A group of cybercriminals known as UNC5537 has been on a tear.
Over the past month, the group, which is likely linked to ShinyHunters or Scattered Spider, stole more than 560 million customer records from Ticketmaster and posted them for sale on the reconstituted leak site BreachForums on May 28, asking $500,000. Two days later, the group claimed to have stolen account records for 30 million customers of Spain-based Santander Bank and demanded $2 million. Both companies confirmed the breaches after the posts.
The Ticketmaster theft, and at least 163 other breaches of organizations whose data sat in the Snowflake cloud data platform, appear to have been caused not by a security vulnerability but by the use of stolen credentials and weak controls over multifactor authentication (MFA), according to a June 10 analysis by Google-owned incident response firm Mandiant.
“The Mandiant investigation found no evidence to suggest that unauthorized access to Snowflake customer accounts arose from a breach of Snowflake’s enterprise environment,” Mandiant said in its analysis. “Instead, every incident Mandiant responded to related to this campaign was traced back to compromised customer credentials.”
While MFA would have blocked the theft of data from the customers' Snowflake accounts, the companies' failures go beyond the lack of that single control. Companies using cloud services need a clear view of their attack surfaces, must promptly remove the accounts of former employees and contractors, and should minimize the ways opportunistic attackers can compromise systems, networks, or services, says Chris Morgan, senior cyber threat intelligence analyst at cloud-native security platform provider ReliaQuest.
“The biggest lesson learned is that threat actors don't need to use sophisticated technologies,” he says. “Targeting low-hanging fruit — in this case, insecure credentials — can be accomplished with little effort on the threat side but presents significant opportunities.”
Here are five lessons from the latest wave of cloud breaches.
1. Start with MFA and move further
There is plenty of room for growth in MFA adoption. While 64% of employees and 90% of administrators used MFA, according to a report issued a year ago, more than six in 10 organizations have at least one root or administrator user without MFA enabled on the account, according to the “2024 State of the Cloud Report” by Orca Security.
Companies need to get to 100% consistent, verifiable MFA coverage, says Ofer Maor, co-founder and chief technology officer at cloud security company Mitiga.
Companies should “make sure MFA is enforced and necessary, and if you're using single sign-on, make sure you disable logging in without single sign-on,” he says. “Go beyond traditional multi-factor authentication (MFA) and turn on additional security measures, such as device-based (or hardware) authentication for sensitive infrastructure.”
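The three settings Maor describes (MFA required, no password login outside SSO, a stronger non-interactive factor for sensitive accounts) map onto Snowflake's authentication-policy objects. The SQL below is an added example written for this page, not code from the article, from Mandiant, or from Snowflake's own guidance; it assumes the authentication-policy feature is available in the account, and the policy names REQUIRE_MFA_HUMANS and KEYPAIR_ONLY_SERVICE, the service user ETL_SVC, and the EXT_AUTHN_DUO column used for the audit are assumptions to check against your own release's documentation.

```sql
-- Added example: audit MFA coverage, then enforce it. Policies are schema-scoped
-- objects, so run this from a dedicated administration schema with ACCOUNTADMIN.

-- 1. Audit: active users who can still log in with a password but have no MFA enrolled.
--    (Assumption: EXT_AUTHN_DUO is the enrolment flag in ACCOUNT_USAGE.USERS; the
--    view lags live state by up to a couple of hours.)
SELECT name,
       login_name,
       has_password,
       ext_authn_duo      AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Enforce for people. Password logins must enrol in MFA; SAML users get their
--    second factor at the IdP. Removing 'PASSWORD' from AUTHENTICATION_METHODS is
--    the "disable logging in without single sign-on" setting.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_humans
  AUTHENTICATION_METHODS     = ('SAML', 'PASSWORD')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED   -- CLIENT_TYPES must then include SNOWFLAKE_UI
  CLIENT_TYPES               = ('ALL')
  COMMENT = 'Humans: SAML via the IdP, or password plus Snowflake MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_humans;

-- 3. Service accounts cannot answer an MFA prompt, so replace the password with a
--    key pair and restrict them to driver connections. A user-level policy
--    overrides the account-level one for that user only.
CREATE AUTHENTICATION POLICY IF NOT EXISTS keypair_only_service
  AUTHENTICATION_METHODS = ('KEYPAIR')
  CLIENT_TYPES           = ('DRIVERS', 'SNOWSQL')
  COMMENT = 'Service accounts: key pair only, no password';

ALTER USER etl_svc SET AUTHENTICATION POLICY keypair_only_service;
ALTER USER etl_svc UNSET PASSWORD;   -- remove the credential type this campaign relied on

-- 4. Verify what is actually in force.
SHOW AUTHENTICATION POLICIES;
DESCRIBE AUTHENTICATION POLICY require_mfa_humans;
```

Run step 1 again after the policies are bound: a user who still appears there can log in with a password but will now be forced through MFA enrolment on the next web login, while a service account that keeps a password despite step 3 is a misconfiguration worth an alert of its own.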
2. Use access control lists to limit approved IP addresses
Organizations should also put access control lists (ACLs) in place that limit which IP addresses can reach the cloud service, or at least enable access logging and review the logs daily for anomalies.
That also limits what attackers can do, says Jake Williams, faculty analyst at IANS Research and a cybersecurity practitioner.
“In fact, for almost any cloud infrastructure … it's a best practice to restrict the IP addresses that people can connect from,” he says. “If you can't, access reviews are even more important to make sure people aren't coming from a place you don't expect.”
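Williams's two options, restrict source IPs or at least review where logins come from, look like this on Snowflake. This is an added example for this page, not code from the article or from IANS; the address ranges are RFC 5737 documentation addresses standing in for real corporate egress, and the policy names CORP_ONLY and ETL_VPC_ONLY and the user ETL_SVC are invented for the illustration.

```sql
-- Added example: baseline login sources, then pin the account to an allowlist.

-- 1. Baseline first: where have successful logins come from in the last 30 days?
--    Anything here that is not corporate egress, the VPN, or a known VPC NAT is
--    either a gap in the allowlist or an existing compromise.
SELECT client_ip,
       COUNT(*)                  AS logins,
       COUNT(DISTINCT user_name) AS users,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
GROUP  BY client_ip
ORDER  BY logins DESC;

-- 2. Account-wide allowlist. Snowflake checks that the address you are connecting
--    from is allowed before it applies an account-level policy, but look first
--    rather than discover the lockout the hard way.
SELECT CURRENT_IP_ADDRESS();

CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/25')  -- office egress + VPN (assumed)
  BLOCKED_IP_LIST = ('203.0.113.250')                       -- guest Wi-Fi NAT inside that range
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 3. A service account gets a tighter, user-level policy: only its own VPC NAT address.
CREATE NETWORK POLICY IF NOT EXISTS etl_vpc_only
  ALLOWED_IP_LIST = ('192.0.2.17');

ALTER USER etl_svc SET NETWORK_POLICY = etl_vpc_only;

-- 4. The daily review Williams describes. Logins rejected by the policy land in
--    LOGIN_HISTORY with IS_SUCCESS = 'NO'; a burst from one address against many
--    users is credential stuffing against you, not background noise.
SELECT event_timestamp, user_name, client_ip, error_code, error_message
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'NO'
  AND  event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;
```

The ordering matters: if you apply step 2 before running step 1 you will block the legitimate third-party integrations that show up in the baseline, which is the same lesson as the section on third parties below.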
3. Maximize visibility into cloud services
Businesses also need a practical way to continuously monitor their cloud applications. Logging, access-activity records, and services that aggregate those sources into a complete picture help companies detect and stop attacks like the one that hit Snowflake's customers.
In addition, organizations need to be able to alert on specific behavior and detect threats, an approach that would have caught the cybercriminals' attempts to access their cloud data, says Brian Soby, CTO and co-founder of AppOmni, a SaaS security posture management provider.
“Although security operations teams are spread thin and generally don't have the opportunity to develop deep expertise in the different applications their companies use, their security tools and platforms should have identified these issues quickly,” he says. “In this scenario, there were definitely anomalous logins from unusual locations and highly questionable attacker applications connecting to customers' Snowflake instances.”
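Soby names two signals, anomalous logins from unusual locations and unfamiliar applications connecting to the instance; the third natural one for a data-theft campaign is the bulk read itself. The queries below, against Snowflake's ACCOUNT_USAGE views, are an added example for this page, not code from the article, from AppOmni, or from any vendor's published hunting queries. The approved client-application patterns, the 30-day baseline window, and the 1,000,000-row threshold are assumptions to tune to your own estate, and the views lag live activity by up to about two hours.

```sql
-- Added example: three detection queries for the signals described above.

-- 1. Successful logins from an address this user has not used in the preceding
--    30 days, restricted to logins that had no second factor (password only).
WITH baseline AS (
    SELECT DISTINCT user_name, client_ip
    FROM   snowflake.account_usage.login_history
    WHERE  is_success = 'YES'
      AND  event_timestamp >= DATEADD(day, -37, CURRENT_TIMESTAMP())
      AND  event_timestamp <  DATEADD(day, -7,  CURRENT_TIMESTAMP())
)
SELECT l.event_timestamp, l.user_name, l.client_ip,
       l.reported_client_type,
       l.first_authentication_factor,
       l.second_authentication_factor
FROM   snowflake.account_usage.login_history l
LEFT   JOIN baseline b
       ON b.user_name = l.user_name AND b.client_ip = l.client_ip
WHERE  l.is_success = 'YES'
  AND  l.event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  b.client_ip IS NULL                       -- never seen for this user
  AND  l.second_authentication_factor IS NULL    -- no MFA on this login
ORDER  BY l.event_timestamp DESC;

-- 2. Sessions opened by client applications outside the approved set.
--    (Assumption: these ILIKE patterns are the tools your teams actually use.)
SELECT s.created_on, s.user_name, s.client_application_id,
       s.client_application_version, s.authentication_method, l.client_ip
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  NOT ( COALESCE(s.client_application_id, '') ILIKE 'Snowflake UI%'
          OR COALESCE(s.client_application_id, '') ILIKE 'SnowSQL%'
          OR COALESCE(s.client_application_id, '') ILIKE 'PythonConnector%'
          OR COALESCE(s.client_application_id, '') ILIKE 'JDBC%' )
ORDER  BY s.created_on DESC;

-- 3. Bulk reads that look like staging for exfiltration: unloads to stages, or
--    single statements returning more than a fixed row threshold (assumed 1M;
--    a per-user baseline is better once you have one), with the client that ran them.
SELECT q.start_time, q.user_name, q.role_name, q.query_type,
       q.rows_produced, q.bytes_scanned, s.client_application_id,
       LEFT(q.query_text, 120) AS query_snippet
FROM   snowflake.account_usage.query_history q
LEFT   JOIN snowflake.account_usage.sessions s
       ON s.session_id = q.session_id
WHERE  q.start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  ( q.query_type = 'UNLOAD' OR q.rows_produced > 1000000 )
ORDER  BY q.rows_produced DESC NULLS LAST;
```

Queries 1 and 2 join on the same user, so a hit in both (new address, unknown client, no MFA) is the pattern Soby says the tooling should have flagged. Because ACCOUNT_USAGE is delayed, a SOC wanting something closer to real time would schedule these as Snowflake tasks or run the equivalent INFORMATION_SCHEMA table functions, which expose the last seven days with much lower latency.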
4. Don't rely on your cloud providers' default settings
While cloud providers like to emphasize that security is a shared responsibility, unless an attacker compromises the provider's own infrastructure or software (as with last year's vulnerabilities in Progress Software's MOVEit Cloud service and MOVEit Transfer software), the responsibility in practice lies with the customer.
Cloud providers often prioritize usability over security, however, so companies should not rely on providers' default settings to be secure. Mitiga's Maor says there was a lot Snowflake could have done to make MFA easier to manage, including turning the control on by default.
“What enables this attack to succeed, at this scale, is that the default setup for Snowflake accounts does not require MFA, which means that once you have a compromised username and password, you can get full access immediately,” he says. “Typically, highly sensitive platforms require users to enable MFA. Snowflake not only doesn't require MFA but makes it very difficult for administrators to enforce it.”
5. Check your third parties
Finally, companies should also note that — even if they're not using Snowflake or another cloud service — a third-party provider may be using the service on their back end, putting their data at risk, says IANS Research's Williams.
“Your data may be in Snowflake, even if you're not using it,” he says. “These are the complexities of today’s supply chains… You provide your data to a third-party service provider, who then puts it into Snowflake and may or may not be using best practices.”
Williams says organizations should communicate with all providers that have access to their data and ensure they take appropriate steps to protect that information.