Breaches – ThreatDown by Malwarebytes

Snowflake “breach” looks like 165 individual incidents
Pieter Arntz · 2024-06-12 · via Breaches – ThreatDown by Malwarebytes

After an investigation, Snowflake has concluded that recent data leaks were not caused by a vulnerability or breach of its systems.

Cloud services provider Snowflake has posted information on its forums about “a targeted threat campaign against some Snowflake customer accounts,” in which the company maintains that this activity was not caused by a vulnerability, misconfiguration, or breach of its product.

For details, Snowflake points to research by Google’s Mandiant, which found that one cybercriminal obtained access to multiple organizations’ Snowflake customer instances using stolen customer credentials.

Mandiant identified that the threat actor used Snowflake customer credentials that had previously been exposed by several infostealer malware families, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER. These credentials were primarily harvested from infected systems not owned by Snowflake. Mandiant says it has identified hundreds of Snowflake customer credentials obtained this way since 2020.

Another remarkable detail in the analysis is that, in several cases, the initial infostealer infection occurred on contractor systems that were also used for personal activities, including gaming and downloading pirated software.

Mandiant attributes the attacks to a financially motivated group it calls UNC5537. We think it’s likely that this group is represented by the data seller posting under the handle Sp1d3r, which we have seen offering data sets for sale that are associated with the campaign targeting Snowflake customers.

The investigation’s preliminary findings are:

  • Threat actors used credentials purchased or obtained through info-stealing malware.
  • It appears to be a targeted campaign directed at users with single-factor authentication.
  • It wasn’t a vulnerability, misconfiguration, or breach of Snowflake’s platform.
  • It didn’t use credentials taken from current or former Snowflake personnel.
  • A threat actor did use a former Snowflake employee’s personal credentials to access demo accounts. Snowflake says demo accounts are not connected to its production or corporate systems.

What baffles me is this advisory statement from Snowflake:

We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts.

At this point, it’s time to say MFA should have been mandatory, not a customer choice. It is not just the first step to becoming NIS2 compliant. Given the sophistication of modern-day cyberattacks and the cyber-arsenal available at an attacker’s fingertips, reliance on user-chosen passwords as a reliable form of defense must end.
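The two controls Snowflake names above, a network policy and mandatory MFA for privileged accounts, together with a query over the account’s own login history for the single-factor logins this campaign targeted, written here as an added example (not code from the article, Snowflake or Mandiant). The policy names and the allowed address range are hypothetical placeholders, and the authentication-policy statements assume an account where that feature is available.

```sql
-- Added example: Snowflake SQL, run with a role holding ACCOUNTADMIN or SECURITYADMIN.
-- Policy names and the allowed network range are hypothetical placeholders.

-- 1. Network policy: accept logins only from the corporate egress range.
--    203.0.113.0/24 is a documentation range standing in for the real one.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict console and driver logins to corporate egress addresses';

-- Applied account-wide, so a password lifted by an infostealer cannot be
-- replayed from a network the organisation does not control.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. Authentication policy: every password-based user must enrol in MFA.
--    Assumes authentication policies are available on this account.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Single-factor password logins are no longer accepted';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Detection: successful logins in the last 30 days that presented only a
--    password and no second factor. These are the accounts the campaign could
--    abuse; review any CLIENT_IP outside the expected range and any client
--    type the user does not normally use.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;
```

The ACCOUNT_USAGE views lag live activity by up to a couple of hours, so the query suits a scheduled daily review rather than real-time alerting.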

It’s even debatable if every form of MFA is sufficient to protect important accounts like these. As we have seen, modern phishing kits are quite capable of intercepting and using some types of second factors, such as codes sent by SMS or generated by apps. Capturing a code entered by a user is just as easy as capturing a password entered by a user.

If the targets are important enough, cybercriminals can afford to invest in tools, methodology, and time. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations.