Pelican Press, posted June 4, 2024

Major breaches allegedly caused by unsecured Snowflake accounts

Significant data breaches at online ticketing platform Ticketmaster and consumer bank Santander appear to be linked to the compromise of unsecured accounts held with cloud data management platform Snowflake, it has emerged over the past few days.

The Ticketmaster breach, confirmed by parent organisation Live Nation, saw the personal details of over 550 million customers stolen, including names, addresses, phone numbers and some credit card details. Santander has seen the data of customers in Spain and Latin America stolen, as well as personal information on some previous and all current employees of the bank, numbering 200,000 people worldwide and about 20,000 in the UK.

Both incidents have been claimed by a group known as ShinyHunters, which also operated the BreachForums site that was recently taken down by police but appears to still be operating with impunity. The cyber criminals are demanding a half-a-million dollar ransom from Ticketmaster and two million dollars from Santander.

Although Snowflake was not explicitly named by either organisation, the firm confirmed it was investigating a “targeted threat campaign” against customer accounts, with assistance from CrowdStrike and Mandiant. In a statement, Snowflake said: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.

“This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

Personal credentials

It additionally confirmed it had found some evidence that a threat actor had obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee, which were not protected by its Okta or multi-factor authentication (MFA) services, but that these accounts were not connected to its production or corporate systems and did not contain any sensitive information.

Snowflake is recommending its customers immediately implement MFA, establish network policy rules to only allow authorised users or traffic from trusted locations, and reset and rotate their credentials. More information, including indicators of compromise, is available from Snowflake.

Disputed claims

Based on Snowflake’s testimony, the issues would appear to have been caused by cyber security failings at its customers. However, its version of events is at odds with other information that has been coming to light over the past few days, much of it contained in a since-deleted blog posted by researchers at Hudson Rock.

Based on a conversation with someone claiming to be a ShinyHunters insider, Hudson Rock said its researchers were told that, contrary to Snowflake’s version, the attackers had actually accessed a Snowflake employee’s ServiceNow account using stolen credentials, bypassing Okta protections and generating session tokens that enabled them to steal its customers’ data directly from Snowflake’s systems.

The threat actor shared information suggesting that at least 400 customers had been compromised through this access, and appeared to suggest they had been looking for a payoff from Snowflake rather than its customers, although it is important to remember that it is never wise to trust the word of a cyber criminal or take their claims at face value.

Identity the vector

Although not a classic example of a supply chain attack, per Snowflake’s reading of events, the incidents at Ticketmaster and Santander hold much in common with other supply chain attacks, including the use of identity compromises as an access vector.

“This year, we have seen a sequence of breaches that have affected major software-as-a-service [SaaS] vendors, such as […], Okta, and now Snowflake,” said Glenn Chisholm, co-founder and chief product officer of Obsidian Security.

“The commonality across these breaches is identity; the attackers are not breaking in, they are logging in,” he said. “In incident response engagements we have seen through partners like CrowdStrike, we see SaaS breaches often starting with identity compromises. In fact, 82% of SaaS breaches stem from identity compromises such as spear phishing, token theft and reuse, helpdesk social engineering, etcetera. This includes user identities as well as non-human (application) identities.”

The lessons for users are clear, said Chisholm. SaaS is a highly targeted space with multiple attacks occurring across the spectrum, from nation state attackers to financially motivated hackers such as ShinyHunters. As such, every company using SaaS products needs to implement a SaaS security programme, or review their existing ones.

“Ensure the correct application posture to minimise risk, protect the identities which form the perimeter of your SaaS applications, and secure their data movement,” said Chisholm. “This must be a continuous programme since your applications evolve, configurations change, identities get introduced and attackers change their patterns. In other words, you need automation to scale this across all your SaaS applications.”

Toby Lewis, head of threat analysis at Darktrace, said that even if no Snowflake systems were directly compromised, the supplier could still have done more to prevent the attacks on its customers.

“Cloud providers should encourage better security practices, such as mandatory MFA, even without explicit requirements on them to do so under the shared responsibility model,” said Lewis. “In essence, it becomes a differentiator when weighing up different cloud providers: pick the one that has secure-by-default practices to enhance overall security.”
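The three controls Snowflake recommends in the article (network policy, MFA, credential rotation), plus an audit for the single-factor logins the campaign targeted, written out as Snowflake SQL. This is an added example, not code from the article or from Snowflake's own guidance; the IP range, the user name alice and the policy names are placeholders, and the authentication-policy syntax assumes that feature is available on the account.

```sql
-- 1. Network policy: only trusted egress ranges may reach the account.
--    203.0.113.0/24 is a documentation range used as a placeholder. Snowflake
--    rejects the ALTER ACCOUNT if the session's own IP is not in the list,
--    so run this from inside the allowed range to avoid locking yourself out.
CREATE NETWORK POLICY IF NOT EXISTS trusted_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Corporate VPN / office egress only';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_egress_only;

-- 2. Require MFA enrolment for every interactive user at the account level.
--    Service accounts that authenticate with key pairs need their own policy
--    (AUTHENTICATION_METHODS including 'KEYPAIR'); this one is for humans.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Rotate credentials for a user whose password may have been harvested by
--    infostealer malware: force a reset and drop any registered key pairs.
ALTER USER alice RESET PASSWORD;
ALTER USER alice UNSET RSA_PUBLIC_KEY;
ALTER USER alice UNSET RSA_PUBLIC_KEY_2;

-- 4. Audit: successful password logins in the last 30 days with no second
--    factor. ACCOUNT_USAGE views lag by up to a couple of hours, so very
--    recent events may not appear yet.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 5. Password-bearing users not enrolled in Snowflake's built-in (Duo) MFA.
--    Users who get MFA from a SAML identity provider show FALSE here too,
--    so cross-check against the IdP before treating a row as a gap.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE;
```

Run the queries in steps 4 and 5 before applying step 1, so that any login source outside the planned allow list is known and explained rather than silently cut off.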