Pure Storage says it was breached as Snowflake victim count continues to grow


Storage vendor Pure Storage has named itself the latest company affected by the extraordinary series of cyberattacks affecting customers of data warehousing company Snowflake.

The Snowflake attacks are, collectively, already one of the biggest cyber-incidents of the year and, as the victim list expands, could turn into one of the most significant of the decade.

Pure Storage, known for its proprietary DirectFlash technology, has sought to downplay what happened, describing how a third party had gained temporary access to a single data analytics workspace containing telemetry used for customer support.

That exposed company names, LDAP usernames, email addresses, and the version number of the company’s Purity software but no “compromising information such as passwords for array access, or any of the data that is stored on the customer systems,” a statement said.

The company said it was monitoring its infrastructure for unusual activity and had seen no evidence of any further attacks on itself or its large customer base. It didn’t reveal the security weakness that caused the breach.

Unfolding cyberattack

Several issues revealed by the Snowflake-related incidents will be worrying experts: the long timescale over which some elements of them seem to have occurred, the scale of any subsequent data breaches, and the underlying security weaknesses that made them possible.

The Snowflake incident has already been connected to data breaches at Spanish bank Santander and ticketing giant Ticketmaster, plus a long list of other well-known companies originally named in a May report by cyber-intelligence company Hudson Rock (since removed after legal pressure from Snowflake).

On 10 June, reports by Google’s Mandiant and CrowdStrike linked the attacks to a threat actor identified as UNC5537 which they said was compromising Snowflake accounts using customer credentials acquired from cybercrime forums.

In other words, the group gained access using compromised credentials rather than a weakness in the Snowflake platform itself. Data theft was being used to extort Snowflake customers, of which 165 had been notified of possible exposure, Mandiant said.

Single factor’s last stand?

According to Mandiant, most of the credentials used to break into accounts were acquired by infostealers, a long-established type of malware that infects computers to silently steal data, including passwords.

Alarmingly, in the case of Snowflake credentials, some of these dated back four years. If attackers are still able to use them, this indicates that they haven’t been rotated. Credentials can be brute-forced, and even competently secured ones can be phished, but failing to rotate important credentials is a symptom of outright neglect.

This might have happened because the IT team didn’t know they existed. Created by developers on the hoof, they remained invisible and the access they provided was forgotten.

MFA not mandated

Another issue raised by the Snowflake attacks is that many credentials were apparently not protected by multi-factor authentication (MFA). On June 7, after the attacks had come to light, Snowflake said it now planned to make this setting mandatory for customers:

“While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business,” the company said.

Given that MFA is now widely seen as a necessary protection for any privileged account, what’s less clear is why so many customers aren’t using it.

CSOonline.com asked security experts for their views, and all mentioned the same issue: that MFA was seen as inconvenient, even by developers and IT professionals.

“Unfortunately, IT departments receive pushback from users when it comes to using two-factor authentication. Users do not like using MFA, as it adds another step to the authorization process,” said Chris Hauk of privacy organization Pixel Privacy.

“This is despite MFA adding a minuscule bit of extra time to the login process. Management needs to back IT in cases like this. More authentication steps generally mean fewer breaches like this. Sadly, users do not enjoy change and will always push back.”

MFA improves security but it also increases complexity because users have to be enrolled and managed, and the technology is never cheap to implement.

Compounding this was the issue of shadow IT. Developers sign up for cloud accounts without telling the IT team, which means that MFA policies, if they exist, are never applied.

Service providers could solve this by mandating MFA but are reluctant to because they too think they’ll get pushback from customers.

If Snowflake tells us anything, it’s that the gradualist approach to MFA security is obsolete. MFA is not a panacea, but its universal application on cloud services would surely reduce the likelihood of mass data breaches by careless account holders.
