Snowflake and Data Breaches, Part 3

6–19–2024 (Wednesday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Wednesday, June 19, 2024, and we’re going to do one more edition here on the Snowflake events, and then hopefully we’ll be able to talk about something else next week.

Snowflake and Data Breaches, Round 3

By way of a quick update, the most interesting piece in the last week or so has come from WIRED Magazine’s Kim Zetter, in a piece where the attackers offered some additional details on how they breached Ticketmaster’s Snowflake account.

“according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts”

Continuing the theme in this saga of simply saying “wasn’t us” - “EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale.” Turns out the “fake news” strategy works in more than just politics.

We’d had some idea that there was an additional third-party role in this data breach from Mandiant’s blog post - which we covered last week.

In that post, “Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.”

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The article, published this past Monday, has a couple of comments in the very last paragraph from Snowflake’s CISO, noting that “Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward,” and that “then we’ll be looking in the future to [make the] default MFA.”

Right now, and I’m very familiar with this since I was just helping a client do this in their Snowflake instance yesterday, users themselves have to both rotate any passwords and enable MFA. Since Snowflake is essentially a big database, there’s the ability to write a query to see which users don’t have MFA enabled and how old their passwords are, but even with an admin account, it’s not possible to force MFA, force password rotations, or do other things that might help manage this risk (e.g. kill all sessions and force re-authentication, etc.).
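As an added illustration of the inventory query described above (this is example SQL written for this post, not code from Snowflake, Mandiant, or the author’s client engagement), the two queries below list users who can still log in with a password but have no MFA enrolled, with their password age, and then go one step further than the text by checking login history for recent successful logins that used a password and nothing else. They assume a role that can read the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); the 30-day window and the column aliases are choices made for this example.

```sql
-- Added example, not from the original post. Assumes access to the
-- SNOWFLAKE.ACCOUNT_USAGE views; note these views lag live account state
-- by up to roughly two hours, so re-run them after remediation to confirm.

-- 1. Active users who can authenticate with a password but have no MFA
--    enrolled (Snowflake's built-in MFA is Duo-based, hence EXT_AUTHN_DUO),
--    with password age and most recent successful login.
SELECT
    name,
    disabled,
    has_password,
    has_rsa_public_key,                       -- key-pair auth configured?
    ext_authn_duo                             AS mfa_enrolled,
    password_last_set_time,
    DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP())
                                              AS password_age_days,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY password_age_days DESC NULLS FIRST;

-- 2. Who has actually logged in with only a password recently? This is the
--    exposure that matters most: an unrotated password with no second
--    factor that is still being used. The 30-day window is an example
--    choice; widen it to match your incident timeline.
SELECT
    user_name,
    COUNT(*)                                  AS password_only_logins,
    MAX(event_timestamp)                      AS most_recent_login,
    COUNT(DISTINCT client_ip)                 AS distinct_source_ips,
    COUNT(DISTINCT reported_client_type)      AS distinct_client_types
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;
```

The first query is the “who still needs to act” list you hand to users; the second is the one to watch after you send that list out, because a user who shows up there with many distinct source IPs or client types is exactly the pattern the contractor-laptop story above describes. Neither query changes anything, and, as the post says, none of this can force enrollment: it only tells you who has not done it yet.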

Couple this with the fact that lots of enterprises end up hiring consultants for this sort of technical implementation work - likely how EPAM got involved - and then you’re hoping that your contractors don’t have employees who use personal machines that are compromised to access your resources. It’s a long tail of risk, and we’re seeing compromised credentials wreaking havoc at hospitals in London and municipalities in the US this week, as well.

Truist Bank - formed by the 2019 merger of SunTrust and BB&T - also announced (with VERY FEW details) an October 2023 breach that resulted in the loss of “information on 65,000 employees, including bank transactions with names, account numbers, balances, and IVR funds transfer source code” - now for sale for $1 million by the same threat actors that stole the Ticketmaster data.

For their part, Truist only acknowledged this data breach publicly once the data was posted for sale online. When asked if this was connected to the ongoing Snowflake attacks, the spokesperson said, "That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company."

There’s a bit of potential weasel wording going on in that last sentence - the implication being that a “Snowflake incident at our company” might mean the Snowflake incident is at Snowflake, or one of Truist’s third parties, etc.

Lots and lots of buck passing here, with very little transparency. For as many chances as we’ve had to implement basic controls like MFA, and learn about the value of sharing threat intelligence to further the collective defense, I’ve got to put my dad hat on here and say “I’m not mad, I’m just disappointed.”

Let’s hope that we’ve got some better news to talk about next week, and if you haven’t made your users rotate passwords and add MFA on their Snowflake accounts, please spend the rest of your week getting that done.

Fundraising

From a fundraising perspective, we tallied more than $18.5B in newly committed capital as we race towards the end of Q2 and the close of the First Half.

The bulk of this volume was attributed to Swiss PE firm Partners Group, who raised more than $15B for its fifth fund and affiliated vehicles.

At the same time, we also saw an article in the Wall Street Journal titled “Pensions Piled Into Private Equity. Now They Can’t Get Out.” The article leads with a quote that “the honeymoon is over. The payouts have dried up, creating an expensive problem for investment managers overseeing the savings of workers retired from big corporations and state and city governments.”

The story of hold periods extending is nothing new to those of us in this space, but it’s starting to become a real problem for the LPs, which also makes it a real problem for the PE funds themselves.

This is going to either drive transactions or it’s going to drive balance sheet engineering based around secondaries, lending, and shuffling assets to provide a little liquidity relief. So far, it seems like nearly every fund manager is choosing Option 2. Hard to say if that’s because they don’t feel like their assets are as robust as they’d need to be to support a sale, or if they’re happy with the growth and cashflow. My hunch? It’s the former, and the crash from zero or near-zero interest rates is going to be rough.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/

https://www.pymnts.com/cybersecurity/2024/fresh-wave-of-major-cyberattacks-exposes-key-enterprise-security-weaknesses/

https://www.techradar.com/pro/security/truist-bank-confirms-data-breach-after-stolen-data-appears-online

https://www.bleepingcomputer.com/news/security/truist-bank-confirms-data-breach-after-stolen-data-shows-up-on-hacking-forum/

https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html

https://www.wsj.com/finance/investing/pensions-piled-into-private-equity-now-they-cant-get-out-d3ca796d
