A group of 100 Snowflake customers has been aggressively targeted, with their data stolen for the purpose of blackmail.
In a recent turn of events, Snowflake, the cloud-based data warehouse company, has been hit by a series of identity-based attacks, according to cybersecurity firm Mandiant. The attacks, which started as early as April 2024, have reportedly resulted in a significant volume of stolen data from more than 100 Snowflake customers [1].
The threat actor, UNC5537, has been using stolen credentials to access Snowflake customer tenants. The common factors among impacted customer accounts include a lack of multifactor authentication (MFA), valid credentials obtained via infostealer malware, and the absence of network policy rules to limit access [1].
Mandiant Consulting CTO Charles Carmakal provided these details in a prepared statement on Monday. However, the exact number of impacted customers has not been independently confirmed by Snowflake.
Snowflake CISO Brad Jones announced a plan to require customers to implement advanced security controls such as MFA or network policies in a Friday update on Snowflake's community forum. The details of the plan are scant, including what exactly will be required of Snowflake customers and whether MFA will be turned on by default across its platform [1].
The attacks primarily used stolen credentials obtained from multiple infostealer malware infections on systems not owned by Snowflake. Some of the stolen credentials date back to November 2020 [1]. Approximately 165 potentially exposed customers have been notified by Snowflake and Mandiant.
The attacks were first disclosed by Snowflake on May 30. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation. It's important to note that the attacks were not caused by a breach of Snowflake's systems, according to Mandiant.
In response to such identity-based cloud attacks, standard recommended security controls typically include enforcing strong authentication mechanisms such as MFA, implementing least privilege access controls and regular permission audits, rotating and protecting credentials, monitoring and alerting on anomalous access or behavior patterns, and applying identity and access management (IAM) best practices and security frameworks [1].
These controls align with common cloud security best practices, which emphasize secure authentication, encryption, and adopting frameworks for protecting cloud infrastructure. Snowflake did not respond to a request for additional information on its security improvement plan.
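As an added illustration (not part of the original article or Snowflake's own guidance), the Snowflake SQL below configures the two controls the report says were missing from affected tenants, a network policy and an MFA inventory, and adds a hunt over login history for password-only sign-ins. It assumes a role that can run ALTER ACCOUNT and read the SNOWFLAKE shared database; the policy name and IP range are placeholders.

```sql
-- Added example, not from the article. Placeholders: corp_egress_only, 203.0.113.0/24.
-- Requires a role such as ACCOUNTADMIN (ALTER ACCOUNT + SNOWFLAKE database access).

-- 1. Network policy: only allow connections from the corporate egress range.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- placeholder: replace with real egress CIDRs
  COMMENT = 'Restrict tenant access to corporate egress addresses';

-- Apply account-wide. Verify the current session's IP is inside the allowed
-- list first, otherwise the session that applies the policy is locked out.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. Inventory: active, password-enabled users with no Duo MFA enrolled.
--    These are the accounts a stolen infostealer credential would unlock.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Hunt: successful password-only logins (no second factor) over the last
--    30 days, grouped by source IP so unfamiliar networks stand out.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;
```

ACCOUNT_USAGE views are populated with a delay of up to a few hours, so the hunt query is suited to periodic review rather than real-time alerting.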
The update from Mandiant comes as pressure mounts on Snowflake and its customers. As the investigation continues, it's crucial for Snowflake customers to prioritize their security measures and implement the recommended controls to protect their data.
[1] Source: Mandiant Threat Intelligence report on UNC5537 and the Snowflake customer intrusions; coverage by various news outlets.
- The malware used by the threat actor, UNC5537, to steal Snowflake customers' credentials is identified as infostealer malware.
- In response to the ongoing identity-based attacks on Snowflake, cybersecurity firms Mandiant and CrowdStrike are offering assistance in the investigation.
- The incident response team at Snowflake has announced a plan requiring customers to implement advanced security controls like multifactor authentication (MFA) and network policies to enhance their cybersecurity protections.
- General news and crime-and-justice outlets are reporting on the weakness in Snowflake customers' cloud data environments that the threat actor exploited, how the compromised data was obtained, and the security measures recommended for Snowflake customers.
- The threat intelligence community warns that similar identity-based attacks could target other cloud-based data warehouses unless stringent data security and strong authentication mechanisms like MFA are implemented.