Keeping Up with the Credentials: The Evolving Landscape of Ransomware in 2024


The first half of 2024 has seen some of the largest breaches in recent years. Their common denominator? Compromised credentials and lack of MFA. The most prominent breach to date is the Snowflake breach, which has continuously affected some major organizations since May. In this article, we’ll focus on some of the hardest-hit organizations, and round up with a different – though just as preventable – breach.

One of the most notable breaches of 2024 so far is the breach that targeted the cloud storage platform Snowflake. In fact, the target here wasn’t Snowflake itself, but rather Snowflake’s customers, including AT&T, Ticketmaster, Santander Bank and Neiman Marcus, among others.

As reported by several cyber news outlets, this was a textbook supply chain attack. Attackers gained access to Snowflake’s customers via a compromised machine, possibly through phishing emails and malicious attachments. It is estimated that more than 500 credentials were discovered this way and put up for sale on the dark web, including usernames, passwords, and URLs of the Snowflake environments associated with those credentials.

According to Wired, in some cases, the attackers used a compromised machine of a Snowflake employee or contractor as their initial point of entry. In other cases, however, the credentials used by these individuals were stolen and sold as early as 2020 and were still valid in 2024.

Snowflake’s Investigation Findings

The investigation conducted by Snowflake and Mandiant found that at least 79.7% of the accounts used by the attackers had been compromised years prior to the current attack and that their passwords were never changed or rotated. The investigation also confirmed that hundreds of credentials of Snowflake customers have been exposed since 2020 and that the impacted instances did not have access policies in place to only allow access from trusted locations.

The investigation also found that the attackers obtained credentials and used them to access demo accounts of a former Snowflake employee. “This appears to be a targeted campaign directed at users with single-factor authentication”, confirmed Brad Jones, Snowflake’s CISO, in a statement issued by Snowflake. “It did not contain sensitive data”.

Jones further claimed that the “access was possible because the demo account was not behind Okta or MFA”, and that “demo accounts are not connected to Snowflake’s production or corporate systems”. He also announced that Snowflake is “developing a plan to require our customers to implement advanced security controls, like MFA or network policies, especially for privileged Snowflake customer accounts”.

AT&T: Flake It till You Make It

Approximately 110 million AT&T customers’ phone numbers and call records were obtained through an AT&T Snowflake account. This information included the number of calls and texts customers made, to which destination, and the duration of each call. This means that the data also included information on non-AT&T customers who were on the other end of the call or text. The data were not leaked or made public, and according to some reports this was because AT&T allegedly paid $370,000 in ransom after negotiating with the attacker.

It’s been a rough year for AT&T. Only four months before the Snowflake breach, a database of more than 70 million AT&T customers was leaked online, revealing names, addresses, phone numbers, social security numbers, and birth dates. According to reports, the database was stolen in 2021 and held by the attacker mostly intact until March of this year when it was released in its entirety.

Ticketmaster: Another Flake in the Blizzard

In May, data on 560 million Ticketmaster users were reported to have been stolen. In July, the company sent emails to its customers notifying that an unauthorized user obtained information “from an isolated cloud database hosted by a third-party data services provider”, and that the information “may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates”. The BBC reported that it had asked Ticketmaster why it took so long to notify its customers, but did not receive a response.

Change Healthcare (UnitedHealth Group): A Lesson in Identity Hygiene

In February, a ransomware attack on Change Healthcare resulted in the theft of 4TB of sensitive data of up to 1 in 3 Americans, as well as widespread outages at hospitals, pharmacies, and healthcare practices throughout the United States.

Although UnitedHealth Group (UHG) paid ALPHV/Blackcat, the ransomware group who claimed responsibility for the attack, a ransom of $22 million to ensure the data would be deleted, the group allegedly passed the stolen data to another group, RansomHub, who demanded another ransom.

As part of his testimony before the House Energy and Commerce Committee, UHG CEO Andrew Witty confirmed that the attackers accessed the network through a server that didn’t have MFA. The attackers either purchased credentials on the dark web or used brute force to gain initial access. Either way, MFA would have stopped them. Once they gained access to the network, they moved laterally from one machine to the other – and we all know how that ended.


Mitigation Best Practices

There are certain precautions organizations can take to mitigate and contain such breaches, namely ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management). Gady Svahjman, Global Threat Hunting Lead at Silverfort, offers some expert advice:

Detection

  • The attackers probably used the stolen credentials differently from the legitimate user; for example, at different times of day, from different source geolocations, and between different source/target machines.
  • If detections and security attributes for abnormal authentications had been implemented, the breaches could have been detected and an alert could have been triggered.
  • Accounts that have been unused for a long period of time but whose credentials are suddenly authenticating, or accounts with passwords that do not expire should have also raised a red flag. Proper risk indicators and access policies would trigger an alert in such cases.

Prevention

  • Detection alone isn’t enough, and organizations shouldn’t rely exclusively on alerts. Reviewing thousands of alerts every day is not sustainable, and retrospective detection is not sufficient.
  • Access policies could have denied access based on behavioral and pattern analysis.
  • Lack of MFA was a crucial factor in allowing the attackers to gain access to these Snowflake instances and Change Healthcare network.
  • By requiring more than one factor to authenticate, strong MFA controls could have stopped the attackers. The stolen but otherwise legitimate user credentials alone wouldn’t have been enough; the attackers would have had to deal with an extra layer of security.

Response

  • Raising Walls: To contain the attack and freeze the situation once it’s discovered, the first security principle you should implement is creating policies to deny any access that is not necessary to critical business operations.
  • Containing compromised accounts and machines may involve either completely denying access to machines and accounts, or only partially; for example, by allowing only specified sources and destinations access to critical infrastructure.
  • When in doubt about whether a user account has been compromised, or whether the organization should allow that user to continue working, resetting that user’s password and enforcing a policy that allows operations with that account only with MFA is another option instead of denying access outright.
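As an added example (not code from the original post or from Silverfort’s product), here is a small Python check that scores an authentication event against a per-account baseline using the indicators listed under Detection (unusual time, new geolocation, new source host, dormant account suddenly authenticating, non-expiring password, missing MFA) and turns the result into the allow / step-up-to-MFA / deny decision described under Prevention and Response. Account names, baselines, thresholds and events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed per-account baselines of normal behaviour (sample data, not real accounts).
BASELINE = {
    "svc_export": {"hours": range(8, 19), "geos": {"US"}, "hosts": {"etl-01"},
                   "last_seen": datetime(2021, 3, 2), "password_expires": False},
    "analyst1": {"hours": range(7, 20), "geos": {"US"}, "hosts": {"wks-17"},
                 "last_seen": datetime(2024, 5, 19), "password_expires": True},
}
DORMANT_DAYS = 180  # an account unused this long is treated as dormant (assumed threshold)

def risk_indicators(event, baseline=BASELINE):
    """Return the risk indicators an authentication event trips against its baseline."""
    b = baseline[event["user"]]
    ts = event["time"]
    hits = []
    if ts.hour not in b["hours"]:
        hits.append("unusual_time")
    if event["geo"] not in b["geos"]:
        hits.append("new_geolocation")
    if event["host"] not in b["hosts"]:
        hits.append("new_source_host")
    if ts - b["last_seen"] > timedelta(days=DORMANT_DAYS):
        hits.append("dormant_account_reactivated")
    if not b["password_expires"]:
        hits.append("non_expiring_password")
    if not event["mfa"]:
        hits.append("no_mfa")
    return hits

STRONG = {"new_geolocation", "dormant_account_reactivated"}

def access_decision(hits):
    """Policy: deny a strong anomaly that lacks MFA, step up to MFA on any other signal,
    and allow only a clean authentication."""
    if "no_mfa" in hits and STRONG & set(hits):
        return "deny"
    return "require_mfa" if hits else "allow"

# Constructed sample authentication events: a long-dormant service account used at
# night from an unknown host without MFA, then two logins by a normal analyst.
EVENTS = [
    {"user": "svc_export", "time": datetime(2024, 5, 20, 3, 12), "geo": "XX",
     "host": "vps-unknown", "mfa": False},
    {"user": "analyst1", "time": datetime(2024, 5, 20, 9, 30), "geo": "US",
     "host": "wks-17", "mfa": True},
    {"user": "analyst1", "time": datetime(2024, 5, 20, 23, 45), "geo": "US",
     "host": "wks-17", "mfa": True},
]
```

Running `access_decision(risk_indicators(e))` over `EVENTS` yields deny, allow and require_mfa respectively; in practice the baseline would be learned from historical authentication logs rather than hard-coded.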

Final Thoughts

It may be uncomfortable to admit, but these breaches could have been prevented, or at least the damages kept to a minimum. All that needed to be done was to update passwords, enable MFA, and set access policies. This may sound easy enough, but it’s actually not always so straightforward.

For example, organizations that contract with third parties and use accounts managed by these third parties have very limited ability to check the accounts’ permissions or even whether they are still alive and active.

From discovery to containment, identity security is a cycle. Coordination and unification are required, as well as a constant effort to stay on top of things. These breaches didn’t just expose credit card numbers, personal medical information and call records of millions of customers – they exposed how little we know about and are committed to identity security versus how critical it really is.
