Security news that informs and inspires

Snowflake: Customer Accounts Targeted in ‘Identity-Based Attacks’


Cloud-based data storage company Snowflake is urging its customers to implement multi-factor authentication (MFA) after observing a “targeted threat campaign against some Snowflake customer accounts.” The company, in a joint statement with Mandiant and CrowdStrike on Sunday, said that the attack did not stem from a breach of its platform, but instead leveraged compromised credentials for accounts that did not have MFA enabled.

The company released the statement after reports emerged of several companies discovering unauthorized access on databases hosted by Snowflake. In a Friday SEC filing, Live Nation Entertainment disclosed that it had discovered “unauthorized activity within a third-party cloud database environment” on May 20, which contained data from its subsidiary Ticketmaster. Meanwhile, earlier in May, Santander said that it became aware of unauthorized access to a database hosted by “a third-party provider,” with threat actors obtaining information related to customers of Santander Chile, Spain and Uruguay, as well as all current, and some former, employees.

Ticketmaster has reportedly confirmed that its stolen database was hosted on Snowflake, while a Santander spokesperson said it has no further comment "given ongoing investigation." Snowflake in its Sunday statement said that it is “investigating an increase in cyber threat activity targeting some of our customers’ accounts,” but stressed that the activity has not been caused by a vulnerability, misconfiguration or breach of its platform, or caused by compromised credentials of current or former Snowflake employees. Instead, the company said that identity-based attacks are being "directed at users with single-factor authentication.”

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” according to Brad Jones, CISO at Snowflake, in a Sunday statement. “Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.”

The statement also comes after a threat actor called Shiny Hunters claimed that it was selling data for both Santander and Ticketmaster. In a now-deleted post by Israeli cybercrime intelligence company Hudson Rock, meanwhile, the threat actor claimed that they accessed this data after a hack of Snowflake’s cloud storage services. Snowflake disputed this claim in its joint statement with Mandiant and Crowdstrike, saying the breaches did not stem from its products.

Snowflake said that it did find evidence that threat actors were able to obtain personal credentials for a former Snowflake employee, and they used those credentials to access that employee’s demo account. The demo account, which did not have MFA enabled, did not contain sensitive data and was not connected to Snowflake’s production or corporate systems, according to Snowflake.

In addition to enforcing MFA on all accounts, Snowflake is also urging customers to set up Network Policy Rules so that they only allow authorized users or traffic from trusted locations. Impacted organizations should reset and rotate their Snowflake credentials, said Jones. On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a security advisory on the incident, calling it an "increase in cyber threat activity targeting customer accounts" and encouraging Snowflake users to hunt for any malicious activity and report their findings to the agency.

Alex Delamotte, senior threat researcher with SentintelLabs, said “there is a lot of conflicting information about this incident that suggests the default security configuration of Snowflake customer instances may not always be sufficient, though this does not indicate a breach of Snowflake itself.”

“The advice from Snowflake on mitigating this attack is telling: the recommendations are to enable MFA and restrict network policies,” said Delamotte. “These are basic security hygiene steps. It’s likely that the attackers behind these incidents discovered that many Snowflake customers were not following best practices, which explains the sudden uptick in such attacks.”

Snowflake on its website said that it supports MFA for users connecting to its platform, and that MFA support is provided as an integrated Snowflake feature. However, MFA is enabled on a per-user basis; users are not automatically enrolled in MFA and instead must enroll themselves, according to Snowflake. Snowflake “strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA” at a minimum, according to its website. With the shared responsibility model, cloud service providers view certain practices - including MFA - as the responsibility of the end user, so that it’s a risk management decision that is up to end users to decide, said Toby Lewis, global head of threat analysis at Darktrace.

“Under the shared responsibility model, cloud service providers (CSPs) typically view certain practices such as MFA as the responsibility of the end-user, however, we are seeing increasing industry push-back on this type of thinking,” said Lewis.

This article was updated June 4 to reflect Santander's response to a request for comment and to add information about CISA's security alert.