2024-06-11
Mandiant Reports on Snowflake Customer Data Theft Investigation
In a June 10 blog post, Mandiant writes that it has “identified a threat campaign targeting Snowflake customer database instances … using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.” Mandiant says that it and Snowflake have notified at least 165 customers that their data may have been compromised. Snowflake says it is developing a plan to require MFA and other “advanced security controls.”
Editor's Note
Apple yesterday released its plan for future AI integration into its products. As part of this announcement, Apple also released an article about how it will address the privacy challenges around off-device computing. I hope strong security and privacy assertions will become the norm going forward, but, on the other hand, I am well aware that these decisions are often not made by engineers and the lowest bidder/first to market will prevail. Snowflake got to its position right now not because it is the most secure provider of AI compute services. Allowing users to quickly set up accounts with weak passwords probably helped them gain market share.
Johannes Ullrich
With our ever-increasing reliance on third-party vendors and cloud service providers we need to be more aware that this introduces a different set of risks. Customers of these services need to ensure that the security features provided by third parties meet their security and compliance requirements, but they also need to ensure they utilise the security features and functions available from those third parties. As with all outsourcing arrangements, you can outsource the function and/or business process but you cannot outsource the responsibility.
Brian Honan
We deal with a lot of these conversations in the Cloud Penetration Testing course because it has become increasingly apparent that the “shared responsibility model” defines infrastructure incidents well but has no bearing on shared security responsibility. In this case, if you didn’t protect your customers’ data, it’s on you, but the service provider is mostly in the news.
Moses Frost
Don't be lulled into a false sense of security that Snowflake is the only environment where compromised, reusable credentials are being targeted. Verify that you're enabling and enforcing MFA for your outsourced and cloud services, regardless of the service provider's requirements. Then the harder task: requiring MFA for your services. The good news is that with the IDP you had to deploy for cloud authentication, you can leverage that on your services. Start with low-hanging fruit, then move to more challenging use cases.
Lee Neely
After more than thirty years, strong authentication can hardly be described as "advanced." It is both essential and effective.
William Hugh Murray
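The campaign described above succeeds against accounts that accept a password alone. As an added example (not code from Mandiant, Snowflake or any of the contributors above), the Snowflake SQL below first hunts for the sessions a stolen credential would produce, successful password-only logins with no second factor, then lists users who can still log in that way, and finally applies a network policy so that a leaked password is useless from outside approved egress addresses. Column and view names are the documented ones in SNOWFLAKE.ACCOUNT_USAGE; the policy name and the 203.0.113.0/24 range are constructed placeholders to be replaced with your own.

```sql
-- 1. Detection: successful logins in the last 30 days that used a password
--    and no second factor. Every row is a session an infostealer-harvested
--    credential could have opened. Sorting by distinct source IPs per user
--    surfaces accounts suddenly used from places they never were before.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY user_name, last_seen DESC;

-- 2. Exposure: live users that still carry a password and have never
--    enrolled in Duo MFA. These are the accounts the first query will keep
--    reporting until they are moved to MFA, key-pair or SSO authentication.
SELECT
    name,
    disabled,
    has_password,
    ext_authn_duo,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Prevention: a network policy bound to the whole account. With this in
--    place a valid but stolen password is rejected unless the login comes
--    from an allowed range. 203.0.113.0/24 is a constructed placeholder;
--    substitute your corporate egress addresses before applying.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Run the two SELECTs as a role with access to the ACCOUNT_USAGE share (ACCOUNTADMIN or one granted the SNOWFLAKE database's IMPORTED PRIVILEGES) and expect up to a few hours of latency in those views. Apply the network policy from a session that is itself inside the allowed range, since ALTER ACCOUNT takes effect on new logins immediately; a policy that locks out the administrator who set it is the classic failure here.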
Read more in
Snowflake: Detecting and Preventing Unauthorized User Access
Google: UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Security Week: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections
Help Net Security: The number of known Snowflake customer data breaches is rising
Cyberscoop: As many as 165 companies ‘potentially exposed’ in Snowflake-related attacks, Mandiant says
Ars Technica: Hackers steal “significant volume” of data from hundreds of Snowflake customers
The Register: Snowflake customers not using MFA are not unique – over 165 of them have been compromised