Ransomware, SaaS Supply Chains & the Token Time Bomb
From Ingram Micro to Snowflake to Salesloft Drift — ransomware’s new weapon is your vendor’s token.
☕ Good morning Security Gang — coffee cup cheers,
Saturdays are for pausing, grabbing perspective, and reading between the lines of the week’s chaos. This week’s theme couldn’t be sharper: ransomware isn’t about malware anymore. It’s about trust, tokens, and supply chains. And if you think that’s hype, let’s walk through how Drift, Snowflake, and recent ransomware campaigns all prove the point.
🚨 The Evolution of the Playbook
Ransomware Reimagined
Classic ransomware meant encrypting your hard drive and demanding Bitcoin. Today’s crews know encryption alone is too noisy and too reversible. Instead, they steal your data, post snippets online, and dangle the full leak over your head. As Kovrr pointed out in their Snowflake analysis, attackers now lean on regulatory leverage — threatening fines, lawsuits, and shareholder blowback to drive ransom negotiations.
Take LoanDepot and Henry Schein. Months after disclosure, they’re still wrestling with regulatory questions and financial underperformance. That’s the long tail of modern ransomware: operations restart, but trust and compliance drag on.
Vendors as the New Perimeter
Your SOC might be world-class, but if your vendor leaves the door open, you’re exposed. Farmers Insurance learned this when over 1.1 million customer records were compromised via a third-party integration. As IANS Research stressed after Snowflake, it’s not just your vendors you must worry about — it’s your vendors’ vendors, the “tier-2” risk.
Tokens as Crown Jewels
The shift is clear: OAuth tokens and stale credentials have become keys to the kingdom. Unlike passwords, tokens often don’t expire quickly, carry wide scopes, and bypass MFA entirely. That’s how Salesloft Drift (2025) turned into a cascading breach — tokens were stolen, Salesforce APIs were accessed, and buried secrets like AWS keys and Snowflake tokens became pivots into even deeper systems according to Unit 42.
📉 Case Study Snapshots
Salesloft–Drift (2025)
When UNC6395 stole Drift OAuth tokens, hundreds of Salesforce tenants suddenly became open books. Unit 42 documented not just mass exfiltration but anti-forensic moves — adversaries deleted their own queries to hide evidence. Cloudflare called it a “sophisticated supply chain attack targeting B2B integrations” after confirming Salesforce case data exposure. Even top security firms like Zscaler and Palo Alto Networks admitted customer details were touched, with Zscaler warning this highlights “the vulnerabilities inherent in interconnected ecosystems.”
Google’s threat intel team warned bluntly: any Drift integration, not just Salesforce, should be considered compromised. That’s a stunning indictment of SaaS sprawl.
Snowflake (2024)
This wasn’t a breach of Snowflake itself — it was a breach of customer posture. UNC5537 used infostealer-harvested creds (some dating back years) to log into customer tenants where MFA wasn’t enabled. The Cloud Security Alliance labeled it a “watershed moment,” proof that identity, not firewalls, is the modern perimeter.
Victim count? Estimates vary from 100 to 165+ customers, with Wired listing it among the worst hacks of 2024. Snowflake’s CEO went on record: the problem was customer security choices, not the platform itself. But here’s the rub: many organizations had no clue their downstream SaaS vendors were parking their data in Snowflake. Once again — supply chain, not endpoint.
Ransomware in the Supply Chain
Add in classic ransomware cases and the picture sharpens:
Ingram Micro — struck over July 4th weekend, operations frozen, global resellers stuck in limbo.
Farmers Insurance — customer data leaked via vendor.
LoanDepot & Henry Schein — proof that breach fatigue doesn’t fade for regulators or investors.
The evolution isn’t separate stories — it’s one trendline.
🔑 Practitioner Lessons
Identity > Endpoint
Snowflake shows how stolen creds can bypass every endpoint agent. CSA hammered this home: IAM must include MFA, SSO, and monitoring. If you’re still thinking in firewalls and endpoints, you’re blind to where attackers really are.
SaaS as Soft Underbelly
The Drift breach turned Salesforce into a credential farm. Secrets like AWS keys and VPN creds, stored casually in tickets, became the stepping stones for deeper compromise. SaaS isn’t an “app” anymore — it’s the bloodstream of your business.
Negotiation Pressure is Regulatory
Modern ransom notes reference the SEC, FTC, or EU’s NIS2. They weaponize compliance fines. As Kovrr observed, inconsistent Snowflake disclosures only amplified ransom leverage. Your adversaries now understand your boardroom pressures as well as you do.
The Blast Radius is Always Bigger
Farmers Insurance didn’t just lose customer trust; it became a case study for how one vendor’s weak IAM exposes millions. Drift didn’t just impact Salesforce tenants — it cascaded into AWS and Snowflake environments.
🛡 The CISO Playbook
Identity & Tokens:
Make phishing-resistant MFA non-negotiable — Snowflake proved what happens without it.
Inventory and allowlist OAuth apps; revoke Drift integrations now.
Assign human owners to all service accounts and rotate secrets frequently.
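Here is what the three Identity & Tokens items look like as a check you can run against an export of connected apps. This is an added example, not code from the newsletter or from any vendor: the app records are constructed, the scope names follow Salesforce’s OAuth scope vocabulary, and the allowlist, the “wide scope” set and the 90-day rotation limit are policy assumptions you would replace with your own.

```python
"""Score OAuth connected apps against an allowlist and a scope/ownership/rotation policy.

Added example (not from the newsletter or any vendor). The records below are constructed;
scope names follow Salesforce's OAuth vocabulary, but the policy values are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Assumed policy: approved integrations, scopes that grant broad or long-lived access,
# and the maximum age a token may reach before it must be rotated.
ALLOWLIST = {"ci-deploy-bot", "support-sync"}
WIDE_SCOPES = {"full", "api", "refresh_token", "web"}
MAX_TOKEN_AGE_DAYS = 90

# Fixed clock so the results are reproducible.
NOW = datetime(2025, 9, 6, tzinfo=timezone.utc)

# Constructed inventory, roughly what an admin export of connected apps might contain.
CONNECTED_APPS = [
    {"app": "support-sync", "scopes": ["api", "refresh_token"], "owner": "jane.doe",
     "issued_at": NOW - timedelta(days=20), "expires_at": NOW + timedelta(hours=1)},
    {"app": "drift-chat", "scopes": ["full", "refresh_token"], "owner": None,
     "issued_at": NOW - timedelta(days=400), "expires_at": None},
    {"app": "ci-deploy-bot", "scopes": ["api"], "owner": "platform-team",
     "issued_at": NOW - timedelta(days=10), "expires_at": NOW + timedelta(hours=2)},
    {"app": "legacy-report", "scopes": ["web", "api"], "owner": "svc-legacy",
     "issued_at": NOW - timedelta(days=120), "expires_at": NOW + timedelta(days=365)},
]


def assess_app(app: dict, now: datetime = NOW) -> list[str]:
    """Return the policy findings for one connected-app record (empty list means clean)."""
    findings: list[str] = []
    if app["app"] not in ALLOWLIST:
        findings.append("not on allowlist")
    wide = set(app["scopes"]) & WIDE_SCOPES
    if wide:
        findings.append("wide scopes: " + ",".join(sorted(wide)))
    if not app["owner"]:
        findings.append("no human owner")
    age_days = (now - app["issued_at"]).days
    if age_days > MAX_TOKEN_AGE_DAYS:
        findings.append(f"token age {age_days}d exceeds {MAX_TOKEN_AGE_DAYS}d")
    if app["expires_at"] is None:
        findings.append("token never expires")
    return findings


def revocation_candidates(apps: list[dict], now: datetime = NOW) -> dict[str, list[str]]:
    """Map app name -> findings for every app that should be revoked or re-scoped.

    An app is a candidate when it is off the allowlist, or when it holds wide scopes
    together with a hygiene failure (no owner, stale token, or a token that never expires).
    """
    result: dict[str, list[str]] = {}
    for app in apps:
        findings = assess_app(app, now)
        off_list = "not on allowlist" in findings
        wide = any(f.startswith("wide scopes") for f in findings)
        hygiene = ("no human owner" in findings or "token never expires" in findings
                   or any(f.startswith("token age") for f in findings))
        if off_list or (wide and hygiene):
            result[app["app"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in revocation_candidates(CONNECTED_APPS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run as-is, it reports drift-chat (off the allowlist, full scope, no owner, 400 days old, never expires) and legacy-report (off the allowlist, 120 days old); support-sync and ci-deploy-bot hold wide scopes too, but they are allowlisted, owned, fresh and expiring, which is the point of the “wide scope plus hygiene failure” rule: broad scope alone is a review item, broad scope with no owner or no expiry is a revocation.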
Data & SaaS Hygiene:
Purge secrets from CRM and ticket fields — use a vault.
Monitor SaaS logs for bulk exports, SOQL queries, or deleted jobs — exactly the tactics UNC6395 used.
Set quotas and throttles for mass SaaS exports.
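To make the “monitor SaaS logs” item concrete, here is detection logic for the three patterns named above (bulk exports, large queries against sensitive objects, and deleted jobs) run over sample log lines. This is an added example, not code from the newsletter, Unit 42 or Salesforce: the log format is a constructed one-JSON-object-per-line layout, and the field names, object names, row threshold, job-burst count and time windows are assumptions chosen for illustration rather than any vendor’s real schema.

```python
"""Flag bulk-export, mass-query and job-deletion patterns in SaaS API event logs.

Added example (not from the newsletter, Unit 42 or Salesforce). The log lines are
constructed; field names, object names and thresholds are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection policy.
BULK_ROWS_PER_QUERY = 10_000          # one query returning this many rows counts as bulk
BULK_JOBS_PER_WINDOW = 3              # this many bulk jobs per principal inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=30)
DELETE_WINDOW = timedelta(hours=1)    # a job deleted this soon after creation looks like cleanup
SENSITIVE_OBJECTS = {"Case", "Contact", "Account"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-08-08T09:00:05Z","principal":"app:drift-chat","event":"query","object":"Case","rows":25000,"job_id":"j1"}
{"ts":"2025-08-08T09:03:11Z","principal":"app:drift-chat","event":"bulk_job_create","object":"Contact","rows":0,"job_id":"j2"}
{"ts":"2025-08-08T09:05:40Z","principal":"app:drift-chat","event":"bulk_job_create","object":"Account","rows":0,"job_id":"j3"}
{"ts":"2025-08-08T09:07:02Z","principal":"app:drift-chat","event":"bulk_job_create","object":"Opportunity","rows":0,"job_id":"j4"}
{"ts":"2025-08-08T09:20:19Z","principal":"app:drift-chat","event":"bulk_job_delete","object":"Contact","rows":0,"job_id":"j2"}
{"ts":"2025-08-08T10:15:00Z","principal":"user:jane.doe","event":"query","object":"Case","rows":40,"job_id":"j5"}
{"ts":"2025-08-08T11:00:00Z","principal":"app:support-sync","event":"bulk_job_create","object":"Case","rows":0,"job_id":"j6"}
{"ts":"2025-08-08T13:00:00Z","principal":"app:support-sync","event":"bulk_job_create","object":"Case","rows":0,"job_id":"j7"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse the line-delimited JSON log into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per rule hit; each carries the rule name and the principal."""
    alerts: list[dict] = []

    # Rule 1: a single query pulling a bulk number of rows from a sensitive object.
    for ev in events:
        if (ev["event"] == "query" and ev["object"] in SENSITIVE_OBJECTS
                and ev["rows"] >= BULK_ROWS_PER_QUERY):
            alerts.append({"rule": "bulk_sensitive_query",
                           "principal": ev["principal"], "job_id": ev["job_id"]})

    # Rule 2: a burst of bulk jobs by one principal inside a sliding window.
    created: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev["event"] == "bulk_job_create":
            created[ev["principal"]].append(ev["ts"])
    for principal, times in created.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if count >= BULK_JOBS_PER_WINDOW:
                alerts.append({"rule": "bulk_job_burst",
                               "principal": principal, "count": count})
                break  # one alert per principal is enough

    # Rule 3: a bulk job deleted shortly after it was created (possible evidence cleanup).
    created_at = {ev["job_id"]: ev["ts"] for ev in events if ev["event"] == "bulk_job_create"}
    for ev in events:
        if ev["event"] == "bulk_job_delete" and ev["job_id"] in created_at:
            if ev["ts"] - created_at[ev["job_id"]] <= DELETE_WINDOW:
                alerts.append({"rule": "job_deleted_soon_after_create",
                               "principal": ev["principal"], "job_id": ev["job_id"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data every hit lands on app:drift-chat: one 25,000-row Case query, three bulk jobs created within four minutes, and job j2 deleted seventeen minutes after creation. The jane.doe query (40 rows) and support-sync’s two bulk jobs two hours apart stay quiet, which is the behaviour you want from rules that key on volume and timing rather than on the mere presence of an integration.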
Response & Governance:
Run a Friday 4:30pm tabletop simulating OAuth/token abuse.
Pre-approve leak-site comms with PR and counsel.
Mandate in vendor contracts that they enforce MFA, retain evidence, and meet breach notification SLAs.
☕ James Azar’s CISO Take
We’re not losing to zero-days. We’re losing to outsourced trust. We connected SaaS platforms like Lego blocks, handed out tokens like candy, and hoped vendors were as disciplined as we are. They’re not.
As I’ve said before: identity is the new perimeter, tokens are the new endpoints, and vendors define your blast radius. If you’re not tracking OAuth scopes like admin credentials, you’re already breached — you just don’t know it yet.
The winners won’t be those with the most tools; they’ll be the ones who engineer for blast-radius reduction. Limit token scope. Hunt SaaS logs. Drill vendor compromise scenarios. Don’t just defend your perimeter — defend your supply chain of trust.
📌 Action Items for the Week Ahead
Revoke/rotate all Drift OAuth tokens.
Run Mandiant’s Snowflake hunting queries on your tenants.
Assign owners and rotation cycles for all service accounts.
Purge credentials from CRM/ticket fields.
Run a vendor compromise tabletop before next Friday.
Update contracts to mandate MFA + shared liability.