Hackers Exploit EPAM Worker’s Credentials to Access Snowflake Accounts
Direct Access Through Plaintext Credentials
Hackers claimed they accessed Snowflake accounts of EPAM customers using plaintext usernames and passwords found on an EPAM worker’s computer. When Snowflake credentials weren’t stored on the worker’s system, they used old credentials stolen in previous breaches by infostealer malware, including those harvested from the same EPAM worker in Ukraine.
Infostealer Malware and Credential Reuse
Credentials harvested by infostealers are often sold or posted online. If victims don’t change their login details after a breach, those credentials can remain active for years. This is especially problematic if the same credentials are used across multiple accounts. Hackers can identify users through their email addresses and try the same credentials in various places.
The hackers in this case used credentials stolen by an infostealer in 2020 to access Snowflake accounts.
Verification and Evidence
The Zero Byte couldn’t independently confirm the hackers’ claims of accessing the EPAM worker’s machine or using EPAM to breach Ticketmaster’s data and other Snowflake accounts. However, the hacker provided a file appearing to be a list of EPAM worker credentials from the company’s Active Directory database.
Mandiant, in a blog post, revealed that hackers used old data siphoned by infostealers to access Snowflake accounts. About 80 percent of the victims identified in the Snowflake campaign were compromised using previously stolen credentials.
Ransom Negotiations and Data Repositories
An independent security researcher, Reddington, who has been negotiating ransom transactions between the ShinyHunter hackers and victims, pointed to an online repository of data harvested by an infostealer. This included data from the EPAM worker’s computer in Ukraine, revealing the worker’s complete name, an internal EPAM URL pointing to Ticketmaster’s Snowflake account, and plaintext credentials.
“This means that [an EPAM worker] who had access to that Snowflake [account] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says Reddington.
EPAM’s Response
An EPAM spokesperson, when contacted by The Zero Byte, stated, “We do not comment on situations to which we are not a part.” The company suggested it did not believe it played any role in the campaign. When provided with details about how hackers accessed the system of an EPAM worker in Ukraine, the spokesperson replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”
Potential Security Concerns
It’s possible the ShinyHunter hackers did not directly hack the EPAM worker but instead used old credentials from these repositories. Reddington found data online that nine different infostealers had harvested from EPAM workers’ machines, raising concerns about the security of data belonging to other EPAM customers.
EPAM serves various critical industries, including banks, healthcare, and tech companies like Microsoft, Google, Adobe, and Amazon Web Services. It’s unclear if these companies have Snowflake accounts accessible by EPAM workers.
Third-Party Risks and Infostealers
The Snowflake campaign highlights the growing security risks from third-party companies and infostealers. Mandiant noted that multiple contractors were breached to gain access to Snowflake accounts. Contractors, often known as business process outsourcing (BPO) companies, are a potential gold mine for hackers because compromising a contractor’s machine can give direct access to multiple customer accounts.
“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant. These devices, often used to access multiple organizations’ systems, present a significant risk if compromised by infostealer malware.
Snowflake’s Response
Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020. The lack of multifactor authentication (MFA) made the breaches possible. Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of MFA enabled the breaches. Jones stated that Snowflake is working on giving customers the ability to mandate MFA for their accounts and plans to make MFA the default in the future.
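The two weaknesses the article describes, password-only logins without a second factor and credentials that surfaced in infostealer dumps years ago but were never rotated, are both checkable from ordinary login records. The following Python is an added example, not code from the article, Mandiant, EPAM or Snowflake; the record fields, user names, dates and exposure list are constructed for illustration and only loosely modelled on a login-history export, with the exposure dates standing in for whatever breach-monitoring feed a defender actually has.

```python
"""Audit login records for the two risk patterns described in the Snowflake campaign:
   1. successful logins authenticated by a password alone (no second factor), and
   2. accounts whose credentials appeared in an infostealer dump and whose password
      has not been changed since that exposure (i.e. the leaked password is still live).
All data below is constructed sample input; field names are assumptions, not a real schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LoginEvent:
    user: str
    first_factor: str            # e.g. "PASSWORD" or "RSA_KEYPAIR"
    second_factor: str | None    # e.g. "DUO_PUSH"; None when no MFA was presented
    client_ip: str
    success: bool


@dataclass(frozen=True)
class Exposure:
    user: str
    seen: date                   # date the credential surfaced in an infostealer dump


def audit_logins(events: list[LoginEvent],
                 exposures: list[Exposure],
                 password_last_set: dict[str, date]) -> dict[str, list[str]]:
    """Return {user: sorted findings} for every user with at least one risky successful login.

    Findings:
      PASSWORD_ONLY                 password was the only factor on a successful login
      LEAKED_PASSWORD_NOT_ROTATED   credential leaked on/after the last password change
      LEAKED_PASSWORD_ROTATED       credential leaked, but the password was changed afterwards
    """
    latest_exposure: dict[str, date] = {}
    for ex in exposures:
        # keep only the most recent sighting per user
        if ex.user not in latest_exposure or ex.seen > latest_exposure[ex.user]:
            latest_exposure[ex.user] = ex.seen

    findings: dict[str, set[str]] = {}
    for ev in events:
        if not ev.success:
            continue                       # failed attempts are not successful access
        hits: set[str] = set()
        if ev.first_factor == "PASSWORD" and ev.second_factor is None:
            hits.add("PASSWORD_ONLY")
        if ev.user in latest_exposure:
            last_set = password_last_set.get(ev.user)
            # Unknown rotation date is treated as "never rotated" (conservative).
            if last_set is None or last_set <= latest_exposure[ev.user]:
                hits.add("LEAKED_PASSWORD_NOT_ROTATED")
            else:
                hits.add("LEAKED_PASSWORD_ROTATED")
        if hits:
            findings.setdefault(ev.user, set()).update(hits)
    return {user: sorted(hits) for user, hits in findings.items()}


# Constructed sample data (not taken from the article).
SAMPLE_EVENTS = [
    LoginEvent("svc_etl", "PASSWORD", None, "203.0.113.7", True),
    LoginEvent("svc_etl", "PASSWORD", None, "203.0.113.9", False),
    LoginEvent("analyst1", "PASSWORD", "DUO_PUSH", "198.51.100.4", True),
    LoginEvent("admin_acct", "RSA_KEYPAIR", None, "192.0.2.10", True),
]
SAMPLE_EXPOSURES = [
    Exposure("svc_etl", date(2020, 3, 14)),      # old dump, password never changed since
    Exposure("analyst1", date(2021, 6, 1)),      # dump predates a later password change
]
SAMPLE_PASSWORD_LAST_SET = {
    "svc_etl": date(2019, 11, 2),
    "analyst1": date(2023, 1, 15),
    "admin_acct": date(2024, 2, 1),
}

if __name__ == "__main__":
    for user, hits in audit_logins(SAMPLE_EVENTS, SAMPLE_EXPOSURES, SAMPLE_PASSWORD_LAST_SET).items():
        print(f"{user}: {', '.join(hits)}")
```

On the sample input the service account is flagged on both counts, which is the combination the campaign relied on: a password stolen long ago that still works and no second factor to stop it. The analyst appears only as rotated, which is informational, and the key-pair login produces no finding. The same logic runs unchanged over a real export once the records are mapped into LoginEvent and the exposure feed into Exposure.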
2 Comments
Serious: If true, this could have severe repercussions for data security in cloud services.
Question: How did they even pull that off without getting caught immediately?