It’s possible the ShinyHunters hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by infostealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises possible concerns about the security of data belonging to other EPAM customers.
EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.
The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the device of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.
“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”
The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.
This, combined with the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.
Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says.
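Until an account-wide MFA mandate is available, the practical check a Snowflake administrator can run today is to find which users have no MFA enrolled and which recent logins succeeded with a password alone, since that is exactly the footprint an infostealer-harvested credential leaves. The queries below are an added example written for this page, not code from the WIRED article, Mandiant, or Snowflake; they assume a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema, use the view and column names as documented there, and treat the 30-day window as an assumption to adjust.

```sql
-- Added example (not from the article or the vendors it quotes): MFA audit
-- queries for a Snowflake account. Run with a role that can read the
-- SNOWFLAKE.ACCOUNT_USAGE schema (e.g. ACCOUNTADMIN). The 30-day window is
-- an assumption; widen it to match your retention and review cadence.

-- 1. Active, non-deleted users who have never enrolled in Duo MFA.
--    These are the accounts a leaked password alone would unlock.
SELECT name,
       email,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used only a password
--    (no second factor, no SSO/key-pair). Review the client IPs and
--    client types against what each user is expected to use; logins from
--    unfamiliar networks or tooling are the ones to investigate first.
SELECT user_name,
       client_ip,
       reported_client_type,
       event_timestamp
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;
```

Query 1 answers "who is exposed"; query 2 answers "has anyone already used a bare password to get in". Because ACCOUNT_USAGE views lag live activity by a period that Snowflake documents per view, schedule these rather than relying on a single ad hoc run, and pair the results with a policy that moves every human user in query 1 onto MFA or an SSO-backed login.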