A recent post by Cisco Talos Intelligence considers the implications of, and the follow-on attacks enabled by, leaked and stolen credentials for the Snowflake cloud data platform, and reminds us that the incident points to a much larger issue. Talos argues that the Snowflake compromise is not an outlier; it is one more entry in a long line of identity and credential-theft incidents.
What happened? Adversaries used Snowflake customer login credentials harvested by information-stealing malware. Because the affected accounts were not protected by multi-factor authentication (MFA), a stolen username and password alone were enough to log in, after which the attackers exfiltrated sensitive data. At the time of writing, over 165 organizations are believed to have been impacted.
What's the larger problem? Infostealers have become a significant threat, and the credentials they siphon are routinely reused for ransomware attacks, data extortion, and business email compromise (BEC). Talos also observes a shift among cyber criminals toward data exfiltration rather than encryption, presumably because organizations have improved their ability to recover from ransomware. MFA is therefore crucial in protecting against these threats, yet its implementation remains inconsistent. Talos emphasizes the need to protect data with MFA, not just assets, especially as more organizations rely on cloud and SaaS platforms where a valid password is the only thing between an attacker and the data store.
To defend against infostealers, Talos' recommendations are “in fact… quite familiar”:
- Implement MFA for all critical data storage
- Conduct audits of external data houses
- Respond urgently to infostealer infections
- Provide vetted password storage solutions for users
- Limit access and increase scrutiny for accounts without MFA
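The last recommendation, limiting access and increasing scrutiny for accounts without MFA, starts with finding those accounts. The queries below are an added example of how to do that in Snowflake itself; they are not from the Talos post or from Snowflake's own guidance. They assume the `SNOWFLAKE.ACCOUNT_USAGE` views `LOGIN_HISTORY`, `USERS` and `GRANTS_TO_USERS` with the column names shown, which you should verify against your account's documentation before relying on them.

```sql
-- Added example, not from the Talos post or from Snowflake.
-- Assumes the ACCOUNT_USAGE views and columns named below; verify them in your
-- account. ACCOUNT_USAGE data lags live activity by up to a couple of hours,
-- so use it for auditing, not for real-time blocking.

-- 1. Successful single-factor (password only) logins in the last 30 days.
--    This is the exposure an infostealer log buys an attacker: a valid
--    password and no second factor. Group by client and source IP so that
--    unfamiliar tooling or addresses stand out.
SELECT
    user_name,
    reported_client_type,
    client_ip,
    COUNT(*)             AS logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, reported_client_type, client_ip
ORDER BY logins DESC;

-- 2. Active users who can authenticate with a password but have no MFA
--    enrolled, with the roles granted to them. Accounts holding privileged
--    roles (ACCOUNTADMIN, SECURITYADMIN, or roles with broad data access)
--    and no MFA are the ones to restrict or force to enroll first.
--    The boolean-like columns are VARIANT in this view, hence the casts.
SELECT
    u.name,
    u.login_name,
    u.last_success_login,
    LISTAGG(g.role, ', ') WITHIN GROUP (ORDER BY g.role) AS granted_roles
FROM snowflake.account_usage.users u
LEFT JOIN snowflake.account_usage.grants_to_users g
       ON g.grantee_name = u.name
      AND g.deleted_on IS NULL
WHERE u.deleted_on IS NULL
  AND NOT u.disabled::boolean
  AND u.has_password::boolean
  AND NOT u.ext_authn_duo::boolean
GROUP BY u.name, u.login_name, u.last_success_login
ORDER BY u.last_success_login DESC NULLS LAST;
```

Run the first query on a schedule and alert on new client types or IP ranges for a user; run the second before and after an MFA enforcement push to measure how many password-capable, MFA-less accounts remain. Service accounts that cannot enroll in MFA should show up in the second query and be moved to key-pair authentication (the `HAS_PASSWORD` filter then drops them) rather than left as password-only exceptions.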
For more, check out Snowflake isn’t an outlier, it’s the canary in the coal mine at Talos Intelligence.
Additional resources on the Snowflake activity: