A new report released today by Cisco Talos is warning of the implications of the recent Snowflake Inc.-related cloud data platform breach and how the comprised accounts highlight the vulnerabilities inherent in cloud environments.

The Snowflake breach involved attackers using stolen login credentials to infiltrate customer accounts. The credentials were not protected by multifactor authentication, allowing the attackers to steal sensitive information. However, Cisco Talos makes the argument that the incident is not just about Snowflake but indicates a broader shift in cyberthreats, focusing on identity and compromised credentials.

The criminal threat landscape has transformed rapidly, going from fragmented groups of hackers seeking credit card numbers and sending spam, to today, when sophisticated syndicates make billions through ransomware and data extortion. As the Cisco Talos researchers note, the money being brought in through ransomware and data extortion has seen every “trying to grab a piece of the pie.”

The key to gaining access in many recent attacks has been the use of infostealers, which were at the core of how hackers gained access to Snowflake customer accounts. That’s a notable shift in focus by hackers to compromised, legitimate credentials.

None of that is particularly new, but where the report gets interesting is that the researchers note that many defenders think the infostealers landscape is a monolith with individual actors compromising victims and gathering credentials, but the truth is these are highly organized, widely distributed campaigns.

The report details how groups have congregated online in Telegram chat rooms where credentials are sold by the thousands or tens of thousands. The threat actors operate large-scale campaigns, gathering, vetting and organizing the credentials they harvest before selling them to the highest bidder. The ecosystem includes tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.

As part of its research, Cisco Talos has sat in the channels being used by attackers and has observed thousands of personal credentials for services provided by companies such as Google LLC, Facebook and Netflix Inc. posted for free as a teaser to the more significant services on offer.

For a fee, actors can gain timed access to a repository of credentials to search and use freely. The cost to access these tools varies, but it’s noted that considering a compromised set of enterprise credentials could result in a multimillion-dollar ransom, it’s not a big price to pay.

To mitigate risks similar to those highlighted by the Snowflake breach, the researchers recommended that organizations adopt proactive security measures, including comprehensive multifactor authentication across all critical data repositories. Regular audits should be conducted to ensure that all external data houses support MFA and have proper configurations and logging capabilities.

In the event that an infostealer infection is detected, swift action is crucial and defenders must assume that all credentials on the affected system are compromised. Organizations must act quickly to reset passwords and ensure that compromised credentials cannot be used to access critical data.

In addition, the report recommends that organizations must do more to secure passwords, such as providing users with trusted mechanisms for storing passwords securely rather than relying on web browsers. Enhancing visibility and monitoring for non-MFA protected accounts is also noted as being critical. Organizations are advised to apply increased scrutiny to these accounts and promptly investigate any security alerts generated from them.

Image: SiliconANGLE/Dall-E 3