
Lessons from the Snowflake Attack

It appears, at least for now, that the breaches affecting Snowflake customers, including 560 million users at Ticketmaster and 30 million accounts at Santander Bank among roughly 163 other companies, were not caused by an underlying weakness in, and resulting compromise of, Snowflake's own systems.

This is not Snowflake saying this, it is Google Mandiant saying it, so that carries a whole lot more confidence.

So, what did happen?

Mandiant says that every incident it responded to in this attack campaign was traced back to ... compromised user credentials.

Mandiant says the attack started on April 14th and targeted accounts that did not have proper MFA.

They also said that some of the accounts were compromised years ago. (Note: this is why monitoring the dark web is so important. If you find your credentials there, you can respond before they are sold. Contact us about dark web monitoring.)

The credentials they found were stolen by a variety of malware, including Lumma, Meta, Raccoon Stealer, Redline, RisePro and Vidar.

They also said that, in addition to lacking MFA and using credentials that were stolen years ago, the compromised companies lacked network allow lists (an allow list restricts access to the customer's instance to approved networks only, so a stolen password used from an unknown network is rejected).
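Those two missing controls are ordinary Snowflake configuration. The statements below are an added example, not code from the post or from Snowflake; the policy name and the CIDR are placeholders, and the audit query assumes the standard ACCOUNT_USAGE.LOGIN_HISTORY view.

```sql
-- Added example (not from the post): the two controls Mandiant says the
-- victims lacked, expressed as Snowflake SQL. Names below are placeholders.

-- 1. Network allow list: only the corporate egress range may reach the account.
--    203.0.113.0/24 is a constructed placeholder; use your real egress CIDRs.
--    (Snowflake refuses to apply the policy if your current IP is not in it.)
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');

-- Apply account-wide; individual service users can get narrower policies
-- with ALTER USER ... SET NETWORK_POLICY.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Audit: which users still sign in with a single factor?
--    Every row is a password-only login that a years-old stolen credential
--    could reproduce; these users are the ones to enrol in MFA first.
SELECT user_name,
       client_ip,
       first_authentication_factor,
       MAX(event_timestamp) AS last_login
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name, client_ip, first_authentication_factor
ORDER  BY last_login DESC;
```

Run the audit query before enabling the network policy as well: any client_ip that is not inside your planned allow list is either an unexpected access path or an attacker already using a stolen credential.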

Mandiant says that the hackers stole buckets of data and are having a fine time extorting those companies.

In addition to Ticketmaster and Santander, other companies potentially compromised due to poor security practices are Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive and State Farm.

There are several simple lessons here. Companies that learn from these lessons are much less likely to be compromised. Need help? Please contact us. Credit: Security Week
