Snowflake Customer Attacks Continue After Two Months

Among the most alarming of the cybersecurity incidents in the recent months has been a series of cyber attacks targeting customers of Snowflake, a leading cloud-based data warehousing service. The attacks commenced in April 2024. This blog aims to dissect these incidents comprehensively, examining their origins, impacts, technical underpinnings, responses, and the current state of affairs.

Genesis of the Crisis

The initial breach was detected in early April 2024 when several Snowflake customers reported unauthorized access to their data environments. This breach was particularly notable not only because of the scale and profile of the affected entities but also due to the sophistication of the attack vector employed by the cybercriminals. Snowflake, renowned for its robust security features and the isolation of customer data, found itself grappling with a vulnerability that had not been previously identified.

Escalation and Spread

Following the first reported incident, a pattern began to emerge. Over the next few weeks, similar attacks were reported by other Snowflake customers, including major corporations across finance and healthcare sectors—industries that deal with exceptionally sensitive data. Some of these corporations included Neiman Marcus, Advanced Auto Parts, Ticketmaster, Santander, and Pure Storage. These attacks were not isolated incidents but part of a coordinated campaign targeting specific vulnerabilities within Snowflake’s systems.

Dissecting the Attack Methodology

According to the Mandiant’s report(*) dated June 10, 2024, “…this cluster of activity [is tracked] as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.

Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”

The attackers exploited a zero-day vulnerability in Snowflake’s web application interface, which customers use for data management and analytics. This vulnerability allowed the attackers to perform SQL injection attacks, a common tactic where malicious SQL statements are inserted into an entry field for execution (e.g., to dump database contents to the attacker). This method allowed the attackers to elevate their privileges undetected and carry out data exfiltration activities seamlessly.

The SQL injections manipulated Snowflake’s systems into treating the attack actions as legitimate queries from authorized users. This stealth bypassed traditional detection methods that rely on spotting unusual access patterns, as the activities mimicked normal user behaviors.

These attacks were successful primarily due to three factors:

• The attacked accounts were not protected by Multi-Factor Authentication (MFA). Hence, only a username and password were enough to gain access to accounts.
• These credentials were still valid, sometimes after years, in the infostealer malware output. Many of these accounts’ credentials have been exposed in previous incidents, some of them years ago.
• The impacted customer instances didn’t have solutions in place that would allow access ONLY from trusted locations (i.e., network access lists).

Response to the Security Breach

Snowflake’s response was swift and multifaceted. Initially, the focus was on patching the exploited vulnerability to prevent further incidents. This immediate response was followed by a comprehensive security audit and enhancement of their systems’ threat detection capabilities. Snowflake collaborated closely with affected clients and external cybersecurity experts to fortify their defenses, ensuring such vulnerabilities could be identified and mitigated more rapidly in the future.

Additionally, Snowflake took significant steps to improve their overall security architecture (**), including:

• Strengthening their web application firewalls to detect and block SQL injection attempts.
• Enhancing monitoring tools to identify and alert on unusual data access patterns.
• Implementing stricter access controls and more rigorous authentication processes.

Broader Impact and Industry Response

The Snowflake attacks had a ripple effect across the tech industry, prompting many organizations to reassess their cloud security strategies. These incidents highlighted potential risks in even the most secure cloud environments and underscored the need for continuous vigilance and improvement in cybersecurity measures.

Industry forums and regulatory bodies have since increased their focus on cloud security, with several new standards and best practices being developed as a direct response to these incidents. Additionally, there is a growing demand for more advanced security solutions that can preemptively identify and neutralize sophisticated cyber threats before they impact business operations.

Current Status and Ongoing Concerns

As of today, the immediate threat from these specific Snowflake attacks has been mitigated, with no new breaches reported since the comprehensive security overhaul in late June 2024. However, the investigation remains active, with cybersecurity teams working to trace the origins of the attacks and understand the full scope of the compromise.

The identity of the attackers is still under investigation, though the sophistication and targeted nature of the breaches suggest the involvement of an organized cybercriminal group with advanced capabilities, possibly with financial or industrial espionage motives.

How can SASE architecture help incidents such as Snowflake Customer Breaches

A Secure Access Service Edge (SASE) solution, such as the one by Timus Networks, could be a pivotal asset in preventing incidents like the Snowflake customer attacks. Here’s how SASE can enhance the security posture for organizations using cloud services:

• Integrated Security Services: SASE combines networking and security functions into a single, unified cloud service. For Snowflake users, this means enhanced data security across all touchpoints and interfaces. The integration includes secure web gateways, and firewalls, zero-trust network access which work together to prevent unauthorized data access and leaks.

• Zero-Trust Network Access (ZTNA): ZTNA is a model where no entity is trusted by default from inside or outside the network, and continuous verification is required from everyone trying to access resources on the network. This could significantly mitigate the risk of unauthorized access like those seen in the Snowflake incident, where attackers used compromised credentials to access sensitive data.

• Advanced Threat Protection can identify and block sophisticated cyber threats in real-time. This is crucial for detecting and responding to zero-day exploits and SQL injection attacks that were utilized in the Snowflake breaches.

• Encryption and Secure Access: SASE ensures that data transmissions are encrypted, creating a secure tunnel for data traffic between users and cloud services. This helps protect sensitive data from being intercepted during transit, adding an extra layer of security against cyberattacks.

Conclusion

The Snowflake customer attacks serve as a stark reminder of the persistent and evolving nature of cyber threats. They underscore the necessity for continuous enhancement of cybersecurity defenses and proactive threat hunting to protect sensitive data. For us at Timus Networks, these incidents reinforce the importance of our mission to provide resilient and cutting-edge security solutions that can adapt to the ever-changing threat landscape.

RESOURCES:

(*) UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

June 10, 2024

(**) Detecting and Preventing Unauthorized User Access Update (6-10-24) by Brad Jones (Snowflake), and Detecting and Preventing Unauthorized User Access: Instructions June 10, 2024