Customers facing identity breaches in a series of targeted identity-based assaults

Companies facing potential breaches due to targeted assaults on Snowflake user systems, according to cyber experts and investigators.

Customers facing an onslaught of identity-based cyberattacks in a series tied to Snowflake

The Australian Signals Directorate has issued a high-alert advisory regarding increased cyberthreat activity targeting Snowflake customer environments. The company has not disclosed the number of customers affected, but has informed those believed to be impacted.

Investigations into these attacks are being assisted by cybersecurity firms CrowdStrike and Mandiant. According to the current understanding, this campaign appears to be a targeted attack on users with single-factor authentication.

Vulnerabilities in Identity and Access Controls

The compromises of Snowflake customer databases are largely due to inadequate identity and access controls. Common causes include excessive permissions granted to users, insufficient application of the principle of least privilege, lack of regular access audits, and poor management of authentication methods and credentials.

To address these risks, Snowflake recommends implementing Role-Based Access Control (RBAC) with narrowly defined roles and permissions, enforcing multi-factor authentication, applying the least privilege principle systematically, performing dependency mapping and phased rollouts, and limiting data sharing to read-only and tenant-specific scopes.

Excessive Permissions and Privilege Creep

Users or service accounts often receive more privileges than necessary over time. This can be mitigated by starting with the principle of least privilege — granting only the permissions users need to perform their roles — and regularly auditing and adjusting permissions to prevent privilege creep.

Inadequate Authentication Practices

Relying on deprecated or weak authentication methods, such as password-only authentication, contributes to breaches. Upgrading to strong authentication mechanisms (e.g., key-pair authentication, multi-factor authentication) and educating teams on safe login practices reduce the risk of credential-based compromise.

Insufficient Role and Permission Management

Lack of structured roles and permission assignments can lead to data exposure. Snowflake supports SQL-based permission grants on warehouses, databases, schemas, and tables with roles that can be tightly scoped, which should be leveraged to create proper segregation of duties.
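The following Snowflake SQL is an added example, not code from the article or from Snowflake's own documentation, showing how the tightly scoped grants described above look in practice: a single read-only role that can reach exactly one schema through the required chain of USAGE grants, assigned to a named user rather than a shared login. The warehouse, database, schema, role and user names are assumed placeholders.

```sql
-- Added example (placeholder object names): a narrowly scoped read-only role.
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS analyst_ro
  COMMENT = 'Read-only access to SALES_DB.REPORTING only';

-- Least privilege: a role can only touch an object if it also holds USAGE on
-- every container above it, so grant exactly that chain and nothing wider.
GRANT USAGE  ON WAREHOUSE reporting_wh           TO ROLE analyst_ro;
GRANT USAGE  ON DATABASE  sales_db               TO ROLE analyst_ro;
GRANT USAGE  ON SCHEMA    sales_db.reporting     TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES    IN SCHEMA sales_db.reporting TO ROLE analyst_ro;
-- Cover tables created later without re-running grants (and without
-- tempting anyone to hand out a broad database-wide grant instead).
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales_db.reporting TO ROLE analyst_ro;

-- Attach the role to the SYSADMIN hierarchy so ownership stays auditable.
GRANT ROLE analyst_ro TO ROLE sysadmin;

-- Segregation of duties: the pipeline that loads the schema gets a separate
-- role with write access and no grant to the analyst role (or vice versa).
CREATE ROLE IF NOT EXISTS reporting_loader
  COMMENT = 'Writes SALES_DB.REPORTING; used only by the ETL service account';
GRANT USAGE ON WAREHOUSE reporting_wh       TO ROLE reporting_loader;
GRANT USAGE ON DATABASE  sales_db           TO ROLE reporting_loader;
GRANT USAGE ON SCHEMA    sales_db.reporting TO ROLE reporting_loader;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES    IN SCHEMA sales_db.reporting TO ROLE reporting_loader;
GRANT INSERT, UPDATE, DELETE ON FUTURE TABLES IN SCHEMA sales_db.reporting TO ROLE reporting_loader;

-- Assign to a named person, and make the narrow role the default so sessions
-- do not silently start under a wider inherited role.
GRANT ROLE analyst_ro TO USER jdoe;
ALTER USER jdoe SET DEFAULT_ROLE = analyst_ro;

-- Access audit, the check to repeat on a schedule:
SHOW GRANTS TO ROLE analyst_ro;   -- what can this role reach?
SHOW GRANTS OF ROLE analyst_ro;   -- who holds it?
```

The two SHOW GRANTS statements are the part worth automating: comparing their output against the intended role definition is how privilege creep gets caught before an access review, not after.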

Poor Visibility and Lack of Monitoring

Not mapping all users, pipelines, and integrations that access Snowflake can result in overlooked attack vectors. The recommended approach includes mapping dependencies, deploying changes in phases, and monitoring access continuously to detect anomalies early.
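As an added example, not part of the article, here are three audit queries over Snowflake's ACCOUNT_USAGE views that turn the "map every identity and monitor continuously" recommendation into something that can be scheduled. They assume a role that has been granted IMPORTED PRIVILEGES on the SNOWFLAKE database, and the 30-day window is an assumption; the view column names are Snowflake's own, and these views lag live activity by up to a couple of hours.

```sql
-- Added example: audit queries against SNOWFLAKE.ACCOUNT_USAGE (not from the article).

-- 1. Ground truth for the dependency map: every identity and client type that
--    actually reached the account in the last 30 days. Anything here that is
--    missing from the map is an unknown pipeline or integration.
SELECT user_name,
       reported_client_type,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
GROUP BY 1, 2
ORDER BY 1, 3 DESC;

-- 2. Successful password-only logins (no second factor), with their source IP,
--    so single-factor accounts and unfamiliar source addresses surface together.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 3. Active users that still hold a password but have neither MFA enrolment
--    nor a key pair: the population a single-factor campaign is aimed at.
--    DISABLED is cast explicitly because the view stores it as a VARIANT.
SELECT name,
       has_password,
       ext_authn_duo,
       has_rsa_public_key,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;
```

Query 2 is the one to feed into a SIEM or a Snowflake task on a fixed cadence: a new source IP for an existing user, or a burst of password-only logins from a single address across many users, is the anomaly the text says should be caught early.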

Use of Shared or Overly Broad Access

Sharing databases or data without properly setting access controls risks unauthorized data exposure. It is recommended to limit shared database access and tenant scoping to protect data.

Recent Attacks on Snowflake Demo Accounts

A series of attacks has been targeting Snowflake's enterprise customers. In one instance, a demo account was not protected with Okta single sign-on or multifactor authentication. Researchers at Mitiga found that the threat activity originated from commercial VPN IP addresses, and attackers are extorting organizations and selling stolen data on the dark web.

Snowflake's investigation found that a threat actor accessed demo accounts belonging to a former employee, but the account did not contain sensitive data. Any SaaS solution that is configured without multifactor authentication is susceptible to being mass exploited by threat actors.

Impacted organizations should reset and rotate Snowflake credentials. Snowflake has provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake customer accounts.

Snowflake advises organizations to immediately enforce multifactor authentication on all accounts and set up network policy rules to ensure authorized use and traffic from trusted locations.
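The statements below are an added example and are not from the article or from Snowflake's advisory; they show one way to apply the rotation and hardening steps just described in Snowflake SQL. The IP ranges (RFC 5737 documentation addresses), policy names, user names and key material are placeholders; the authentication-policy object is the account-level mechanism for requiring MFA enrolment, and older accounts that have not adopted it rely on per-user Duo enrolment instead.

```sql
-- Added example (placeholder names and addresses): rotate exposed credentials,
-- then restrict where and how logins can happen.
USE ROLE ACCOUNTADMIN;

-- 1. Containment and rotation for a human account believed to be exposed:
--    block new logins, cut running work, set a temporary password that must be
--    changed on first use, then re-enable.
ALTER USER jdoe SET DISABLED = TRUE;
ALTER USER jdoe ABORT ALL QUERIES;
ALTER USER jdoe SET PASSWORD = '<random-temporary-value>' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER jdoe SET DISABLED = FALSE;

-- 2. Service accounts should not hold a password at all: move them to key-pair
--    authentication so an infostealer-harvested password is worthless.
ALTER USER etl_svc SET RSA_PUBLIC_KEY = '<public-key-body-without-PEM-headers>';  -- placeholder
ALTER USER etl_svc UNSET PASSWORD;

-- 3. Network policy: only traffic from known corporate egress or VPN ranges
--    may reach the account. Check the LOGIN_HISTORY source IPs first; Snowflake
--    refuses to apply an account-level policy that would exclude your own
--    current session, but a too-narrow list still breaks legitimate pipelines.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Corporate egress and VPN ranges only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- Pipelines that run from a fixed address can get their own tighter policy.
CREATE NETWORK POLICY IF NOT EXISTS etl_only
  ALLOWED_IP_LIST = ('198.51.100.10');
ALTER USER etl_svc SET NETWORK_POLICY = etl_only;

-- 4. Require MFA for every password login, across UI, drivers and SnowSQL.
--    Key-pair logins are not covered by MFA_AUTHENTICATION_METHODS = ('PASSWORD'),
--    which is why step 2 moved service accounts off passwords first.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Enforce MFA enrolment for all password-based logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 5. Verify the account-level settings actually took effect.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW AUTHENTICATION POLICIES;
SHOW NETWORK POLICIES;
```

The ordering matters: rotating passwords before the network and authentication policies are in place leaves a window in which a freshly stolen credential still works from anywhere, so the policies should land in the same change as the rotation, with a phased rollout only for the policy scope (which users and client types), not for the rotation itself.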

Threat actors are using stolen corporate credentials to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion. The intrusions were largely due to Snowflake databases being configured without requiring multi-factor authentication. Snowflake became aware of potentially unauthorized access to certain customer accounts on May 23, and threat activity has been observed going back to mid-April.

Snowflake's CISO Brad Jones stated that there is no evidence suggesting the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform. Mandiant Consulting CTO Charles Carmakal stated that a threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware.

In light of these developments, it is crucial for organizations to prioritize the implementation of strong identity and access controls to protect their Snowflake customer environments.

  1. The high-alert advisory from the Australian Signals Directorate highlights a campaign of targeted attacks on Snowflake customer environments that exploits weaknesses in identity and access controls.
  2. These vulnerabilities often stem from excessive permissions granted to users, insufficient application of the principle of least privilege, lack of regular access audits, poor management of authentication methods and credentials, and inadequate role and permission management within Snowflake's systems.
  3. To remedy these risks, Snowflake recommends implementing Role-Based Access Control (RBAC) with narrowly defined roles and permissions, enforcing multi-factor authentication, applying the least privilege principle systematically, and limiting data sharing to read-only and tenant-specific scopes.
  4. After the recent attacks on Snowflake, it is essential for organizations to prioritize the implementation of strong identity and access controls to protect their Snowflake customer environments and prevent the deployment of ransomware, data theft, and multifaceted extortion.