It is possible that the ShinyHunter hackers did not directly hack the EPAM worker and simply gained access to Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by information thieves. But, as Reddington points out, this means that anyone else can examine those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different data thieves to collect data from EPAM workers’ machines. This raises potential concerns about the security of data belonging to other EPAM customers.
EPAM has customers in a variety of critical industries, including banking and other financial services, healthcare, transmission networks, pharmaceuticals, energy and other utilities, insurance, and software and high technology; the latter clients include Microsoft, Google, Adobe and Amazon Web. Services. However, it is unclear if any of these companies have Snowflake accounts that EPAM workers have access to. WIRED was also unable to confirm whether Ticketmaster, Santander, Lending Tree or Advance AutoParts are EPAM customers.
The Snowflake campaign also highlights the growing security risks from third-party companies in general and data thieves. In its blog post this week, Mandiant suggested that several contractors were breached to gain access to Snowflake accounts, noting that the contractors, often known as business process outsourcing (BPO) companies, are a mine of Potential gold for hackers, because compromising the machine of a contractor who has access to multiple client accounts can give them direct access to many client accounts.
“Contractors that customers hire to help them use Snowflake may use personal and/or unmonitored laptops that exacerbate this initial entry vector,” Mandiant wrote in its blog post. “These devices, which are often used to access the systems of multiple organizations, present a significant risk. “If compromised by data-stealing malware, a single contractor’s laptop can facilitate access by threat actors in multiple organizations, often with administrator- and IT-level privileges.”
The company also highlighted the growing risk from data thieves, noting that most of the credentials hackers used in the Snowflake campaign came from data repositories previously stolen by various data thieves campaigns, some of which dated back to to 2020. “Mandiant identified hundreds of Snowflake customer credentials exposed through data thieves since 2020,” the company said.
This, accompanied by the fact that the targeted Snowflake accounts did not use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.
Snowflake CISO Brad Jones recognized last week that the lack of multi-factor authentication allowed the breaches. In a phone call this week, Jones told WIRED that Snowflake is working to give its customers the ability to require users of their accounts to employ multi-factor authentication in the future, “and then we’ll look in the future to (do) authentication default”. Ministry of Foreign Affairs,” she states.
