A Mandiant investigation of recent account compromises at Snowflake, a data warehousing platform, has confirmed that all of them resulted from a failure by customers to implement multifactor authentication (MFA) and proper access control to their accounts.
According to Mandiant, part of Google Cloud, a financially motivated threat actor that it is tracking as UNC5537 appears to have systematically accessed accounts belonging to at least 165 Snowflake customers, using valid account credentials obtained from elsewhere.
Compromised Credentials the Sole Factor
The attacker has stolen data from the accounts and has either attempted to extort victims with it or has made the data available for sale on cybercrime forums. Though Mandiant has not named any victims, other security vendors have identified Ticketmaster and Santander Bank as being among the many victims of the massive campaign.
“Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment,” the security vendor said. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”
Mandiant has assessed that UNC5537 aggregated credentials for Snowflake accounts from multiple previous information stealer campaigns. In several incidents that Mandiant investigated, the credentials that the threat actor used to access Snowflake customer accounts were obtained from spy Trojans installed on contractor systems. Such credentials are often available for sale and for free on the Dark Web and multiple other sources, Mandiant said.
Significantly, many of the credentials that UNC5537 used to access Snowflake accounts had not been rotated in at least a couple of years. In one instance, the threat actor used a credential from a November 2020 information stealer campaign to access the associated Snowflake account, meaning the victim had not updated that credential in at least four years.
“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure,” Mandiant stressed. “The affected customer instances did not require MFA, and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.”
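The three gaps Mandiant lists (no MFA, credentials left unrotated for years, no network allow list) are all visible in ordinary login records. The following is an added example, not code from the article, Mandiant or Snowflake: it audits a handful of constructed login events whose fields are modelled loosely on a data warehouse login history (user, source IP, first and second authentication factor, date the password was last set) and reports which of the three gaps each account exhibits. The allow-listed networks, the 90-day rotation threshold, the audit date and all sample rows are assumptions constructed for the example.

```python
"""Audit constructed login records for the three control gaps Mandiant named:
no MFA, stale credentials, and logins from outside a network allow list.
Added example; record layout and sample data are constructed, not real."""

from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed allow list: egress ranges an organisation might trust (RFC 5737 test nets).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Assumed rotation policy: passwords older than this are treated as stale.
MAX_PASSWORD_AGE = timedelta(days=90)

# Assumed date on which the audit is run (fixed so the example is reproducible).
AUDIT_DATE = date(2024, 6, 10)


@dataclass
class LoginEvent:
    user: str
    client_ip: str
    first_factor: str              # e.g. "PASSWORD", "KEYPAIR", "OAUTH"
    second_factor: Optional[str]   # e.g. "DUO_PUSH"; None when no MFA was used
    password_last_set: date
    success: bool


def audit_login(event: LoginEvent, today: date) -> List[str]:
    """Return the control gaps exhibited by one login; failed logins are ignored
    because they did not grant access (they are a separate detection concern)."""
    findings: List[str] = []
    if not event.success:
        return findings
    # Gap 1: a password-only login with no second factor means MFA was not enforced.
    if event.first_factor == "PASSWORD" and event.second_factor is None:
        findings.append("no_mfa")
    # Gap 2: the credential used was set longer ago than the rotation policy allows.
    if today - event.password_last_set > MAX_PASSWORD_AGE:
        findings.append("stale_credential")
    # Gap 3: the source address is not inside any trusted network.
    src = ip_address(event.client_ip)
    if not any(src in net for net in ALLOWED_NETWORKS):
        findings.append("outside_allow_list")
    return findings


def audit(events: List[LoginEvent], today: date) -> Dict[str, List[str]]:
    """Aggregate findings per user across all of that user's successful logins."""
    report: Dict[str, set] = {}
    for event in events:
        gaps = audit_login(event, today)
        if gaps:
            report.setdefault(event.user, set()).update(gaps)
    return {user: sorted(gaps) for user, gaps in report.items()}


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # Contractor service account: password from 2020, no MFA, login from an untrusted IP.
    LoginEvent("svc_contractor", "192.0.2.44", "PASSWORD", None, date(2020, 11, 1), True),
    # Analyst: recent password, MFA used, login from a trusted range -> no findings.
    LoginEvent("analyst", "203.0.113.10", "PASSWORD", "DUO_PUSH", date(2024, 5, 1), True),
    # ETL job: trusted range and fresh password, but no second factor.
    LoginEvent("etl_job", "198.51.100.5", "PASSWORD", None, date(2024, 5, 20), True),
    # A failed attempt from outside the allow list is not counted as a gap here.
    LoginEvent("analyst", "192.0.2.99", "PASSWORD", None, date(2024, 5, 1), False),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_EVENTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, gaps in run_sample().items():
        print(f"{user}: {', '.join(gaps)}")
```

The report is keyed by user rather than by event so that an account with one stale-credential login from an untrusted address surfaces once with all of its gaps, which is the shape an access review needs; in a real deployment the event list would come from the platform's login history rather than the constructed rows above.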
The Growing Information-Stealer Threat
Mandiant’s findings are another reminder of the enormous and growing exposure of organizations to credential theft, and of the booming market for information stealers. In recent years, the trend has heightened calls from security experts for organizations to implement MFA and best practices such as zero-trust models and tightly scoped allow lists to control access to data in the cloud.
“Mandiant assesses MFA would have prevented compromise of Snowflake accounts in this campaign,” says Austin Larsen, senior threat analyst at Mandiant. “Mandiant has not identified evidence of the actor being able to bypass MFA” in any of the observed incidents.
Larsen says Snowflake’s status as a multicloud data warehousing platform that organizations use to store and analyze large amounts of structured and unstructured data, likely made it a good target for the attackers. “Often these databases contain valuable and sensitive information, which is an attractive target for financially motivated actors,” he says. “This increases the likelihood of the threat actor monetizing this data via extortion and/or sale through underground forums.”
Interestingly, while the compromise of Snowflake accounts has received a lot of attention, Mandiant has identified non-Snowflake customers as well that UNC5537 has targeted going back at least six months, Larsen adds.
Jason Soroko, senior vice president of product at Sectigo, says that while Mandiant’s Snowflake findings should be on billboards, the message itself has been repeated a countless number of times, continuing to fall on deaf ears.
“We must implement stronger forms of authentication than passwords and move past even needing MFA,” he says. “We have already learned these lessons many times. We have also heard the excuses why doing this is so difficult. Nothing will change until the will to do the right thing exists.”
Julianna Lamb, chief technology officer and co-founder of Stytch, says companies that continue using passwords as a form of authentication need to ensure proper controls over their use. This means not permitting password reuse and making it as easy as possible for users to generate strong passwords.
She also recommends that organizations monitor sites such as HaveIBeenPwned’s database to ensure that users aren’t using a breached password. “It’s also important to invest in multiple layers of protection beyond passwords, such as bot prevention measures to identify when bots are on-site and being used for credential stuffing, and implementing two-factor authentication.”
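Checking a password against a breached-password corpus, as recommended above, does not require sending the password, or even its full hash, to anyone: the Pwned Passwords API uses a k-anonymity range query in which the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The following is an added example, not code from the article, from Stytch or from Have I Been Pwned: it implements that client-side protocol and checks it against a constructed range response so it runs offline (the count of 1234 is made up; the real service returns its own counts). The `fetch_range_from_hibp` helper shows the real endpoint shape but is not called by the sample.

```python
"""Breached-password check using the k-anonymity range protocol.
Added example; the range response used below is constructed, not a real reply."""

import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 if not found).
    Only the 5-character hash prefix is handed to range_lookup; the 35-character
    suffix never leaves this function."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup against the real API (not used by the offline sample below)."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6, which is the prefix of
# SHA-1("password"). The suffixes other than the real one, and every count,
# are invented for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "0012A3C9D9B1F0E2C4A5B6C7D8E9F0A1B2C3D4E:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "FFEE00112233445566778899AABBCCDDEEFF001:7",
    ]),
}


def constructed_lookup(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def is_acceptable(password: str, range_lookup: Callable[[str], str] = constructed_lookup) -> bool:
    """Policy helper: reject any password seen in the breach corpus at all."""
    return pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3-constructed-9f1"]:
        print(candidate, "->", pwned_count(candidate, constructed_lookup))
```

Rejecting on any nonzero count, rather than above some threshold, is the usual choice for a sign-up or password-change form: the credential-stuffing lists that drove the campaign above are built from exactly these leaked hashes, so a single prior appearance is enough to make the password unsafe to keep.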
Source: www.darkreading.com