Cloud Security Wake-Up Call: Why MFA Isn’t Enough


Cybercriminals are as innovative as they are brazen. As a leading Managed Service Provider, we’ve seen firsthand the evolution of cyber threats; the recent actions of the cybercriminal group UNC5537 underscore a critical lesson — relying solely on multifactor authentication (MFA) isn’t enough to protect your cloud data.

That might come as quite the shock; MFA is often considered the gold standard for credential protection… but it often isn’t enough.

In May alone, UNC5537 claimed over 560 million customer records from Ticketmaster and 30 million account records from Spain’s Santander Bank, posting the stolen data for sale on the BreachForums cybercrime forum. Both companies acknowledged the breaches, and in both cases the data had been held in a Snowflake cloud data warehouse. The culprit? Not a vulnerability in Snowflake’s platform, but stolen customer credentials, many of them harvested by infostealer malware, used against accounts that had no MFA enabled, as highlighted in Mandiant’s June 10 analysis:

“Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment,” Mandiant stated in its analysis. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”

So if MFA isn’t enough on its own, what are companies supposed to do?

Here are six best practices to help protect your company:

Beyond MFA: A Multi-Layered Approach

  1. Implementing Comprehensive MFA: While MFA is a foundational security measure, it’s not foolproof. According to a recent report, while a significant number of workers and administrators use MFA, gaps remain: over 60% of organizations have at least one root user or administrator without MFA enabled. In the UNC5537 campaign, the Snowflake accounts that were emptied had no MFA enabled at all. At Leverage Technologies, we advocate for consistent, enforced, 100% MFA adoption across all accounts, including service and break-glass accounts. Mandate and monitor MFA rigorously, and for critical systems move to phishing-resistant factors such as FIDO2 security keys or device-bound credentials, which a stolen password and a phished one-time code cannot bypass.
  2. Access Control Lists (ACLs): Securing cloud access requires more than MFA. Most cloud services let you restrict logins to an allow list of IP addresses or ranges (Snowflake calls these network policies). Limiting access to your corporate egress and VPN addresses makes a stolen credential useless from an attacker’s own infrastructure, and it turns every login attempt from an unexpected address into a signal worth investigating rather than background noise. Mandiant noted that none of the affected Snowflake accounts had such an allow list in place. Regularly review access logs to spot anomalies, test a new policy on a single user before applying it account-wide so you don’t lock yourself out, and if restrictions aren’t feasible (a fully remote workforce, third-party tools with changing addresses), diligent access reviews become even more crucial.
  3. Enhancing Visibility into Cloud Services: Visibility is key. Continuously monitor applications, log data, and access activity: who logged in, from where, with which factors, and what they queried or exported. If you don’t have the staff or resource capabilities to do that in house, consider partnering with an MSP to handle this for you (wink wink). Tools that aggregate these data sources into a single view make anomalies, such as a password-only login from a new country or a user suddenly exporting entire tables, far easier to spot and act on before a breach becomes a leak.
  4. Customizing Cloud Provider Settings: Relying on the default settings provided by cloud service providers is a big mistake. Providers often prioritize usability over security and leave hardening to the customer. For instance, Snowflake’s default settings do not require MFA and do not restrict which IP addresses can log in, so a compromised password alone is enough to get in. Review every security-relevant default (MFA enforcement, network restrictions, session lifetimes, credential rotation) and tighten it to what your business actually needs.
  5. Auditing Third-Party Providers: Your security posture is only as strong as your weakest link, which includes third-party providers. Even if you’re not directly using a service like Snowflake, your data may still sit in one through a vendor’s or partner’s integration. Regularly audit your service providers to ensure they adhere to stringent security practices, and ask them specifically whether MFA and network restrictions are enforced on the platforms that hold your data. As supply chains grow more complex, understanding where your data resides and ensuring its protection is paramount.
  6. Train. Your. People.: We’ve written about this over and over again, but the weakest link in almost every cybersecurity posture is your people. If they’re not trained adequately, it’s nearly impossible to protect your systems from motivated or talented hackers. In the UNC5537 campaign, many of the stolen credentials were harvested by infostealer malware on employee and contractor machines, including personal devices used for work, and some had been stolen years earlier and never rotated. Training that covers safe downloads, keeping work credentials off personal devices, and reporting a suspected infection quickly is the cheapest and most effective tool for preventing breaches, along with arming people with the resources required to maintain best practices.
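Here is what items 1, 2 and 4 look like in practice on a Snowflake account, with the checks from item 3 run against Snowflake’s own login history. This is an added example, not code from the original post or from Snowflake or Mandiant; the database and schema that hold the policies, the policy names, the placeholder user `svc_etl_loader`, the IP ranges (taken from the RFC 5737 documentation blocks) and the 30-day lookback are assumptions for illustration.

```sql
-- Added example (not from the original post): hardening a Snowflake account
-- against the pattern UNC5537 exploited, then checking the result.
-- Assumptions: you hold ACCOUNTADMIN; the database, schema, policy names,
-- user name, IP ranges and lookback window below are placeholders.
USE ROLE ACCOUNTADMIN;

-- Authentication policies are schema-level objects, so give them a home.
CREATE DATABASE IF NOT EXISTS security_admin;
CREATE SCHEMA IF NOT EXISTS security_admin.policies;
USE SCHEMA security_admin.policies;

-- Items 1 and 4: by default MFA is optional. This policy makes enrollment
-- mandatory for anyone who authenticates with a password, while still
-- allowing SSO (SAML/OAuth) and key-pair logins for service accounts.
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML', 'OAUTH', 'KEYPAIR')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  COMMENT = 'Password logins must enroll in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- Item 2: an IP allow list (a Snowflake "network policy"). Only the listed
-- corporate egress and VPN ranges may log in; everything else is refused
-- before a password is even checked. Snowflake rejects the ALTER ACCOUNT
-- if your current IP is not in the list, but still try one user first.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Corporate egress and VPN ranges only (placeholder values)';
ALTER USER svc_etl_loader SET NETWORK_POLICY = corp_only;  -- one user first
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;              -- then everyone

-- Item 3, check A: password-capable users who have still not enrolled in
-- MFA. Each row is an account that a stolen password alone would open.
SELECT name,
       has_password,
       ext_authn_duo       AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- Item 3, check B: successful password logins with no second factor over
-- the last 30 days, with source IP and client, so they can be compared
-- against the allow list and against what each user normally uses.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- Item 3, check C: users seen from many distinct addresses in the window.
-- A legitimate analyst rarely needs more than a handful; a credential being
-- replayed from attacker infrastructure often shows many.
SELECT user_name,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
GROUP BY user_name
HAVING COUNT(DISTINCT client_ip) > 5
ORDER BY distinct_ips DESC;
```

Two caveats a practitioner should keep in mind. The ACCOUNT_USAGE views are populated with a delay (LOGIN_HISTORY can lag by around two hours), so they are fine for a daily review but not for real-time alerting; forward the same events to your SIEM if you need to act within minutes. And if your organization already signs in through SSO, the stronger move is to drop 'PASSWORD' from AUTHENTICATION_METHODS for human users entirely, so there is no password for an infostealer to harvest in the first place.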

The breaches by UNC5537 serve as a stark reminder that cyber threats are ever-evolving. By adopting a multi-layered security approach, businesses can better protect their cloud data and stay ahead of cybercriminals. At Leverage Technologies, we’re committed to helping you navigate these challenges and fortify your security posture. We also know that a lot of this stuff is nowhere close to second nature for most companies that aren’t Fortune 500 large. We can help.