Cybercriminals can sniff out weak endpoints and poor cybersecurity diligence and phish for the necessary credentials to facilitate easier attacks
In April 2024, a trickle of leaked database records in the Dark Web were traced to a customer of Snowflake cloud storage. By 22 May, the number of leaked records had necessitated Snowflake to notify potential victims. Finally in June 2024, the tally had reached 165 “potentially exposed organizations” that were customers of the cloud data platform.
Worse, around 590m stolen records have been put on sale on the Dark Web that hackers have claimed were indirectly facilitated by the Snowflake customer database breaches.
Similarly, cloud communications firm Twilio announced in late June 2024 that hackers had taken advantage of “an unauthenticated endpoint” to identify data associated with one of the firm’s products, Authy, including 33m phone numbers. Ironically, the product in question is a second-factor authentication product meant to enhance user security. What can we take away from these two high-profile cyber incidents linked to specialist firms that customers have entrusted with their valuable data? Could the breaches have been avoided, or were careless personnel involved?
Flood of industry commentaries
While social media platforms and industry news media are flooded with opinions, speculation and advice, two issues are of immediate concern: what can the firms involved, as well as their customers, do to prevent future breaches and patch up all current weak points now?
- Snowflake has already announced its decision to enable multi-factor authentication (MFA) by default for all newly created Snowflake customer accounts. This is likely due to experts’ findings that login credentials had been stored insecurely in logs for an extended period of time, which facilitated easy theft by infostealer malware that had found its way into the system, according to Patrick Tiquet, Vice President, Security and Compliance, Keeper Security. “This breach highlights the critical importance of basic cybersecurity measures, including the use of strong, unique credentials, secure credential storage and the value of MFA. The latter is not as universally applied as it should be, due to a number of factors: inconvenience; lack of awareness; perceived complexity and more. This can be overcome through the use of a secure password manager that not only creates high-strength random passwords for every website, application and system, but also enables strong forms of MFA. A password manager can store MFA codes and autofill them, providing a seamless user experience by eliminating the second step to ensure accounts are protected with the highest level of security,” Tiquet said.
- Twilio has already fixed the unauthenticated endpoint involved. However, the damage has only just started: the data being sold online now will eventually spell negative implications for affected users, who are now at a significantly heightened risk of phishing attacks and SIM swapping, according to Darren Guccione, CEO and co-founder, Keeper Security. His advice is for affected users to be vigilant, and to know the signs of phishing attacks in order to prevent falling victim to imminent attacks using their stolen personal information. (See below for Guccione’s phishing vigilance advice.)
According to one ethical hacker, an API endpoint that accepts data and gives responses on that data needs to be covered with both authentication and authorization processes — otherwise, that endpoint is an internal cybersecurity threat. Apparently, since the application in question is an MFA tool, hackers had been monitoring what phone numbers had been used for signup with the tool, and then performing a SIM swap to get the MFA code sent to another phone. Another cybersecurity expert theorizes that they also fed a gigantic list of phone numbers from other data breaches into an Authy API endpoint to see which numbers would be listed as being associated with an account. These vetted phone numbers could then be paired with other leaked information to identify targets for SIM swaps.
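As an added illustration (not Twilio’s or Authy’s code; the accounts, tokens and phone numbers are constructed), the unauthenticated lookup the ethical hacker describes sits beside a hardened version that rate-limits the caller, authenticates it, and answers uniformly for any number outside the caller’s own account, so a bulk list of numbers can no longer be sifted for enrolled ones:

```python
import hmac
from collections import defaultdict, deque

# Constructed sample data (hypothetical accounts and tokens, not real ones).
ENROLLED = {"+15555550100": "acct-1", "+15555550101": "acct-2"}  # phone -> account
TOKENS = {"tok-alice-secret": "acct-1"}                          # API token -> account

def lookup_vulnerable(number: str) -> tuple[int, dict]:
    """No authentication or authorization: the reply itself reveals whether any
    number is enrolled, so a bulk list of numbers can be sifted wholesale."""
    if number in ENROLLED:
        return 200, {"enrolled": True, "account": ENROLLED[number]}
    return 404, {"enrolled": False}

class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.calls[key]
        while q and now - q[0] >= self.window:
            q.popleft()                          # forget calls outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def _authenticate(headers: dict):
    """Return the account that owns the bearer token (constant-time compare), or None."""
    presented = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    for token, account in TOKENS.items():
        if hmac.compare_digest(token, presented):
            return account
    return None

def lookup_hardened(number: str, headers: dict, client_ip: str,
                    limiter: RateLimiter, now: float) -> tuple[int, dict]:
    """Rate-limit, authenticate, then authorize: a caller may only confirm numbers
    enrolled under its own account; every other case gets one uniform answer."""
    if not limiter.allow(client_ip, now):
        return 429, {"error": "too many requests"}
    account = _authenticate(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    if ENROLLED.get(number) != account:
        return 404, {"error": "not found"}     # same body for unknown and other-tenant numbers
    return 200, {"account": account}
```

The hardened handler counts unauthenticated calls against the per-client limit too, so a caller without a valid token cannot probe indefinitely.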
Building up phishing awareness
According to Guccione, the following reminders are timely not only for data breach victims but for everyone in general. Watch out for:
- Urgent language: This is because cybercriminals want the potential victim to act as quickly as possible so they do not have time to do more research or check with other people when submitting their personal information.
- Discrepancies in email addresses and domain names: If an email claiming to be from a boss, co-worker, or firm has an address and domain name that does not match proper official email domains, it is likely fake. Note that the spoofed email or web address may contain only a subtle difference, such as an “o” replaced with a “0”, or “.com” replaced with “.net”.
- Requests for personal information: Sudden requests for personal information are also a common phishing attempt indicator. If you receive an email, text message, or phone call from an unknown number claiming to be a company or someone you know, think twice before giving out your personal information — especially if you were not the one who initiated the conversation.
- Misspellings and grammatical errors: Before corporations send out emails to customers, the content usually goes through multiple rounds of reviews to ensure there are no errors. If you receive an email claiming to be from a company or individual and you notice errors, it is best not to click on anything in the email because it could be a phishing attempt.
With high-profile cyberattacks that are likely to have a snowball and cascade effect for years to come (due to the massive amount of personal data being leaked and proliferated underground indefinitely), the organizations involved could have been more forthcoming and communicative. If they need a refresher in crisis management, here is another good set of tips.