Recent data breaches expose vulnerabilities in cloud security. Learn how to protect your data with multi-factor authentication, password rotation, and more.
Last week, the notorious hacker gang ShinyHunters sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million users. With a price tag of $500,000, this colossal breach could expose the personal information of a massive swath of a live event company’s clientele, igniting a firestorm of concern and outrage.
Let’s review the facts: two large organizations announced that they suffered a data breach, identifying unauthorized activity within a third-party cloud database environment. The accessed business records contained critical information on some employees, customers, and other key business data.
The cloud connection
What might link these two breaches is the cloud data company Snowflake, which counts among its users in both organizations. Snowflake did publish a warning with CISA, indicating a “recent increase in cyber threat activity targeting customer accounts on its cloud data platform.” Snowflake recommended that users query the database logs for unusual activity and conduct further analysis to prevent unauthorized user access.
In a separate communique, Snowflake CISO Brad Jones clearly stated that the Snowflake system was not breached. According to Jones, “This appears to be a targeted campaign directed at users with single-factor authentication,” threat actors have previously leveraged credentials obtained through various methods.
Snowflake also listed some recommendations for all customers, like enforcing multi-factor authentication (MFA) on all accounts, setting up network policy rules to allow access to the cloud environment only from pre-set trusted locations, and resetting and rotating Snowflake credentials.
Simplifying cybersecurity
We tend to romanticize cybersecurity – an incredibly difficult and complex discipline in IT. However, not all cybersecurity challenges are equally hard. The guidance offered by Snowflake makes this point: MFA is a must. It is an incredibly effective tool against various cyberattacks, including credential stuffing.
Research done by the cloud security company Mitiga claims the Snowflake incidents are part of a campaign in which a threat actor uses stolen customer credentials to target organizations using Snowflake databases. According to the published research, “the threat actor primarily exploited environments lacking two-factor authentication,” the attacks typically originated from commercial VPN IPs.
Also Read: Lower Fees, Higher Scalability: How LAOS Network Disrupts Digital Asset Tokenization
Policies are only as effective as their implementation and enforcement. Technologies like corporate single sign-on (SSO) and MFA might be in place but not truly enforced across all environments and users. There should be no possibility that users can still authenticate using a username/password outside of SSO to reach any corporate resource. The same is true for MFA: instead of self-enrollment, it should be mandatory for all users across all systems and all environments, including cloud and third-party services.
Are you in full control?
As the old saying goes, there is no cloud – it’s just someone else’s computer. And while you (and your organization) enjoy a lot of access to that computer’s resources, ultimately, that access is never complete, a limitation inherent to cloud computing. Multi-tenant cloud technologies achieve economies of scale by limiting what a single customer can do on that “computer,” which sometimes includes the ability to implement security.
A case in point is automatic password rotation. Modern privileged access management tools like One Identity Safeguard can rotate out passwords after use. This effectively makes them single-use and immunizes the environment against credential stuffing attacks and more sophisticated threats like keyloggers used in the LastPass hack. However, the API that provides this feature needs to be present. Snowflake does provide the interface to update user passwords, so it was on the customer to use it and rotate passwords in a usage-based or time-based manner.
When choosing where to host business-critical data, ensure the platform offers these APIs through privileged identity management. It allows you to bring the new environment under your corporate security umbrella. MFA, SSO, password rotation, and centralized logging should all be fundamental requirements in this threat landscape, as these features allow the customer to protect the data on their end.
The non-human identity
One unique aspect of modern technology is the use of non-human identity as a threat vector. For example, RPA (robotic process automation) tools and service accounts are trusted to perform some tasks on the database. Protecting these identities is an interesting challenge, as out-of-band mechanisms like push notifications or TOTP tokens are not feasible for service account use cases.
Non-human accounts are valuable targets for attackers as they usually have powerful permissions to perform their tasks. Security teams should always prioritize protecting their credentials. Snowflake uses many service accounts to operate the solution and developed a series of blog posts on protecting these accounts and their credentials.
Also Read: Sudhakar Ramakrishna on Innovation, Adaptation, and Future Vision
It’s all about the cost
Cybercriminals’ logic is brutally simple: maximize profit by automating mass attacks and targeting large pools of victims with simple but effective methods. Credential stuffing attacks, like the type used against Snowflake tenants, are one of the cheapest attack methods—the 2024 equivalent of email spam. And in line with its low cost, they should be almost 100% ineffective. The fact that at least two major organizations lost a significant amount of critical data paints a bleak picture of our current state of global cybersecurity.
Conclusion
By implementing simple controls like SSO, MFA, and password rotation, the cost of large-scale attacks becomes prohibitive. While this doesn’t mean targeted attacks won’t succeed or attacks by non-profit advanced persistent threats (APTs) will be completely deterred, it does make mass attacks on this attack vector unfeasible, making everyone a bit safer.
