The Article Tells The Story of:
- Hackers used stolen credentials to breach Snowflake accounts, affecting 400+ companies.
- A $20M extortion attempt followed, linked to malware.
- Lack of MFA and poor account security enabled the breach.
- Snowflake urged MFA adoption and issued security guidelines.
A Look into the Snowflake Data Breaches
Recent data breaches at Santander and Ticketmaster have brought Snowflake, a cloud storage provider, into the spotlight. Hackers claimed they accessed data through an employee’s compromised account. However, Snowflake denied internal vulnerabilities, attributing the issue to poorly secured customer accounts.
Cybersecurity firm Hudson Rock revealed that a threat actor bypassed Okta’s authentication system. Using stolen credentials, the attacker accessed a Snowflake employee’s ServiceNow account, generating session tokens to extract data. This breach reportedly impacted hundreds of companies, with the threat actor boasting access to data from organizations like Anheuser-Busch, State Farm, Mitsubishi, and more.
Hudson Rock emphasized, “One stolen credential caused potential exposure for 400 companies storing data with Snowflake.” Evidence showed access to over 2,000 customer instances on Snowflake’s Europe servers.
Extortion and Investigation Efforts
The hacker attempted to blackmail Snowflake, demanding $20 million. Snowflake ignored these threats. Investigations later revealed that the breach stemmed from malware, specifically Lumma Infostealer, which compromised corporate credentials in October.
Mandiant Consulting stepped in to support affected customers. According to Mandiant’s CTO, attackers likely used stolen credentials from malware to infiltrate Snowflake accounts. He stressed the need for multi-factor authentication (MFA) and IP-based restrictions to prevent mass exploitation.
Snowflake’s CISO, Brad Jones, confirmed unauthorized account access was detected on May 23, 2024. Increased threat activity had been observed since mid-April.
Mitigating Cloud Security Risks
Snowflake responded by notifying affected customers and recommending urgent security measures, including MFA activation. The company released a bulletin featuring Indicators of Compromise (IoCs) and tools for account protection.
One notable IoC revealed that hackers created a custom tool named ‘RapeFlake’ for data extraction. Another IoC highlighted the use of DBeaver Ultimate, a data management tool, to connect and retrieve database information.
While Snowflake denied vulnerabilities in their platform, the breaches underscore broader challenges in securing cloud data. Misuse of credentials and lack of MFA played pivotal roles in these incidents.
Key Takeaways for Cloud Security
The Snowflake breaches are a stark reminder of the growing need for robust account protection. Businesses must implement strong security protocols, including:
- Enabling MFA on all accounts.
- Monitoring accounts for unusual activity.
- Restricting access through IP-based controls.
As cloud services remain critical to business operations, safeguarding sensitive information from sophisticated cyber threats is more important than ever.
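As an added illustration (not code from the article, from Snowflake's bulletin, or from any of the firms named above), the following Snowflake SQL puts the three takeaways into practice and hunts for the access pattern the IoCs describe: password-only logins from a third-party database client such as DBeaver. Policy and object names and the CIDR ranges are placeholders, and the account-level authentication and network policy features are assumed to be available in the reader's Snowflake edition.

```sql
-- Added example: hardening and detection for the weaknesses discussed above.
-- Names and IP ranges are illustrative placeholders; adjust to your account.

-- 1. Require MFA enrollment for every user via an account-level authentication policy.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2. Restrict logins to known corporate egress ranges (placeholder CIDRs).
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 3. Monitor for unusual activity: successful logins in the last 30 days that
--    presented no second factor and came from a client application outside the
--    clients your organisation expects. A DBeaver session authenticated with
--    only a password is exactly the pattern the IoCs above point to.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       s.client_application_id,
       s.client_application_version,
       l.first_authentication_factor,
       l.second_authentication_factor
FROM snowflake.account_usage.login_history AS l
JOIN snowflake.account_usage.sessions      AS s
  ON s.login_event_id = l.event_id
WHERE l.is_success = 'YES'
  AND l.event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND l.second_authentication_factor IS NULL
  AND (s.client_application_id ILIKE '%DBeaver%'
       -- allowlist of expected clients; extend for your environment
       OR NOT (s.client_application_id ILIKE 'Snowflake UI%'
            OR s.client_application_id ILIKE 'SnowSQL%'))
ORDER BY l.event_timestamp DESC;
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so treat the query as a periodic hunt rather than real-time alerting.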