Snowflake’s customer breaches make 2024 the year of the identity siege

Identities are bestsellers on the dark web, proving to be the fuel that drives billions of dollars of fraud every year. Breaches at Santander, TicketMaster, Snowflake, and most recently Advance Auto Parts, LendingTree, and its subsidiary QuoteWizard show how quickly attackers refine their tradecraft to prey on organizations’ security weaknesses. TechCrunch has verified that hundreds of Snowflake customer passwords found online are linked to information-stealing malware. Snowflake’s decision to make multi-factor authentication (MFA) optional instead of required contributed in part to the siege of identities its breached customers are experiencing today.

Cybercrime gangs, organizations and nation-states are so confident in their ability to execute identity breaches that they are allegedly interacting with cybercrime intelligence providers over Telegram to share the details. The latest incident that reflects this growing trend involves cybercrime intelligence provider Hudson Rock publishing a detailed blog post on May 31 describing how threat actors successfully breached Snowflake, claiming to have had a Telegram conversation with the threat actor who also breached Santander Bank and TicketMaster.

Their blog post, since taken down, explained how the threat actor was able to sign into a Snowflake employee’s ServiceNow account using stolen credentials to bypass Okta. Once inside Snowflake’s systems, the blog post alleges, attackers generated session tokens that enabled them to move through Snowflake’s systems undetected and exfiltrate massive amounts of data.

Single-factor authentication is an attack magnet

Snowflake configures its platform with single-factor authentication by default. Its documentation states that “by default, MFA is not enabled for individual Snowflake users. If you wish to use MFA for a more secure login, you must enroll using the Snowflake web interface.” CrowdStrike, Mandiant and Snowflake found evidence of a targeted campaign directed at users who have single-factor authentication enabled. According to a June 2nd community forum update, threat actors are “leveraging credentials previously purchased or obtained through infostealing malware.” CISA has also issued an alert for all Snowflake customers.

Snowflake, CrowdStrike and Mandiant found that the attackers had obtained a former Snowflake employee’s personal credentials to access demo accounts. The demo accounts did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. Access occurred because the demo account was not behind Okta or multi-factor authentication (MFA), unlike Snowflake’s corporate and production systems. Snowflake’s latest community forum update claims there is no evidence suggesting the customer breaches are caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.

Tens of millions are facing an identity security nightmare

Up to 30 million Santander banking customers’ credit card and personal data were exfiltrated in one of the largest breaches in the bank’s history. Five hundred sixty million TicketMaster users also had their data exfiltrated during a separate breach targeting the entertainment conglomerate. The stolen data set includes customer names, addresses, emails, phone numbers, and credit card details. Threat actors ShinyHunters took to the revived BreachForums hacking forum the FBI had previously shut down, offering 560 million TicketMaster customers’ data for $500,000…

Read full source: VentureBeat

By Louis Columbus