Headline
Snowflake Account Attacks Driven by Exposed Legitimate Credentials
Credential management gets a boost with the latest infostealers’ extortion campaign built on info stolen from cloud storage systems.
Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo
COMMENTARY
Threat actors just pulled off one of the largest data breaches of 2024, and they didn’t even have to hack into the company’s environment. Their goal? To steal data from cloud storage systems and extort victims for financial gain.
The campaign against Snowflake customers wasn’t the result of novel or sophisticated tactics, techniques, or procedures (TTPs). Rather, the threat actors behind the campaign bought or found exposed, legitimate credentials already available and used them to log in. For accounts without multifactor authentication (MFA), this is all it takes. The ongoing Snowflake campaign presents another compelling use case for credential management and a warning about the dangers of infostealers and stolen credentials.
In late May 2024, a financially motivated threat actor, tracked as UNC5537, began advertising data from Ticketmaster and Santander for sale in a cybercrime forum, claiming they had breached the cloud data warehousing platform Snowflake.
Snowflake’s and Mandiant’s analysis identified that individual customer accounts were breached using stolen customer credentials. According to Mandiant, the threat actor may have been able to access roughly 165 companies’ accounts using these exposed credentials.
Key Takeaways
A few key takeaways:
The affected accounts weren’t configured with MFA. Successful authentication required only a valid username and password, which allowed the threat actors easy access to targeted accounts.
Analysis showed some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, which means those credentials hadn’t been rotated or updated. Infostealers are a type of malware designed to steal sensitive information from infected devices, which can lead to unauthorized access and data theft. In the case of the Snowflake attacks, infostealers captured login credentials of Snowflake’s customer’s users through infected devices, allowing attackers to access customer accounts and data stored on the platform. Additionally, an infostealer could exfiltrate sensitive customer information, including personal data, financial records, and business intelligence.
The compromised Snowflake instances didn’t have network allow lists. Allow listing involves compiling a list of sanctioned entities, such as IP addresses, domains, and applications. Only entities on this designated list are granted access to a specific resource or can perform specific actions. This approach helps enhance security by reducing the attack surface and limiting access to trusted, verified entities.
Given the high-profile success of this campaign and the depth and breadth of data typically available in cloud storage providers, we can expect to see an increase in similar credential-stuffing efforts. Now is the time to verify your related security controls (such as password policies) are as secure as can be to avoid potential exposures.
How to Boost Defenses
How can you boost your defenses against these types of attacks?
Enable MFA. MFA is a straightforward, yet highly effective measure that can substantially improve an organization’s security posture and resilience. Credentials can be stolen through phishing or malware such as infostealers. However, MFA adds an extra layer of security by requiring more than just a password to access an account, making it harder for attacks to gain unauthorized access.
Manage your credentials. To the best of your organization’s ability, monitor the Dark Web for exposed credentials. This may be via a vendor, credit monitoring, or other avenues. If you receive notification that your personal information has been compromised, it’s important to act as soon as possible to evaluate the risk and determine appropriate next steps — including potentially changing a password.
Monitor for cyber campaigns targeting your vendors. Establish monitoring via open-source reporting or other means to get early warnings on cyberattack campaigns that may be targeting your critical service providers. Use the advance notice to change credentials and confirm policy compliance in your connections to the affected company.
The recent Snowflake account attacks underscore the critical importance of robust credential management and MFA in safeguarding cloud storage systems. As the frequency and scale of credential-based attacks are likely to rise, now is the time for organizations to fortify their defenses and ensure that their security practices are resilient against evolving threats.
About the Author(s)
Cyber Threat Intelligence Analyst, LastPass
Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.