Customers under identity-based cyberattack spree unmasked as snowflakes
In a series of recent attacks, over 160 companies have had their Snowflake customer databases compromised. The breaches, which have been ongoing since mid-April, were facilitated by inadequate identity and access controls, specifically the lack of multi-factor authentication (MFA).
According to Snowflake's Chief Information Security Officer (CISO), Brad Jones, the activities are not caused by a vulnerability, misconfiguration, or breach of Snowflake's platform. Instead, the threat actors have exploited weak identity controls, such as poor credential hygiene, misconfigured permissions, and inadequate token management.
The attacks have been extensively documented by CrowdStrike, Mandiant, and threat detection and incident response firm Mitiga. These companies are assisting with the ongoing investigation.
The repercussions of these breaches continue, with stolen data resurfacing and being leaked further well beyond the initial intrusion. Persistent credential reuse and insufficient handling of access tokens have been highlighted as root causes allowing long-term exposure of sensitive data within Snowflake environments.
To mitigate these threats, organizations are advised to strengthen their identity and access management (IAM), implement strict token hygiene, adopt least privilege access models, conduct regular audits and monitoring, and enhance incident response preparedness. Additionally, securing APIs that connect to cloud services and user training against social engineering are crucial steps to further reduce attack surfaces.
The Australian Signals Directorate has issued a high-alert advisory about increased cyberthreat activity relating to Snowflake customer environments. Impacted organizations should reset and rotate Snowflake credentials, and Snowflake has provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake customer accounts.
Attackers have directly extorted organizations and further pressured victims by publicly posting stolen data for sale on the dark web. The threat activity originated from commercial VPN IP addresses, and the demo account used by the attackers was not protected with Okta single sign-on or multifactor authentication.
Snowflake's investigation found that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. The company has advised organizations to immediately enforce MFA on all accounts and set up network policy rules to ensure authorized use and traffic from trusted locations.
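What the two account-level controls above look like in practice, as an added Snowflake SQL example (not Snowflake's published guidance or the article's own material): a network policy limiting traffic to trusted locations, account-wide MFA enrollment, and two ACCOUNT_USAGE queries that surface users still without MFA and recent password-only logins from outside the allowlist. The policy names, the IP ranges and the 30-day window are placeholder assumptions to be replaced with the organisation's own values.

```sql
-- 1. Restrict traffic to trusted locations. The ranges below are placeholders
--    (documentation ranges); substitute the organisation's real egress addresses.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('198.51.100.0/24', '203.0.113.10')
  COMMENT = 'Only corporate egress may reach the account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Require MFA enrollment for every user at the account level.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Audit: active, password-enabled users who still have no MFA enrolled.
--    Service accounts that authenticate with key pairs should be moved off
--    passwords rather than exempted here.
SELECT name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Hunt: successful password-only logins in the last 30 days from addresses
--    outside the allowlist, which is the access pattern this campaign relied on.
--    ACCOUNT_USAGE views lag live activity by up to a couple of hours.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND NOT (client_ip LIKE '198.51.100.%' OR client_ip = '203.0.113.10')
ORDER BY event_timestamp DESC;
```

Run the audit queries as ACCOUNTADMIN (or a role granted the SNOWFLAKE database) before enabling the network policy, so that any legitimate but unlisted source such as a SaaS connector is added to the allowlist rather than locked out.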
As SaaS applications become more prevalent, identity management has become the primary target for attackers. Organizations must recognize identity as the "soft underbelly" in the new cybersecurity landscape and implement comprehensive IAM controls as a foundation of defense.
- The recent attacks on Snowflake customer databases were not caused by a vulnerability in Snowflake's platform, but rather by the exploitation of weak identity controls, such as poor credential hygiene and inadequate token management.
- The ongoing breaches have exposed sensitive data within Snowflake environments, with persistent credential reuse and insufficient handling of access tokens being identified as root causes.
- Organizations have been advised to strengthen their identity and access management, implement strict token hygiene, adopt least privilege access models, conduct regular audits and monitoring, and enhance incident response preparedness to mitigate these threats.
- The Australian Signals Directorate has issued a high-alert advisory about increased cyberthreat activity relating to Snowflake customer environments, and Snowflake has provided indicators of compromise for companies to investigate potential threat activity within their accounts.