Snowflake: Customer Accounts Targeted in ‘Identity-Based Attacks’

Cloud data platform company Snowflake is urging its customers to implement multi-factor authentication (MFA) after observing a “targeted threat campaign against some Snowflake customer accounts.” The company, in a joint statement with Mandiant and CrowdStrike on Sunday, said that the attack did not stem from a breach of its platform, but instead leveraged compromised credentials for customer accounts that did not have MFA enabled.

The company released the statement after reports emerged of several companies discovering unauthorized access on databases hosted by Snowflake. In a Friday SEC filing, Live Nation Entertainment disclosed that it had discovered “unauthorized activity within a third-party cloud database environment” on May 20, which contained data from its subsidiary Ticketmaster. Meanwhile, earlier in May, Santander said that it became aware of unauthorized access to a database hosted by “a third-party provider,” with threat actors obtaining information related to customers of Santander Chile, Spain and Uruguay, as well as all current, and some former, employees.

Ticketmaster has reportedly confirmed that its stolen database was hosted on Snowflake, while Santander has not responded to a request for comment. Snowflake in its Sunday statement said that it is “investigating an increase in cyber threat activity targeting some of our customers’ accounts,” but stressed that the activity has not been caused by a vulnerability, misconfiguration or breach of its platform, or caused by compromised credentials of current or former Snowflake employees. Instead, the company said that identity-based attacks are being “directed at users with single-factor authentication.”

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” according to Brad Jones, CISO at Snowflake, in a Sunday statement. “Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.”

Snowflake said that it did find evidence that threat actors were able to obtain personal credentials for a former Snowflake employee, and they used those credentials to access that employee’s demo account. The demo account, which did not have MFA enabled, did not contain sensitive data and was not connected to Snowflake’s production or corporate systems, according to Snowflake.

In addition to enforcing MFA on all accounts, Snowflake is also urging customers to set up network policy rules, which restrict logins by source IP address, so that only traffic from trusted locations is allowed. Impacted organizations should reset and rotate their Snowflake credentials, said Jones.
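The three steps above (restrict source networks, rotate credentials, then look back for logins that would not have passed those controls), written out as Snowflake SQL. This is an added example, not code from the article or from Snowflake's statement; the policy name CORP_EGRESS_ONLY, the CIDR ranges, the user ANALYST_SVC and the truncated public key are placeholders.

```sql
-- Added example (not Snowflake's own code). All object names and IP ranges are placeholders.

-- 1. Restrict where logins may originate. Lists are IPv4 CIDRs; the policy does
--    nothing until it is attached to the account or to individual users.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.17')   -- placeholder VPN / cloud NAT egress
  COMMENT = 'Only corporate VPN and cloud workload NAT egress may reach this account';

-- Account-level attachment covers every user without a user-level policy.
-- Run this from a session whose own source IP is in the allowed list, or you lock yourself out.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Service identities can carry their own, tighter policy; a user-level policy overrides the account one.
ALTER USER analyst_svc SET NETWORK_POLICY = corp_egress_only;

-- 2. Rotate credentials for affected users. RESET PASSWORD invalidates the current
--    password immediately and returns a one-time URL for the user to set a new one.
ALTER USER analyst_svc RESET PASSWORD;

-- Key-pair users: install the new key in the second slot, then drop the old one,
-- so clients can be switched over without an outage.
ALTER USER analyst_svc SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqh...';  -- placeholder, truncated
ALTER USER analyst_svc UNSET RSA_PUBLIC_KEY;

-- 3. Hunt: successful logins in the last 90 days that used only a single factor
--    and did not come from the ranges the policy now allows. ACCOUNT_USAGE views
--    lag live activity by up to a couple of hours, so use a generous look-back.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  second_authentication_factor IS NULL
  AND  NOT (client_ip LIKE '203.0.113.%' OR client_ip = '198.51.100.17')
ORDER BY event_timestamp DESC;
```

The prefix match on `client_ip` is a deliberate shortcut for a /24; for arbitrary CIDRs, compare against a lookup table of allowed ranges instead. Treat any row returned by the hunt as a login that the new policy would have blocked, and check the user and the `reported_client_type` against what that identity is expected to use.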

Alex Delamotte, senior threat researcher with SentinelLabs, said “there is a lot of conflicting information about this incident that suggests the default security configuration of Snowflake customer instances may not always be sufficient, though this does not indicate a breach of Snowflake itself.”

“The advice from Snowflake on mitigating this attack is telling: the recommendations are to enable MFA and restrict network policies,” said Delamotte. “These are basic security hygiene steps. It’s likely that the attackers behind these incidents discovered that many Snowflake customers were not following best practices, which explains the sudden uptick in such attacks.”

Snowflake on its website said that it supports MFA for users connecting to its platform, and that MFA support is provided as an integrated Snowflake feature. However, MFA is enabled on a per-user basis; users are not automatically enrolled in MFA and instead must enroll themselves, according to Snowflake. Snowflake “strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA” at a minimum, according to its website. That leaves MFA as a risk management decision for each customer, said Toby Lewis, global head of threat analysis at Darktrace.
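Because enrollment is per user and opt-in, an administrator cannot turn MFA on for someone else, but can at least find out who holds ACCOUNTADMIN without it. The query below is an added example, not Snowflake's own documentation code; it joins the ACCOUNT_USAGE views for role grants and users, using the `EXT_AUTHN_DUO` column as the enrollment flag.

```sql
-- Added example (not from Snowflake's documentation).
-- Active users holding ACCOUNTADMIN who have not enrolled in MFA.
SELECT u.name,
       u.ext_authn_duo        AS mfa_enrolled,
       u.last_success_login,
       g.role                 AS granted_role
FROM   snowflake.account_usage.grants_to_users g
JOIN   snowflake.account_usage.users u
       ON u.name = g.grantee_name
WHERE  g.role = 'ACCOUNTADMIN'
  AND  g.deleted_on IS NULL                      -- grant still in force
  AND  u.deleted_on IS NULL                      -- user still exists
  AND  u.disabled::boolean = FALSE               -- user can still log in
  AND  COALESCE(u.ext_authn_duo, FALSE) = FALSE  -- no MFA enrollment recorded
ORDER BY u.last_success_login DESC NULLS LAST;

-- Real-time variant for all users, without the ACCOUNT_USAGE lag:
-- SHOW USERS, then filter its result set. Output column names are lower-case and must be quoted.
SHOW USERS;
SELECT "name", "ext_authn_duo", "last_success_login", "disabled"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "ext_authn_duo" = FALSE
  AND  "disabled" = 'false';
```

Rows from the first query are the gap Snowflake's recommendation is about: privileged identities protected by a password alone. Until each listed user enrolls, a per-user network policy on those accounts is the compensating control the same statement recommends.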

“Under the shared responsibility model, cloud service providers (CSPs) typically view certain practices such as MFA as the responsibility of the end-user, however, we are seeing increasing industry push-back on this type of thinking,” said Lewis.
