Snowflake’s customer breaches make 2024 the year of the identity siege

Identities are best-sellers on the dark web, proving to be the fuel that drives billions of dollars of fraud every year. Breaches on SantanderTicketMasterSnowflake, and most recently, Advanced Auto PartsLendingTree, and its subsidiary QuoteWizard show how quickly attackers refine their tradecraft to prey on organizations’ security weaknesses. TechCrunch has verified that hundreds of Snowflake customer passwords found online are linked to information-stealing malware. Snowflake’s decision to make multi-factor authentication (MFA) optional instead of required contributed in part to the siege of identities their breached customers are experiencing today.

Cybercrime gangs, organizations and nation-states are so confident in their ability to execute identity breaches that they’re allegedly interacting with cybercrime intelligence providers over Telegram to share the details. The latest incident that reflects this growing trend involves cybercrime intelligence provider Hudson Rock publishing a detailed blog post on May 31 detailing how threat actors successfully breached Snowflake, claiming to have had a Telegram conversation with the threat actor who also breached Santander Bank and TicketMaster.

Their blog post, since taken down, explained how the threat actor was able to sign into a Snowflake employee’s ServiceNow account using stolen credentials to bypass OKTA. Once inside Snowflake’s systems, the blog post alleges attackers generated session tokens that enabled them to move through Snowflake’s systems undetected and exfiltrate massive amounts of data.

Single-factor authentication is an attack magnet

Snowflake configures its platform with single-factor authentication by default. Their documentation states that “by default, MFA is not enabled for individual Snowflake users. If you wish to use MFA for a more secure login, you must enroll using the Snowflake web interface.” CrowdStrikeMandiant and Snowflake found evidence of a targeted campaign directed at users who have single-factor authentication enabled. According to a June 2nd community forum update, threat actors are “leveraging credentials previously purchased or obtained through infostealing malware.” CISA has also issued an alert for all Snowflake customers.

Snowflake, CrowdStrike and Mandiant found that the attackers had obtained a former Snowflake employee’s personal credentials to access demo accounts. The demo accounts didn’t contain sensitive data and weren’t connected to Snowflake’s production or corporate systems. Access happened because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems. Snowflake’s latest community forum update claims there’s no evidence suggesting the customer breaches are caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.

Tens of millions are facing an identity security nightmare

Up to 30 million Santander banking customers’ credit card and personal data were exfiltrated in one of the largest breaches in the bank’s history. Five hundred sixty million TicketMaster customers also had their data exfiltrated during a separate breach targeting the entertainment conglomerate. The stolen data set includes customer names, addresses, emails, phone numbers, and credit card details. Threat actors ShinyHunters took to the revived BreachForums hacking forum the FBI had previously shut down, offering 560 million TicketMaster customers’ data for $500,000…

Read full source: VentureBeat

By Louis Columbus