Good day, folks! Another week, another headline-grabbing security incident seems to be dominating the discussion. And I am not talking about Tim Weah’s testy red card vs. Panama, or whatever comes out of the debate tonight. I am talking about a slow boiling issue that impacts all of us. After the last month’s buildup, Snowflake is in the spotlight, but don’t be fooled – this isn’t just about one company’s identity problems, and it has ripples through many. Let’s dive into why Snowflake’s woes are a wake-up call for all of us, and what else it might mean for how we tackle

Snowflake’s Slippery Slope

Snowflake is a cloud data platform carrying over 20% of the business data out there, folks. It is massive – and the list of customers is equally impressive. Despite protecting most of their environment with multi-factor authentication (MFA), adversaries got their hands on stolen login credentials and used them to infiltrate customer accounts and pilfer sensitive data. The kicker? The attackers found ecosystem users with access to demo accounts and used an infostealer to cause a bunch of breaches in rapid succession. But here’s the thing – Snowflake isn’t the real issue. It’s just the canary in the coal mine for a much larger shift in the threat landscape.

We don’t yet know the exact mode of compromise here – there is a lot of conflicting information. What we know is that a BreachForums account called Sp1d3r is trying to sell thousands of Snowflake account credentials. And we have Mandiant publishing some insights about a financially-motivated actor called UNC5537. It turns out that the leak may have originated in service providers who assist customers with Snowflake, but do not work directly for the company. I think we know that this is concerning, but let’s take a look at why this is the focus.

Identity might actually matter more than we want to admit

Over the past few decades, we’ve seen the criminal threat landscape coalesce into two categories: ransomware/data extortion, and then everything else. Everyone’s trying to grab a piece of that billion-dollar pie. Why? It is easy money. The stakes are very lopsided. What begins as a lark and requires relatively little effort for the adversary cripples and threatens the very extinction of the victim. The adversaries go where the money is. And ransom & extortion in cyberspace are easy money.

Cisco’s Talos is reporting that their Incident Response engagements are showing a disturbing trend. While ransomware still dominates, the initial access methods are diversifying. It used to be broad phishing campaigns or watering hole attacks. Now compromised legitimate credentials are becoming the golden ticket for malicious activities. And where are these credentials coming from? Let’s discuss that now.

Infostealers take the lead

Infostealers have grown into a crucial part of the dark web’s economy. They’re highly organized, and conduct widely distributed campaigns. Current infostealer groups hang out in Telegram chat rooms, selling credentials by the boatload. For a fee, actors can get timed access to a repository of credentials to search and use freely. It’s a small price to pay when a single set of enterprise credentials could lead to a multi-million-dollar ransom.

How do they do it? Infostealer groups typically deploy malware that automates the collection and exfiltration of anything worthwhile: credential databases, sensitive information, crypto wallets, customer listings, and the like. Many – like Vidar, Duqu or Raccoon Stealer – still use keyloggers. The goal is to collect anything potentially useful, and then decide later whether it is worthwhile. Or let the market decide.

Initial Access Brokers take that next step

Initial Access Brokers like UNC1878 and Exotic Lily are also a part of this trend, offering that next step – assured access. IABs might use infostealers of their own or credentials sold on the market to gain access. Either way, they typically take it that next step: they are actively running Command & Control and already have Persistence. So eager threat actors don’t have to go far to get these head starts. They just need some cryptocurrency and a dream.

Back to Snowflake’s case

Many enterprises have deployed MFA, but the application isn’t consistent. The focus has largely been on the enterprise domain itself. Snowflake apparently had solid MFA to protect identity almost everywhere, but like many organizations, its power to enforce strong policies on third-party ecosystem vendors or contractors is limited.

With the rise of Software as a Service (SaaS), sensitive data is spread across multiple vendors around the globe. This creates many points of entry for attackers who, in 2024, might be more focused on data exfiltration than unauthorized encryption. We need to come up with more secure ways to allow collaboration on data. Snowflake isn’t unique here, and may be taking arrows for something that could have happened to any SaaS solution provider. We need to learn from this – so what can defenders do while we rethink our industry’s way of handling these cases?

  1. Protect critical data with MFA, wherever it’s housed.
  2. Conduct audits of all external data houses and ensure MFA is configured.
  3. Act on infostealer infections with urgency. Assume all credentials on an infected system have been compromised.
  4. Provide users with a vetted and trusted way to store passwords.
  5. For instances where MFA can’t be deployed, limit account access and increase scrutiny.
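As an added example (not code from the original post), here is a small Python triage over constructed login records modelled on the columns of Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (my assumption about that schema). It flags accounts that still authenticate with a password alone and where those logins came from, which is the starting point for items 1, 2 and 5 above.

```python
"""Find Snowflake-style accounts still relying on a password with no second factor.

Rows are CONSTRUCTED samples shaped like the LOGIN_HISTORY view columns
(assumed schema): user, client IP, client type, first/second factor, success.
"""
from collections import defaultdict, namedtuple

Login = namedtuple(
    "Login", "ts user client_ip client_type first_factor second_factor success"
)

# Constructed sample data, not real telemetry.
SAMPLE_LOGINS = [
    Login("2024-06-01T08:00:00", "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    Login("2024-06-02T09:10:00", "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    Login("2024-06-03T02:45:00", "SVC_DEMO", "198.51.100.7", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    Login("2024-06-03T02:46:00", "SVC_DEMO", "198.51.100.7", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    Login("2024-06-03T03:00:00", "BOB", "192.0.2.55", "SNOWFLAKE_UI", "PASSWORD", None, "NO"),
    Login("2024-06-04T10:00:00", "CAROL", "203.0.113.22", "JDBC_DRIVER", "RSA_KEYPAIR", None, "YES"),
]


def password_only_logins(rows):
    """Successful logins that relied on a password and nothing else.

    Key-pair and SSO logins carry no second factor by design, so only a
    PASSWORD first factor without a second factor counts as exposure.
    """
    return [r for r in rows
            if r.success == "YES" and r.first_factor == "PASSWORD" and r.second_factor is None]


def users_by_mfa_status(rows):
    """Map each user with a successful login to True if every such login had a second factor."""
    status = {}
    for r in rows:
        if r.success != "YES":
            continue
        status.setdefault(r.user, True)
        if r.first_factor == "PASSWORD" and r.second_factor is None:
            status[r.user] = False
    return status


def triage(rows):
    """Per exposed user, the (client IP, client type) pairs that got in with a password alone.

    These are the accounts to enforce MFA on, or to restrict and watch more
    closely where MFA cannot be deployed.
    """
    sources = defaultdict(set)
    for r in password_only_logins(rows):
        sources[r.user].add((r.client_ip, r.client_type))
    return {user: sorted(pairs) for user, pairs in sources.items()}
```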

I hope this has been a helpful take on the Snowflake situation. Feel for those folks – by all accounts there was no neglect and no vulnerability here. But it illustrates the inter-dependencies across our economy and the information age.

Things I’m Keeping an Eye On

  • Sometimes cyberattacks are just not enough – we should always remember state-sponsored adversaries will still resort to traditional, kinetic attacks. Count on Vlad to remind us.
  • Apparently folks are still using MOVEit for file transfer? Yikes – another set of issues and critical vulnerabilities recently hit and sparked fears in this tool.
  • We’ve seen TeamViewer used for years by adversaries as an alternative to RDP or VNC – not due to the company’s malfeasance, but the ease with which anyone can deploy it. What happens when the company who makes it is compromised?
  • In a bid to re-enter the market with a splash, the threat actor and RaaS group Conti is rebranding itself as BlackSuit, and has begun hitting victims with a vengeance.
  • A new threat actor Unfurling Hemlock is dropping the kitchen sink equivalent of malware on victims. In what is called a ‘malware cluster bomb’, a nested doll of badness is certainly offering options. While most threat actors have multiple paths and persistence plans in place, this takes it to an extreme.

Conclusion

The Snowflake predicament and identity exposures are a stark reminder that in 2024, protecting your data means more than just securing your own systems. As attackers continue to shift focus to data theft, it’s time for organizations to take an honest look at where their data is housed and what protections are in place. Otherwise, you might find your stolen data being sold to the highest bidder – even if that bidder is you. We as a security and systems industry need to come up with a new way of doing things – because this isn’t working.

Stay vigilant, folks, and remember: we’re all in this together. Have a great week, and be sure to comment below on the new focused approach!