n

The campaign against <\/span>Snowflake<\/a><\/span> customers wasn’t the result of novel or sophisticated tactics, techniques, or procedures (TTPs). Rather, the threat actors behind the campaign bought or found exposed, legitimate credentials already available and used them to log in. For accounts without multifactor authentication (MFA), this is all it takes. The ongoing <\/span>Snowflake campaign<\/a><\/span> presents another compelling use case for credential management and a warning about the dangers of infostealers and stolen credentials.<\/span><\/p>\n

In late May 2024, a financially motivated threat actor, tracked as UNC5537, began advertising data from Ticketmaster and Santander for sale in a cybercrime forum, claiming they had breached the <\/span>cloud data warehousing platform Snowflake<\/a><\/span>.<\/span><\/p>\n

Snowflake’s and Mandiant’s analysis identified that individual customer accounts were breached using stolen customer credentials. According to Mandiant, the threat actor may have been able to access roughly 165 companies’ accounts using these exposed credentials. <\/span><\/p>\n

Key Takeaways<\/h2>\n

A few key takeaways:<\/span><\/p>\n

\n
    \n
  1. \n
    <\/span><\/p>\n
    \n

    The affected accounts weren’t configured with MFA. Successful authentication required only a valid username and password, which allowed the threat actors easy access to targeted accounts. <\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  2. \n
    <\/span><\/p>\n
    \n

    Analysis showed some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, which means those credentials hadn’t been rotated or updated. Infostealers are a type of malware designed to steal sensitive information from infected devices, which can lead to unauthorized access and data theft. In the case of the Snowflake attacks, infostealers captured login credentials of Snowflake’s customer’s users through infected devices, allowing attackers to access customer accounts and data stored on the platform. Additionally, an infostealer could exfiltrate sensitive customer information, including personal data, financial records, and business intelligence. <\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  3. \n
    <\/span><\/p>\n
    \n

    The compromised Snowflake instances didn’t have network allow lists. Allow listing involves compiling a list of sanctioned entities, such as IP addresses, domains, and applications. Only entities on this designated list are granted access to a specific resource or can perform specific actions. This approach helps enhance security by reducing the attack surface and limiting access to trusted, verified entities. <\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/div>\n

    Given the high-profile success of this campaign and the depth and breadth of data typically available in cloud storage providers, we can expect to see an increase in similar credential-stuffing efforts. Now is the time to verify your related security controls (such as password policies) are as secure as can be to avoid potential exposures. <\/span><\/p>\n

    How to Boost Defenses<\/h2>\n

    How can you boost your defenses against these types of attacks? <\/span><\/p>\n

    \n