Intensifying pressure faced by Snowflake and its clients as assaults multiply

Unauthorized access to numerous databases of Snowflake's business clients may cause widespread disruptions.

In the tech world, Snowflake's Data Cloud Summit kicked off in San Francisco on Monday, but the company remained silent about a series of identity-based attacks targeting its customers that were first disclosed last Friday. These attacks, linked to a spree of similar intrusions, have reportedly affected at least four major companies, exploiting compromised credentials and sophisticated phishing techniques.

Snowflake has responded by implementing Multi-Factor Authentication (MFA) for all admin accounts, a move that came after the breaches occurred. Cybersecurity experts, however, have criticized this move as an afterthought. The attacks bypassed traditional security controls, using infostealer malware and account takeover methods.

To prevent future attacks, Snowflake and cybersecurity experts recommend the widespread use of MFA beyond just admins, enhanced detection and response mechanisms, vigilance against identity-based attack techniques, and the adoption of identity security best practices. These measures aim to protect identities, which are the primary entry point for breaches, and to monitor for privilege escalation, insider threats, password sprays, and phishing attempts.

Snowflake, under its shared responsibility model, urges customers to enforce MFA with their users. The company supports MFA via the Duo Security service and strongly recommends that all users enable MFA, particularly those with account administrator privileges. Snowflake is also suspending certain user accounts where there are strong indicators of malicious activity and incrementally blocking IP addresses associated with the cyber threat.

As the investigation continues with assistance from CrowdStrike and Mandiant, Snowflake is informing customers it considers impacted and communicating with them about how to best protect themselves, including enabling MFA and implementing network access policies. The exact number of customers impacted remains undisclosed, but Snowflake previously described it as a "limited number of Snowflake customers."
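As an added illustration (not from the article, and not Snowflake's or Mandiant's own guidance), the following Snowflake SQL shows the kind of checks a customer can run against the ACCOUNT_USAGE views to act on the recommendations above: enumerate users without Duo MFA, list successful single-factor logins, flag password-spray patterns in failed logins, and attach an account-level network policy. The view and column names are assumed from the ACCOUNT_USAGE schema; the IP range is a constructed placeholder.

```sql
-- 1. Active users not enrolled in Duo MFA (assumed column: EXT_AUTHN_DUO).
SELECT name, last_success_login, default_role
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 7 days that completed with a single factor
--    (no second factor recorded), grouped by user, source IP and client.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       COUNT(*) AS single_factor_logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY single_factor_logins DESC;

-- 3. Password-spray indicator: one source IP failing against many distinct
--    users within a short window. Thresholds are constructed for illustration.
SELECT client_ip,
       COUNT(DISTINCT user_name) AS distinct_users_failed,
       COUNT(*)                  AS failed_attempts,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
  AND is_success = 'NO'
GROUP BY client_ip
HAVING COUNT(DISTINCT user_name) >= 10
ORDER BY distinct_users_failed DESC;

-- 4. Restrict logins to known egress ranges with an account-level network
--    policy. 203.0.113.0/24 is a placeholder documentation range; replace it
--    with the organisation's real corporate or VPN egress CIDRs.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only allow Snowflake logins from approved corporate egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so query 2 and 3 suit scheduled review rather than real-time alerting; confirm the allow-list contains your own current address before applying the policy, or you lock yourself out.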

Mandiant Consulting CTO Charles Carmakal stated that a threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware. Direct links between the victims and Snowflake's data warehouse environments, however, remain unconfirmed.

Snowflake has not finalized any plans for MFA enablement at this time. The company updated its initial disclosure on Sunday, emphasizing the need for customers to take proactive measures to secure their identities and data. The incident serves as a reminder for all organizations to prioritize identity protection and proactive threat detection to stop attackers at the identity level before data exfiltration occurs.

  1. Despite implementing Multi-Factor Authentication (MFA) for admin accounts following the identity-based attacks, Snowflake was criticized by cybersecurity experts, who called the move an afterthought.
  2. The cybersecurity experts also recommended the widespread use of MFA beyond just admins, enhanced detection and response mechanisms, and the adoption of identity security best practices.
  3. Snowflake urges its customers to enforce MFA with their users under its shared responsibility model, particularly those with account administrator privileges.
  4. Mandiant Consulting CTO Charles Carmakal suggested that the threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware, despite direct links between the victims and Snowflake's data warehouse environments remaining unconfirmed.