It’s attainable the ShinyHunter hackers didn’t instantly hack the EPAM employee, and easily gained entry to the Snowflake accounts utilizing usernames and passwords they obtained from outdated repositories of credentials stolen by data stealers. However, as Reddington factors out, which means anybody else can sift by way of these repositories for these and different credentials stolen from EPAM accounts. Reddington says they discovered information on-line that was utilized by 9 totally different infostealers to reap information from the machines of EPAM employees. This raises potential considerations concerning the safety of information belonging to different EPAM prospects.
EPAM has prospects throughout varied important industries, together with banks and different monetary companies, well being care, broadcast networks, pharmaceutical, power and different utilities, insurance coverage, and software program and hi-tech—the latter prospects embody Microsoft, Google, Adobe, and Amazon Net Companies. It’s not clear, nevertheless, if any of those firms have Snowflake accounts to which EPAM employees have entry. WIRED additionally wasn’t in a position to affirm whether or not Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM prospects.
The Snowflake marketing campaign additionally highlights the rising safety dangers from third-party firms generally and from infostealers. In its weblog submit this week, Mandiant instructed that a number of contractors had been breached to realize entry to Snowflake accounts, noting that contractors—usually often known as enterprise course of outsourcing (BPO) firms—are a possible gold mine for hackers, as a result of compromising the machine of a contractor that has entry to the accounts of a number of prospects can provide them direct entry to many buyer accounts.
“Contractors that prospects have interaction to help with their use of Snowflake might make the most of private and/or non-monitored laptops that exacerbate this preliminary entry vector,” wrote Mandiant in its weblog submit. “These gadgets, usually used to entry the programs of a number of organizations, current a major threat. If compromised by infostealer malware, a single contractor’s laptop computer can facilitate menace actor entry throughout a number of organizations, usually with IT and administrator-level privileges.”
The corporate additionally highlighted the rising threat from infostealers, noting that almost all of the credentials the hackers used within the Snowflake marketing campaign got here from repositories of information beforehand stolen by varied infostealer campaigns, a few of which dated way back to 2020. “Mandiant recognized lots of of buyer Snowflake credentials uncovered by way of infostealers since 2020,” the corporate famous.
This, accompanied by the truth that the focused Snowflake accounts didn’t use MFA to additional defend them, made the breaches on this marketing campaign attainable, Mandiant notes.
Snowflake’s CISO, Brad Jones, acknowledged last week that the dearth of multifactor authentication enabled the breaches. In a cellphone name this week, Jones informed WIRED that Snowflake is engaged on giving its prospects the power to mandate that customers of their accounts make use of multifactor authentication going ahead, “after which we’ll be wanting sooner or later to [make the] default MFA,” he says.
Replace 6/17/2024, 5:45 pm EDT: The article was up to date to make clear the main points that Santander has publicly revealed concerning the hack.