Customers targeted in a wave of identity-based cyber assaults labeled as Snowflake incidents

Major businesses could be at risk following targeted attacks on customer accounts hosted on Snowflake's platform, according to cyber security experts and authorities.

Identity-based cyber assaults target vulnerable clients, causing chaos and distress

Customer accounts on Snowflake, the cloud data warehousing platform, have been the subject of targeted attacks. Researchers at Mitiga described the activity in a blog post on Friday, highlighting ongoing cyber threat activity aimed at Snowflake customer environments [1].

The Australian Signals Directorate issued a high-priority advisory about these developments. A series of attacks has been targeting Snowflake's enterprise customers, and impacted organisations have been advised to reset and rotate their Snowflake credentials [3].

Snowflake's Chief Information Security Officer (CISO), Brad Jones, has confirmed that there is no evidence suggesting the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform [2]. Instead, it appears that threat actors opportunistically search for corporate credentials stolen by infostealing malware and use them to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion [1].

One such instance involved a threat actor accessing demo accounts belonging to a former Snowflake employee. However, these accounts did not contain sensitive data [2].

To secure Snowflake accounts, Snowflake recommends several essential steps. First and foremost, enforce Multi-Factor Authentication (MFA) for every user, so that a password alone is not enough to log in [1]. This blunts attacks that rely on stolen or phished credentials, which is exactly how the current campaign gains access.

Second, apply the Principle of Least Privilege by continuously auditing and restricting user permissions so access aligns strictly with job functions [2]. This mitigates risks from excessive privileges.

Third, use Snowflake's Role-Based Access Control (RBAC) and attach masking policies and row access policies to sensitive columns and tables [1][3]. Grants determine which objects a role can reach; the policies then control what a role sees inside those objects, at column and row granularity.

Fourth, plan phased migrations when changing authentication methods, for example when moving users to MFA, SSO or key-pair authentication: pilot the change on a subset of users before applying it account-wide, so that service accounts and integrations are not locked out and issues surface early [2].

Lastly, educate teams on security best practices, enhancing awareness of safe login habits, phishing prevention, and secure handling of authentication tokens or keys [2].
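As an added, worked example (not code from this page or from Snowflake's alert), the following Snowflake SQL carries the steps above through on a hypothetical account: an authentication policy that requires MFA, first piloted on one user and then applied account-wide (the phased rollout of step four), a narrowly scoped read-only role, a masking policy and a row access policy on a customer table, and a query over ACCOUNT_USAGE that audits who holds ACCOUNTADMIN. All object names (security_db, analytics_wh, sales.public.customers, the roles analyst_ro and PII_READER, the user alice) are assumptions. The statements follow Snowflake's documented CREATE AUTHENTICATION POLICY, CREATE MASKING POLICY and CREATE ROW ACCESS POLICY forms; authentication policies are a newer feature than the other controls, so check the current documentation for your edition before relying on them.

```sql
-- Added example on a hypothetical account; object names are assumptions.
-- Run as ACCOUNTADMIN (or a role granted the privileges each statement needs).

-- Step 1, MFA: an authentication policy that forces enrolment for password logins.
--    Policies are schema-level objects, so create a home for them first.
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA   IF NOT EXISTS security_db.policies;

CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED                  -- users must enrol at their next login
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')  -- password logins always need a second factor
  COMMENT = 'Require MFA for password-based logins';

-- Step 4, phased rollout: pilot on one user, watch LOGIN_HISTORY for lockouts,
--    then apply the same policy to the whole account.
ALTER USER alice SET AUTHENTICATION POLICY security_db.policies.require_mfa;
-- ... after the pilot period:
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa;

-- Steps 2 and 3, least privilege through RBAC: a read-only analyst role
--    with exactly the grants the job needs and nothing else.
CREATE ROLE IF NOT EXISTS analyst_ro;
GRANT USAGE  ON WAREHOUSE analytics_wh                TO ROLE analyst_ro;
GRANT USAGE  ON DATABASE  sales                       TO ROLE analyst_ro;
GRANT USAGE  ON SCHEMA    sales.public                TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES    IN SCHEMA sales.public  TO ROLE analyst_ro;
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales.public  TO ROLE analyst_ro;
GRANT ROLE analyst_ro TO USER alice;
ALTER USER alice SET DEFAULT_ROLE = analyst_ro;

-- Step 3, column-level control: mask e-mail addresses unless the session role
--    is allowed to see PII (PII_READER is assumed to exist already).
CREATE MASKING POLICY IF NOT EXISTS security_db.policies.email_mask
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    ELSE REGEXP_REPLACE(val, '^.*@', '*****@')
  END;
ALTER TABLE sales.public.customers
  MODIFY COLUMN email SET MASKING POLICY security_db.policies.email_mask;

-- Step 3, row-level control: the analyst role sees only its own region's rows.
--    CURRENT_ROLE() returns the unquoted role name upper-cased, hence 'ANALYST_RO'.
CREATE ROW ACCESS POLICY IF NOT EXISTS security_db.policies.region_rap
  AS (region STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() IN ('PII_READER')
  OR (CURRENT_ROLE() = 'ANALYST_RO' AND region = 'US');
ALTER TABLE sales.public.customers
  ADD ROW ACCESS POLICY security_db.policies.region_rap ON (region);

-- Step 2, audit: who currently holds ACCOUNTADMIN? Anything beyond a couple of
--    break-glass users is excess privilege and should be revoked.
SELECT grantee_name, granted_by, created_on
FROM   SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE  role = 'ACCOUNTADMIN'
  AND  deleted_on IS NULL
ORDER BY created_on;
```

The order matters in practice: apply the MFA policy to a pilot user and confirm that user can still log in from every client in use before the ALTER ACCOUNT step, because a policy that blocks a service account's driver locks out the pipeline that depends on it.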

Snowflake's Cloud Services Layer handles authentication and access control centrally, and backs these controls with encryption of data in transit and at rest and monitoring for unauthorized activity [1]. Together, these measures give customers the means to defend against the credential-replay attacks now being seen; none of them helps, however, unless they are actually switched on.

CrowdStrike and Mandiant are assisting in the investigation of these attacks, and Snowflake has published indicators of compromise and recommended actions that customers can use to look for threat activity within their own Snowflake accounts [3]. Snowflake also shared a link to the community forum post about the attack on the social platform X [3].
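The advice to investigate accounts and then reset and rotate credentials, given above and in the ASD advisory, amounts to a small hunting and containment runbook. The following Snowflake SQL is an added example of that runbook, not Snowflake's published indicators of compromise or the page's own material: it looks in the ACCOUNT_USAGE views for successful password-only logins, users whose logins fan out across many source IPs or unusual client tools, and bulk data movement by a suspect user, then disables and rotates that user's credentials. The user name bob, the 30-day window and the numeric thresholds are assumptions; the view and column names (LOGIN_HISTORY, QUERY_HISTORY, first_authentication_factor, second_authentication_factor, reported_client_type, rows_produced) are Snowflake's documented ones.

```sql
-- Added example on a hypothetical account; user names and thresholds are assumptions.
-- Needs a role with IMPORTED PRIVILEGES on the SNOWFLAKE database (ACCOUNTADMIN has them).
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours; for the last
-- 7 days in near real time use the INFORMATION_SCHEMA.LOGIN_HISTORY() table function.

-- 1. Successful password-only logins (no second factor) in the last 30 days.
--    In a campaign built on infostealer credentials, every such row is a candidate replay.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version,
       first_authentication_factor, second_authentication_factor
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 2. Users whose successful logins spread across many source IPs, per client tool.
--    Compare the IPs against known office/VPN ranges and the tools against what your teams use.
SELECT user_name, reported_client_type,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
GROUP BY user_name, reported_client_type
HAVING COUNT(DISTINCT client_ip) > 5          -- threshold is an assumption; tune per account
ORDER BY distinct_ips DESC;

-- 3. Bulk data movement by a user under suspicion: unloads to stages and large result sets.
SELECT start_time, user_name, role_name, query_type,
       rows_produced, bytes_scanned, LEFT(query_text, 120) AS query_snippet
FROM   SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE  start_time >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  user_name = 'BOB'                      -- hypothetical suspect user
  AND  (query_type = 'UNLOAD'
        OR query_text ILIKE 'COPY INTO%'
        OR rows_produced > 1000000)           -- threshold is an assumption
ORDER BY rows_produced DESC NULLS LAST;

-- 4. Containment and credential rotation once the compromise is confirmed.
ALTER USER bob SET DISABLED = TRUE;              -- stop new logins immediately
ALTER USER bob ABORT ALL QUERIES;                -- kill anything still running
ALTER USER bob UNSET RSA_PUBLIC_KEY;             -- revoke key-pair authentication if configured
ALTER USER bob SET MUST_CHANGE_PASSWORD = TRUE;  -- force a new password when re-enabled
-- Re-enable only after the password has been rotated out of band and MFA is enforced:
-- ALTER USER bob SET DISABLED = FALSE;
```

Rotating the Snowflake password alone is not enough: the original credential came from an infostealer on an endpoint, so the same machine may hold session cookies, key files and passwords for other services, and the endpoint itself has to be treated as compromised.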

In conclusion, the recent targeted attacks on Snowflake customer accounts underscore the importance of strong identity verification and minimal access rights in addressing emerging cloud security threats [1][2][3]. By enforcing MFA, applying the Principle of Least Privilege, using RBAC with masking and row access policies, rolling out authentication changes in phases, and educating teams on security best practices, organizations can significantly reduce their risk of falling victim to similar attacks.

[1] Snowflake. Snowflake Security Best Practices. https://docs.snowflake.com/en/user-guide/security-best-practices.html

[2] Snowflake. Snowflake Security Overview. https://docs.snowflake.com/en/user-guide/security-overview.html

[3] Snowflake. (2024). Snowflake Security Alert: Protecting Against Targeted Attacks. https://community.snowflake.com/s/article/Snowflake-Security-Alert-Protecting-Against-Targeted-Attacks?language=en_US

[4] Snowflake. (2024). Post on X linking to the security alert in [3].

  1. The recent threat activity against Snowflake customer environments has created a need for incident response, particularly with regard to infostealer malware, ransomware and data theft.
  2. Snowflake recommends enforcing Multi-Factor Authentication (MFA) and applying the Principle of Least Privilege, to reduce the risk from stolen or phished credentials and to keep access rights minimal.
  3. To protect data warehouses from targeted attacks, it is essential to use Role-Based Access Control (RBAC) together with masking and row access policies, to roll out authentication changes in phases, and to educate teams on security best practices.
  4. With Snowflake's cloud data warehousing platform facing targeted attacks, strong identity verification and minimal access rights are central to any effective response to emerging cloud security threats.
