Snowflake Cloud Accounts Felled by Rampant Credential Issues

June 10, 2024 at 05:48PM

Mandiant’s investigation confirmed that recent account compromises at Snowflake were due to customers’ failure to implement multifactor authentication (MFA) and access control. Attackers systematically accessed accounts using stolen credentials obtained elsewhere. Compromised accounts’ data was extorted or sold on cybercrime forums. MFA implementation and stronger authentication methods are recommended to prevent such compromises.

Key takeaways from the article:

1. Account compromises at Snowflake were caused by a failure to implement multifactor authentication (MFA) and proper access control by customers.

2. UNC5537, a financially motivated threat actor, systematically accessed accounts of at least 165 Snowflake customers using valid account credentials obtained elsewhere.

3. Compromised credentials were the sole factor leading to unauthorized access, rather than a breach of Snowflake’s enterprise environment.

4. Many compromised credentials were obtained from spy Trojans installed on contractor systems and were available for sale on the Dark Web.

5. Some compromised credentials had not been rotated for several years, indicating a lack of regular credential updates.

6. The compromised accounts did not require MFA, and network allow lists were not used to limit access to trusted locations.

7. Mandiant recommends implementing MFA and best practices such as using zero-trust models and limited allow lists to control access to cloud data.

8. The compromised Snowflake accounts likely made an attractive target due to the valuable and sensitive information they store.

9. The compromised accounts were used for extortion or sold through underground forums.

10. The threat actor also targeted non-Snowflake customers over at least the past six months.

11. Security experts emphasize the need to move past relying solely on passwords and implement stronger forms of authentication, as well as to monitor for credential stuffing and implement two-factor authentication.
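Takeaways 5, 6 and 7 describe the three controls that were missing: a login allow list, MFA, and credential rotation. The following Snowflake SQL is an added example (not code from the article, Mandiant, or Snowflake's own guidance) showing how an account administrator would put the allow list in place and then hunt for the exposed conditions. It assumes the ACCOUNTADMIN role, the real `SNOWFLAKE.ACCOUNT_USAGE` views `LOGIN_HISTORY` and `USERS`, and a placeholder CIDR (`203.0.113.0/24`) standing in for a real corporate egress range; the policy name `corp_only_policy` is an assumed name.

```sql
-- Added example, not from the article. Assumes ACCOUNTADMIN and the
-- SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY / USERS views.

-- 1. Network allow list: only trusted egress ranges may authenticate.
--    203.0.113.0/24 is a documentation placeholder; substitute your own range.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate/VPN egress may log in';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Detection: successful password-only logins (no second factor) in the
--    last 30 days. Each row is a user/IP pair that a stolen password alone
--    would have been enough to reach.
SELECT user_name,
       client_ip,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip
ORDER  BY logins DESC;

-- 3. Hygiene: active users whose password has not been rotated in a year.
--    The article notes some credentials had gone years without rotation.
SELECT name,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS days_since_rotation
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  password_last_set_time < DATEADD('day', -365, CURRENT_TIMESTAMP())
ORDER  BY days_since_rotation DESC;
```

Run the two SELECT statements before applying the network policy so that any service account legitimately connecting from outside the allow list is found and given its own policy first; the ACCOUNT_USAGE views lag live activity by up to a couple of hours, so treat the results as a baseline rather than a real-time alert.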
