Multifactor Authentication Is Not Enough to Protect Cloud Data

A cybercriminals group known as UNC5537 has been on a tear.

Over the past month, the ransom gang, possibly related to ShinyHunters or Scattered Spider, stole more than 560 million customer records from Ticketmaster and posted it for sale on its reconstituted leak site, BreachForums, on May 28, asking for $500,000. Two days later, the group claimed to have stolen 30 millions account records from Spain-based Santander Bank, asking for a cool $2 million. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not to be a vulnerability but the use of stolen credentials and poor controls on multifactor authentication (MFA), according to a June 10 analysis by incident-response firm Mandiant, part of Google.

"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," Mandiant stated in its analysis. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

While the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services need to make sure that they have visibility into their attack surfaces, quickly removing the accounts of former employees and contractors and reducing the avenues through which opportunistic attackers could compromise systems, networks, or services, says Chris Morgan, senior cyber threat intelligence analyst at cloud-native security platform provider ReliaQuest.

"The biggest lesson learned is that threat actors do not need to employ sophisticated techniques," he says. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities."

Here are five lessons from the latest spate of cloud breaches.

1. Start With MFA and Then Go Beyond

There is a lot of room for growth in the adoption of MFA. While 64% of workers and 90% of administrators used MFA, according to a report released a year ago, more than six out of every 10 organizations have at least one root user or administrator without MFA enabled on an account, according to Orca Security's "2024 State of Cloud report."

Businesses need to get to a consistent — and verifiable — 100%, says Ofer Maor, co-founder and chief technology officer at cloud-security firm Mitiga.

Companies should "make sure MFA is enforced and required, and if using [single sign-on], make sure non-SSO login is disabled," he says. "Go beyond traditional MFA [and] turn on additional security measures, such as device- [or] hardware-based authentication for sensitive infrastructure."

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should also put access control lists (ACLs) in place, restricting where users can access a cloud service or at least enabling reviews of access logs on a daily basis to spot any anomalies.

This further limits the ability of cyberattackers, says Jake Williams, faculty analyst and cybersecurity practitioner at analyst firm IANS Research.

"Really, for pretty much any cloud infrastructure ... it is a best practice to restrict what IP addresses folks can come from," he says. "If you can't, then access reviews are all the more important to make sure that people aren't coming from someplace you don't expect."

3. Maximize Visibility Into Cloud Services

Companies need to also have a meaningful way of continuously monitoring for applications. Log data, access activity, and services that aggregate data sources into a complete picture can help companies detect and prevent attacks, like those on Snowflake.

In addition, organizations need to be able to alert on specific behavior or threat detections — an approach that would have detected the cybercriminals' attempts at accessing their cloud data, says Brian Soby, CTO and co-founder at AppOmni, a software-as-a-service security posture management firm.

"While security operations teams are spread thin and generally don't have the opportunity to develop deep expertise in the various applications used by their companies, their tooling and security platforms should have quickly identified these issues," he says. "In this scenario, there were certainly anomalous logins from unusual locations and the connection of highly questionable attacker applications to customer Snowflake instances."

4. Don't Rely on Your Cloud Providers' Defaults

While cloud-service providers like to emphasize that security is a shared responsibility model, unless an attacker breaches the cloud provider's infrastructure or software — such as in last year's vulnerabilities in Progress Software's MoveIT Cloud service and MoveIT Transfer software — the responsibility almost always falls onto the customer.

Yet, often cloud providers prioritize usability over security, so companies should not rely on their providers' defaults to be secure. There is a lot that Snowflake, for example, could have done to make managing MFA easier, include turning on the security control by default, says Mitiga's Maor.

"What enables this attack to be successful, and at this scale, is that the default setting of Snowflake accounts does not require MFA, meaning once you get a compromised username and password, you can get full access immediately," he says. "Normally, high-sensitivity platforms would require users to enable MFA. Snowflake not only does not require MFA but also makes it very hard for administrators to enforce this."

5. Check Your Third Parties

Finally, companies should also note that — even if they are not using Snowflake or another cloud service — a third-party provider may use the service for its back end, exposing their data to risk, says IANS Research's Williams.

"Your data may be in Snowflake, even if you're not using it," he says. "That's the complexities of supply chains today ... you're giving your data to a third-party service provider, who is then putting it into Snowflake and may or may not be using best practices."

Organizations should reach out to all of their service providers with access to their data and ensure that they are taking the proper steps to protect that information, Williams says.