Hackers steal login credentials, leading to ransom demands of up to 5 million USD
On June 2, Snowflake reported a targeted cyberattack. Mandiant, a cybersecurity firm, discovered that the hacker group UNC5537 exploited stolen customer credentials to access the accounts of up to 165 Snowflake customers. The attackers then demanded ransom payments ranging from $300,000 to $5 million from 5-10 of these customers.
Attackers apply pressure with psychological warfare
The breach was made possible by customer accounts that relied on single-factor authentication. With only a password protecting those accounts, the attackers gained unauthorized access and stole data. According to Mandiant, the attackers primarily acquired the stolen login credentials from various infostealer malware campaigns. Variants include VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER, for example.
In several Snowflake-related investigations, Mandiant found that the initial infostealer infection often occurred on contractor systems. These contractor systems were used for both work and personal activities, including gaming and downloading pirated software.
To escalate their tactics, the attackers issued death threats to security analysts. They used psychological tactics such as creating fake derogatory pictures with AI to intimidate cybersecurity professionals.
The stolen data has been auctioned on illegal online forums to pressure target companies into paying ransoms.
Financially motivated criminals and financially penalized victims of the breach
Money is often the driving force behind cyber attacks like the one targeting Snowflake’s customers. For the victims, the financial and reputational implications can be severe. Companies involved may face regulatory scrutiny and fines depending on the nature of the stolen data and their compliance with data protection laws. Other repercussions such as lost trust and reputational damage can be difficult to measure – and repair.
In the aftermath of the Snowflake breach, AT&T was breached as well. According to an AT&T spokesperson, this was a consequence of the customer data stolen in the breach involving Snowflake’s customers. This highlights the interconnectedness of cloud ecosystems, where ripple effects can cause widespread damage.
AT&T reported that cyber attackers breached an AT&T workspace hosted on a third-party cloud platform in April, downloading files that included records of customer calls and text interactions from May 1 to October 31, 2022, and on January 2, 2023. The breach affected data of nearly all AT&T customers.
What does the Snowflake breach mean for Salesforce security?
The Snowflake breach highlights the shared responsibility paradigm in cloud security, where both the service provider and the clients have roles in securing their environments. In the Snowflake incident, it was not the platform that was vulnerable. The cyber risks stemmed from the customer environments.
In dynamic ecosystems like Salesforce, you can’t fully control your users, especially the external ones. In the Snowflake incident, for example, the infostealer infections initially occurred on contractor systems. Similarly on Salesforce, your platform is exposed to threats spreading from your supply chain of partners and customers. Even if your own organization’s security controls are solid, these external users’ security measures are beyond your control. Thus, protecting your environment from supply chain threats is vital.
It’s also worth noting that both infostealer malware threats and your users falling for phishing sites can lead to credential theft. Luckily, both risks are preventable with the right tools.
Following the Snowflake incident, we urge all Salesforce users to enable MFA and maintain robust credential hygiene. To reduce cloud security risks on Salesforce, organizations should improve threat defenses right on the cloud platform, and enforce strict access controls.
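The recommendation above combines two controls: require MFA, and watch for the pattern that stolen infostealer credentials produce, a successful password-only login from somewhere the user has never logged in from. The script below is an added example, not code from the original post or from WithSecure; it runs simple detection logic over constructed records whose field names (UserId, LoginTime, SourceIp, CountryIso, Status, AuthMethodReference) are assumed to resemble a Salesforce LoginHistory export.

```python
"""Flag successful single-factor logins from countries a user has not used before.

Added example. The records are constructed to resemble a Salesforce LoginHistory
export; the field set and every value here are assumptions, not real data.
An empty AuthMethodReference is taken to mean no second factor was presented.
"""
from collections import defaultdict


def rec(user, when, ip, cc, status, mfa):
    """Build one constructed login record (ISO-8601 UTC timestamps)."""
    return {"UserId": user, "LoginTime": when, "SourceIp": ip,
            "CountryIso": cc, "Status": status, "AuthMethodReference": mfa}


# Constructed sample: May logins form the baseline, June logins are assessed.
SAMPLE_LOGINS = [
    rec("u01", "2024-05-01T08:02:00Z", "203.0.113.10", "FI", "Success", "otp"),
    rec("u01", "2024-05-20T09:15:00Z", "203.0.113.10", "FI", "Success", "otp"),
    rec("u02", "2024-05-03T07:40:00Z", "198.51.100.7", "FI", "Success", ""),
    rec("u01", "2024-06-03T02:11:00Z", "192.0.2.44", "BR", "Success", ""),   # suspicious
    rec("u01", "2024-06-03T02:09:00Z", "192.0.2.44", "BR", "Failed", ""),    # failed, ignored
    rec("u02", "2024-06-04T08:00:00Z", "198.51.100.7", "FI", "Success", ""), # known country
    rec("u02", "2024-06-05T10:30:00Z", "192.0.2.91", "US", "Success", "otp"),  # MFA used
]


def baseline_countries(records, before):
    """Countries each user successfully logged in from before the cutoff."""
    seen = defaultdict(set)
    for r in records:
        if r["Status"] == "Success" and r["LoginTime"] < before:
            seen[r["UserId"]].add(r["CountryIso"])
    return seen


def flag_single_factor_new_location(records, since):
    """Return successful logins at or after `since` that used no MFA factor and
    came from a country the user had not logged in from before `since`."""
    seen = baseline_countries(records, since)
    return [r for r in records
            if r["LoginTime"] >= since and r["Status"] == "Success"
            and not r["AuthMethodReference"]
            and r["CountryIso"] not in seen[r["UserId"]]]


if __name__ == "__main__":
    for hit in flag_single_factor_new_location(SAMPLE_LOGINS, "2024-06-01T00:00:00Z"):
        print(f"review: {hit['UserId']} from {hit['SourceIp']} ({hit['CountryIso']}) "
              f"at {hit['LoginTime']} without MFA")
```

Once MFA is enforced for every user, the same query degenerates to "any successful login with an empty AuthMethodReference", which is a useful check that the enforcement actually took.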
For more Salesforce security recommendations, download our free guide:
Stop advanced threats on Salesforce instantly
If external users can access your Salesforce and exchange files and URLs through any Salesforce functionality, you have a security gap. Cyber criminals can deliver malware and links to phishing sites through your Salesforce. This can lead to credential theft campaigns similar to the one that hit Snowflake’s customers.
Fortunately for the defenders, mitigating the risk of advanced cyber threats on Salesforce is easy with native security solutions like WithSecure™ Cloud Protection for Salesforce. WithSecure™ Cloud Protection for Salesforce counters threats involved in the Snowflake incident. For example, it blocks both infostealer malware and URLs that lead to phishing sites that trick users into exposing their login credentials.
Designed for complex and vast Salesforce environments, the solution gives you real-time protection and instant visibility into your entire environment. There’s no impact on your customizations and workflows. The highly certified solution meets the strict compliance requirements of modern enterprises and critical public sector organizations. Get to know the product here, or contact our team to discuss your Salesforce security requirements.