Really concise report. Simple and easily articulated.
Rohit - A 3rd Snowflake breach, AT&T, after Ticketmaster and Santander - https://uk.pcmag.com/security/153255/att-nearly-all-customer-phone-text-records-leaked-one-arrest-made
Wow, this is big considering that it impacts nearly all the customers. Just when we thought it's over, it's back.
Remember initially there were 400 companies reported, which fell to 165, of which only 3 have been disclosed. The rest might be coming out slowly.
Based on this article it seems a Belarusian contractor was breached, which led to the company accounts being breached rather than the threat actor breaching these companies individually: https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/
Also, initial publications mentioned 400 customer accounts affected, but now it seems to have fallen to 165.
Yeah, I came across this report while writing this blog. This is the initial version shared by the threat actor and it's disputed. Following this, Snowflake hired CrowdStrike and Mandiant for an independent assessment. They discovered that ALL the breached customers lacked MFA. According to Mandiant's statement: "Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials".
https://duo.com/decipher/mandiant-165-snowflake-customers-potentially-exposed-in-wider-campaign
Thanks, Rohit, for the clarity. If this is the case, were all these companies that were breached reusing the same credentials from different accounts on their Snowflake accounts too? How else would the credentials discovered by the infostealer malware be used in Snowflake instances? Additionally, it seems that these companies had lax endpoint detection and protection controls in place, allowing users to download malware and run it without detection? Failure on multiple levels for 165 to 400 companies is shocking, right?
You bring up great points, thank you! IMO, it need not necessarily be a credential reuse scenario. For example, apart from stealing creds from browser or system apps, infostealers can also record keystrokes and steal credentials when they are entered in particular sites. So, after infecting the endpoint, the infostealer malware can specifically monitor for credentials entered into, say, the Snowflake site and exfil them. This could be a possible explanation (although I don't have enough details to confirm).
Regarding failure of EDR software, you're right. It's very wide. One other interesting insight here is that the majority of those initially compromised endpoints belonged to contractors/vendors. Lack of sufficient enforcement controls on vendors' laptops (and visibility into them) also contributed to this widespread attack.
Thanks, Rohit, I've learnt a lot in our short interaction. Thank you.
You're welcome and I enjoyed this chat too. Thanks for sharing your thoughts!