SnowBall effect of Snowflake Breach

Executive Summary

Snowflake an American cloud computing–based data cloud company, identified a breach in June 2024, which had far-reaching implications for various organisations. Attackers exploited stolen credentials from a Snowflake employee, enabling unauthorised access to sensitive customer data, including credentials and access tokens. This breach was exacerbated by bypassing Okta’s security measures, allowing the attackers to generate new session tokens and access extensive customer data without detection.

Key Affected Customers:

Attack Method

  • Credentials Theft: Initial access through compromised employee credentials
  • Bypass Mechanism: Circumvention of Okta Security Protocols
  • Exploitation: Generation of new session tokens to access databases and steal data

The Domino Effect

The Snowflake breach has created a domino effect, where the initial compromise has led to multiple subsequent breaches. This incident mirrors the earlier Okta breach,, where attackers leveraged stolen credentials to infiltrate various organizations.

Domino Effect of Snowflake Breach

Companies affected include:

  • Ticketmaster: Reported unauthorised access to sensitive data.
  • Advance Auto Parts: Experienced data theft, with stolen information now for sale on dark web marketplaces.
  • Santander Bank: Compromised customer data led to financial and reputational damage.
  • Hugging Face, Quote Wizard, Lending Tree: Also reported breaches, with more organizations likely to follow .

Inherent Weaknesses in Traditional IAM Solutions

Password + MFA Based Authentication:

  • Reliance on passwords makes systems vulnerable to phishing and credential theft.
  • Multi-Factor Authentication (MFA) is often ineffective as attackers can bypass Password + MFA protection mainly by phishing or using a compromised device.
  • Social Engineering attacks have shown that phishing resistant MFA like FIDO keys, & passkeys can prove to be ineffective & can be easily disabled or reset.

IAM Blind Spots:

Apart from reliance on vulnerable passwords for identifying user. The existing IAM solutions are blind to following risks

  • Connection Risk – Traditional IAM solutions lack visibility of user connections. They cannot know whether an authentication request is coming from an authorised actor or an attacker in the middle.
  • User’s Device Risk – They also do not account for the type & security posture of user’s devices, leaving systems exposed to malware and remote monitoring, as seen in the Uber incident.

Impact Assessment

The Snowflake breach is termed as the biggest data breach so far and it’s cascading effect has led to numerous organisations reporting security incidents & data breach. 

The amplification effect could potentially lead to a vast number of downstream breaches, escalating the overall impact.

Impact of Snowflake Breach
Credit: XQ

Towards a Secure Future

Challenges with Current Solutions:

  • Time and again Password + MFA based systems are proven to be ineffective against simple attacks like phishing & social engineering.
  • There is a pressing need for more robust authentication mechanisms.

Protect your Enterprise, #GoPasswordless with PureAUTH

FIDO Solutions like Passkeys and hardware tokens focus on giving users a passwordless experience keeping the passwords on the server as the primary way to identify and authenticate users.

PureAUTH Platform on the other hand provides a comprehensive passwordless approach, eliminating the passwords from server side & not just from user side. PureAUTH is the only solution that protects an organisation against phishing, social engineering, frauds & all types of credential-based attack.

To learn more about PureAUTH & how it protects your existing IAM systems like Okta, OneLogin, CISCO Duo, or Azure AD in just 60 minutes at Zero Cost – get in touch with us

Related Blogs

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach

Dell Data Breach: 49M Customer Records Exposed

In a data breach that has caused anxiety about security and privacy, Dell, a technology hardware giant, has admitted to its occurrence having affected 49 million customer records. The unsecured API linked to a partner portal allowed hackers to swipe a huge amount of information about customers from Dell’s database.

Dell Data Breach Customer Records: Source Daily Dark Web
Dell customer data on Breach Forums
Source: Daily Dark Web

Methodology of the Breach

The hacker, known as Menelik, shared his methodology with TechCrunch .

“Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik said.

Dell on the other hand, responded with “Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement.”

  • Exploiting Partner Accounts: The threat actor created multiple “partner” firms known by different names for multiple accounts thereby leading in access to sensitive customer records.
  • Scraping Customer Data: They stole huge amounts of client data directly from Dell’s servers including personal particulars and purchase information.
  • Persistence and Volume: For nearly three weeks, the perpetrator launched an unyielding onslaught of appeals that led to almost 50 million records.
  • Reporting:  They emailed Dell on April 12th and 14th to report the bug to Dell security team
Dell Data Breach Customer Records: Email to Dell from Menelik
Email sent to Dell about partner portal flaw
Source: Menelik

“Prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps. We have also engaged a third-party forensics firm to investigate.”

Stolen Data Details

The exposed data has customer order data, including warranty information, service tags, names, locations, customer numbers, and order numbers.

The hacker, Menelik says the stolen customer records include the following hardware breakdown:

  • Monitors: 22,406,133
  • Alienware Notebooks: 447,315
  • Chromebooks: 198,713
  • Inspiron Notebooks: 11,257,567
  • Inspiron Desktops: 1,731,767
  • Latitude Laptops: 4,130,510 
  • Optiplex: 5,177,626
  • Poweredge: 783,575
  • Precision Desktops: 798,018
  • Precision Notebooks: 486,244
  • Vostro Notebooks: 148,087
  • Vostro Desktops: 37,427
  • Xps Notebooks: 1,045,302
  • XPS/Alienware desktops: 399,695

Mitigation Efforts

Incident response protocols were deployed by Dell, containment strategies were employed, and external forensic experts were contracted to investigate and fix vulnerabilities.

Conclusion

Dell has advised customers to remain vigilant at all times by reporting any suspicious activities associated with their accounts or purchases as soon as possible.

Dell Email to Customers

The 49 million customer purchase data between 2017-2024 looks like the perfect phishing bait. Anyone posing as dell representative can trick users into clicking links and being set up for credential theft.

We need to prevent a phishing incident like those that rocked Okta, Dropbox and Lastpass. It becomes imperative to fortify your organization with robust authentication methods. Embracing passwordless authentication could be precisely the solution needed. After all, if you don’t possess traditional credentials, they can’t be stolen, can they?

Read Also

Massive Data Breach: 125 Million Records Exposed Due to Firebase Misconfiguration

Google 2FA Breach: Rethink Authentication Security

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Credit : Forbes

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

  1. Password Spraying & brute forcing attacks
  2. Credential Phishing, Push fatigue and Adversary in the middle attacks
  3. Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
  4. Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
  5. Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Read Also

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

Securing Cloud Environments: Lessons from the Microsoft Azure Breach

Introduction

In the wake of the recent Microsoft Azure breach, it has become increasingly evident that organizations must prioritise enhancing their security posture to mitigate the risk of similar incidents in the future. This breach, attributed to compromised passwords & MFA manipulation, underscores the critical importance of implementing passwordless authentication solutions to strengthen overall security.

The Breach

The breach unfolded through a series of sophisticated maneuvers executed by cyber criminals to exploit weaknesses in Azure’s security framework. Initially, phishing emails targeted mid and senior-level executives, enticing them into disclosing their login credentials unwittingly. 

Armed with these credentials, attackers gained unauthorised access to Azure accounts, despite the presence of multi-factor authentication (MFA). By circumventing MFA and substituting victims’ MFA settings with their own, attackers maintained undetected access to Azure resources. 

They further obscured their identities using proxies, evading detection while seizing control of sensitive data and cloud resources.

This helps attackers bypass any poorly designed adaptive authentication solution relying on IP based access restriction or re-authentication.

How Microsoft Azure was Breached

The Lessons

  1. Phishing: Implement Phishing-Resistant Authentication Methods
    • Organisations must adopt phishing-resistant authentication methods to combat prevalent phishing attacks. Staff training alone may not suffice, necessitating solutions that minimise the risk of credential theft.
  2. Credential Theft: Go Passwordless
    • Enhanced credential security with multi-factor authentication is insufficient. Robust password management practices and adaptive MFA solutions have been and will continue to be breached unless you eliminate credentials altogether. Passwordless solutions are the optimal choice for enterprises, as they have been for quiet some time now. Both enterprises and individuals must recognise and adopt it as a standard practice.
  3. MFA Replacement: Implement Continuous Monitoring and Anomaly Detection
    • When you’re using credentials, it’s crucial to keep an eye on them. Continuous monitoring and anomaly detection play a vital role here. They help spot any unauthorised changes in MFA settings promptly, preventing any further access.
  4. Masking Location Using Proxies: Strengthen Adaptive Authentication Checks
    • Strengthening adaptive authentication checks is vital to detect suspicious activities like masked locations. Geo-location based authentication or behavioural biometrics can enhance authentication accuracy.
  5. Cloud Account Takeover: Implement Zero Trust Security Architecture
    • Implementing a Zero-trust security model is crucial to verify every access request, regardless of source or location. Granular access controls and continuous monitoring can mitigate the impact of cloud account takeovers.

Moving Forward

In the aftermath of this breach, organizations must prioritise fortifying their security posture to prevent similar incidents. While passwordless authentication solutions offer promising alternatives, organizations should also concentrate on strengthening existing security protocols, conducting regular security audits, and enhancing employee awareness to mitigate future threats effectively.

Conclusion

The breach of Microsoft Azure serves as a stark reminder of the imperative for proactive cybersecurity measures in safeguarding sensitive data and mitigating the risk of unauthorised access. 

By embracing passwordless authentication solutions and implementing a holistic security strategy, organizations can enhance their resilience against evolving cyber threats and safeguard their invaluable assets effectively.

Cloudflare Breach: Okta’s Ripple Effect

Abstract

In a recent revelation, Cloudflare disclosed a security breach on Thanksgiving Day, November 23, 2023. This blog delves into the timeline of events and emphasises the critical role of passwordless authentication in mitigating such breaches.

Breach Overview: Understanding the Thanksgiving Intrusion

In an orchestrated attack, threat actors exploited stolen credentials from the Okta security breach in October. Cloudflare’s internal systems, particularly the Atlassian server, became the focal point for unauthorised access and data compromise.

Compromised Credentials: The Fallout on Cloudflare’s Security

Despite the awareness of the Okta breach, Cloudflare’s failure to rotate service tokens that have very long validity and account credentials allowed threat actors to establish persistent access. This breach impacted Cloudflare’s Atlassian environment, leading to unauthorised access to sensitive documentation and a limited set of source code repositories.

Nation-State Attribution and the Real Culprit: Passwords

Cloudflare attributes the breach to a likely nation-state actor, mirroring the recent trend in cyber threats. However, one can suggest that the fundamental issue lies in the continued reliance on a vulnerable authentication method, which enables such breaches to unfold.

Highlighting the Key Issue: The Perils of Passwords

The breach underscores the inherent vulnerability of conventional password systems. Stolen Okta credentials served as the gateway for threat actors, exposing the limitations of password-centric security measures. This incident highlights the urgent need for organisations to transition towards passwordless authentication solutions & short session validity to fortify their security posture.

It’s the painful experience of passwords based login which forces admins and users to choose long term session tokens to minimise the number of logins.

PureID Solution: A Glimpse into a Secure Future

PureID offers a robust passwordless authentication solution that would have mitigated this breach. By eliminating the relevance of stolen credentials, PureID represents a paradigm shift in cybersecurity, providing a secure alternative to traditional password systems.

PureAUTH offers a simple & smooth login experience. This makes working with short term sessions and frequent login delightful.

Risk Mitigation: The Imperative of Passwordless Security

Cloudflare’s breach serves as a wake-up call for organizations to reevaluate their cybersecurity strategies. Embracing passwordless solutions, such as PureID, emerges as a proactive step to mitigate the risks associated with stolen credentials and enhance overall security.

Immediate Response: Cloudflare’s Security Reinforcement

In response to the breach, Cloudflare has initiated a comprehensive security reinforcement effort. Measures include mass credential rotation, system segmentation, forensic triage, and a meticulous review of all systems to ensure the threat actor’s access is fully revoked.

Ongoing Investigation: Collaboration for a Secure Future

Cloudflare’s ongoing collaboration with peers, law enforcement, and regulators emphasises dedication to assessing the breach’s full impact. This collaborative approach aims to implement additional preventive measures and adapt to the evolving landscape of cyber threats.

Conclusion: Advocating for Passwordless Security

The Cloudflare breach underscores the critical need to shift from traditional passwords and false passwordless systems to true passwordless authentication that can not be breached by stolen credentials. Passwordless solutions, like PureID, offer a robust defence against unauthorised access, heralding a more secure digital future for organisations.

Read Also:

MongoDB Security Incident: Navigating the Aftermath

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

On December 13, 2023, MongoDB, a prominent US-based open-source NoSQL database management system provider, faced a substantial security incident. This breach of MongoDB Atlas, a fully-managed cloud database, unfolded as unauthorised access infiltrated corporate systems, laying bare customer account metadata and contact information. The assailants employed a cunning phishing attack, exploiting support service applications. The consequences were dire – a trove of sensitive data, including customer names, phone numbers, and account details, left exposed in the turbulent aftermath of this cyber storm.

MongoDB Steps Explained

Intrusion Footprints: A List of IPs Disclosed

In a proactive move, MongoDB disclosed a comprehensive list of external IP addresses on their alerts page. These IPs were strategically employed by the unauthorised third party. Organisations are strongly advised to meticulously scrutinise their networks, diligently searching for any ominous signs of suspicious activity intricately linked to these disclosed IPs. If you spot these IPs, you’ve got unwelcome guests. Remember it’s time to act, and act fast.

MongoDB Breach

Phishing & Social Engineering – The Achilles’ Heel of Multi-Factor Authentication

MongoDB issues a resolute counsel to its user base, emphasising the critical need to bolster defences against the looming threats of social engineering and phishing. In response, the company advocates the implementation of multi-factor authentication (MFA), urging users to promptly update their MongoDB Atlas passwords as an additional layer of security.

Phishing attacks or social engineering can bypass and disable all types of MFA solutions, as seen time and again. The security incident under discussion started with phishing attacks. So implementing MFA will have zero security advantage but will only increase the cost, efforts and complexity of authentication.

GoPasswordless – The best protection for MongoDB

Going passwordless with PureAUTH will benefit in 2 broad ways to protect MongoDB or any other enterprise applications –

  1. Secure Authentication – PureAUTH offers passwordless authentication which is secure from phishing & social engineering attacks.
  2. Resilience in case of data breach – If data from the database like MongoDB is leaked due to mis-configurations, 0-day vulnerability or insider attacks etc, the adversary will not find any passwords, MFA seeds, swap-able public keys, or any usable data to carry out unauthorised access elsewhere.

Conclusion

Amidst the gloom, MongoDB presents a silver lining: Passwordless Authentication. It’s a call to transcend traditional password reliance for a more secure future. Fortify your defences with passwordless security. MongoDB users, the future beckons. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cyber security landscape with renewed strength. Passwords? Pfft, that’s so yesterday. The journey continues—Passwordless Authentication awaits.

2FA Evading Malwares on the rise

Writing after a long gap. We were engaged with Black Hat, DEFCON 28 & Blockchain Village 2020 remotely in #SAFEMODE. This was a great experience.

In my previous blog I had mentioned that in-mobile phishing apps stealing credentials are getting mainstream. Two weeks ago the media around the world was raked with the news of a new family of malware – Black Rock, stealing credentials from a wide variety of applications, not limited to the Banking sector only.

Malware

2FA Evading Malware Pedigree

We list families of Malware which are not only stealing passwords but also evading the conventional 2FA (Two Factor Authentication).

Malware FrameworkTarget ApplicationTarget AttributeImpactMore Reference
Black RockApp Related to Finance/ Banking Appssend, spam and steal SMS messages, inserts keyloggersCan steal otps and passwordsThreat Fabric
EventBotBanking, pPayment, money transfer, Cryptocurrency WalletsSMS, 2FA code/OTPs, *TAN codesCompromise of Banking application. FinanceCybereason
TrickMo/TrickBotTransactional AppsTransaction Authorization CodesCan be responsible for financial loss or can lead to unwanted transactionsIBM X-Force
Loki BotApp Related to Finance/ Banking Appssend, spam and steal SMS messages, inserts keyloggersCan steal otps and passwordsThreatfabric
RyukInitially to Email apps and then to Whole Machine/PCSystem filesInserts payloads and affects your system and asks for ransomDuo Security
CerberusGoogle Authenticator App2FA CodesCompromise of any platform associated with Google authenticator 
TechXplore

There are various malwares which are detected every month with different functions, These 2FA Evading Malwares are challenging organizations no matter if you add an extra factor on top of your passwords you are still vulnerable.

Cerberus Malware is in fact targeting Google Authenticator and compromising the class of apps relying on it.

SMS based OTPS are being phased out since 2017, due to an increase in SIM swapping attacks and industry started moving on TAN based authentication. PushTAN being the most popular. In this writeup we have seen that mobile app based trojans are stealing the temporary tokens rather than swapping SIM.

2FA

2FA fails to protect spare/phishing attacks

When it comes to protection against phishing or spear-phishing attacks targeting credentials, 2FA becomes irrelevant. Our founder Ajit Hatti in an interview with Mike Scialom discussed the spare phishing attacks racking UK politics.

PureID authentication system design is resistant to such malware as authentication happens using PKI and no credentials are involved.

Here is a demo video on how PureID can be useful for login without passwords more securely making sure no such malwares can do attacks like phishing, credential stealing or bypassing 2FA.

Conclusion

Time and again it has been proven that enterprises opting for 2FA for securing passwords end up increasing cost for enterprises, complexity for administrators, inconvenience for users and authentication remains insecure.