Snowflake Involvement in Recent Data Breaches
Recent breaches at Santander and Ticketmaster have been linked to compromised accounts at Snowflake, a major cloud storage provider. A threat actor has claimed responsibility, stating they accessed data through an employee’s account. However, Snowflake contests this, attributing the breaches to poorly secured customer accounts rather than vulnerabilities in their platform.
Details of the Snowflake Breaches
The cybersecurity firm Hudson Rock reported that the threat actor bypassed Okta’s secure authentication by using stolen credentials to sign into a Snowflake employee’s ServiceNow account. This allowed them to generate session tokens and exfiltrate data from Snowflake customers. The threat actor boasted about accessing data from other high-profile companies, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.
“To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted,” Hudson Rock stated. They provided evidence of access to over 2,000 customer instances on Snowflake’s Europe servers.
The Extortion Attempt
The threat actor claims they attempted to blackmail Snowflake, demanding $20 million for the stolen data. Snowflake did not respond to these extortion attempts. Hudson Rock revealed that the data breach involved a Snowflake employee infected by Lumma-type Infostealer malware in October, which stole corporate credentials used to access Snowflake’s infrastructure.
Assistance and Investigations
Mandiant Consulting has been assisting Snowflake customers compromised in these breaches. According to Mandiant’s CTO Charles Carmakal, the threat actors likely used credentials stolen by information-stealing malware to gain access to victims’ Snowflake accounts. Carmakal emphasized the importance of implementing multi-factor authentication (MFA) and IP-based restrictions to protect SaaS solutions from mass exploitation.
While Snowflake did not confirm Hudson Rock’s report, they acknowledged that customer accounts had been compromised. The company stated that the breaches did not result from any vulnerability or misconfiguration in Snowflake’s products. Snowflake’s CISO Brad Jones confirmed that unauthorized access to certain customer accounts was detected on May 23, 2024, and that increased threat activity was observed beginning mid-April 2024.
Security Measures and Recommendations
Snowflake has notified all affected customers, urging them to secure their accounts by enabling MFA. The company also published a security bulletin with Indicators of Compromise (IoCs), investigative queries, and advice on securing accounts. One of the IoCs indicated that the threat actors created a custom tool named ‘RapeFlake’ to exfiltrate data from Snowflake’s databases. Another showed the use of DBeaver Ultimate data management tools for connecting to databases, with logs indicating client connections from the ‘DBeaver_DBeaverUltimate’ user agent.
Implications for Cloud Data Security
The breaches involving Snowflake highlight significant security challenges within the cloud data storage industry. The incident underscores the critical importance of securing employee credentials and implementing robust security measures such as MFA. Companies relying on cloud services must remain vigilant and proactive in safeguarding their data against sophisticated cyber threats.
The recent breaches at Santander and Ticketmaster, linked to compromised Snowflake accounts, reveal vulnerabilities in cloud data security. Despite Snowflake’s robust security infrastructure, the misuse of employee credentials and the lack of MFA among customers played a significant role in these incidents. As cloud services continue to be integral to business operations, the emphasis on securing accounts and data becomes paramount. Enhanced security protocols, vigilant monitoring, and comprehensive threat response strategies are essential to mitigate risks and protect sensitive information.
More News: Tech News
