In a recent data breach, threat actors targeted customers of Snowflake, a cloud data warehousing platform, without exploiting any vulnerability in Snowflake itself or using advanced hacking techniques. Instead, they logged in with exposed, legitimate credentials, accessed customer accounts, and stole data for extortion. The incident underscores the weaknesses in how credentials are managed and the risk posed by infostealer malware and the stolen credentials it harvests. The Snowflake campaign may turn out to be one of the biggest breaches of 2024, yet the full extent of the impact and the number of affected companies are still unknown.
In late May, a financially motivated threat actor known as UNC5537 advertised data allegedly obtained from major companies, including Ticketmaster and Santander, on a cybercrime forum, claiming the data came from the victims' Snowflake accounts. Several of the affected companies were unaware that systems belonging to their employees or contractors had been infected by infostealer malware, so the harvested Snowflake credentials were already circulating on criminal markets, in some cases for years. According to the analysis by Snowflake and the cybersecurity firm Mandiant, the threat actors accessed individual customer accounts simply by authenticating with these stolen credentials. One critical factor that enabled the breach was the lack of multifactor authentication (MFA) on the affected accounts, and many of them also had no network policy restricting which IP addresses could log in. Without MFA, a valid username and password is often all an attacker needs to gain unauthorized access.
Mandiant's investigation estimated that the threat actors could have accessed the accounts of approximately 165 organizations using these compromised credentials. More victims are likely to be named, but the impact so far has already been significant. Some of the biggest victims to date include Advance Auto Parts, Ticketmaster's parent company Live Nation, Santander, LendingTree, and most recently AT&T.
This breach emphasizes the ongoing threat posed by infostealers and how easily attackers can exploit missing security controls. Organizations are urged to strengthen their security posture, particularly by enforcing MFA on every account, managing credentials vigilantly (including those issued to contractors), and monitoring for campaigns that target their third-party vendors and SaaS providers, so that similar attacks can be prevented or detected early.
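The two gaps described above, accounts that can log in with a password alone and logins that nobody is watching, can be audited directly in Snowflake. The queries below are an added example written for this commentary; they are not from the original post, from Snowflake, or from Mandiant. They use only the documented SNOWFLAKE.ACCOUNT_USAGE views and require a role that can read that schema (for example ACCOUNTADMIN). The network policy name and the IP range are placeholders to be replaced with your own.

```sql
-- Added example (not code from the original post): auditing Snowflake for
-- password-only access and hunting for the login pattern described above.
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE. Note that these
-- views lag live activity by up to a few hours.

-- 1. Which active users still have a password and no MFA enrolled?
--    EXT_AUTHN_DUO is TRUE only when the user has enrolled in Duo-based MFA.
SELECT name,
       login_name,
       email,
       last_success_login,
       has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by source
--    IP and client. A password login with no second factor from an IP or
--    client tool the user has never used before is the shape of activity
--    behind this campaign; compare first_seen against the user's history.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY first_seen DESC;

-- 3. Restrict where logins may originate. The policy name and CIDR are
--    placeholders; verify legitimate ranges (VPN, CI runners, partner
--    integrations) before applying this at the account level, or you will
--    lock out real users.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Run the first two queries on a schedule and alert on any row in the first result set and on new (user, client_ip) pairs in the second; a stolen password used from a residential or VPS address with no second factor will show up there long before the data appears on a forum.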
So far this year, several simple password spraying and credential harvesting attacks have led to massive impacts. These incidents show how exposed credentials significantly elevate the risk to enterprises of all sizes, regardless of how sophisticated the attacker is.
Read more in our commentary here: https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials.