Intensifying Scrutiny Faces Snowflake and Its Clientele as Assaults Escalate

Multiple Snowflake customer databases breached, potentially affecting numerous businesses.


A series of recent cyberattacks has hit Snowflake customers in what appears to be a targeted campaign against users with single-factor authentication (SFA). While the investigation is ongoing, no direct link between the breaches and the use of SFA has been publicly confirmed.

However, industry analyses strongly suggest that the lack of multi-factor authentication (MFA) or weak login protections has contributed significantly to enabling these identity-based intrusions.

The June 2024 Snowflake data breach, which affected major companies like AT&T and Ticketmaster, emphasizes the necessity of MFA and strong access controls. Relying on SFA increases vulnerability to credential theft and account takeover.

Security experts and corporate advisories urge cloud service providers and customers to enable MFA on all accounts to reduce such risks. The attackers in these incidents gained access using identity-based techniques like stolen credentials, which are typically more easily leveraged if only SFA is in place.

While Snowflake supports MFA via the Duo Security service, it does not enforce MFA by default and does not require its customers to use it, according to user documentation. Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA with their users.

Snowflake is communicating with its customers about how to best protect themselves, including enabling MFA and network access policies. The company is also incrementally blocking IP addresses associated with the cyber threat and suspending certain user accounts where there are strong indicators of malicious activity.

However, the exact number of customers impacted remains undisclosed, with Snowflake previously describing it as a "limited number of Snowflake customers." More major businesses are likely impacted by attacks targeting Snowflake customer environments.

At its Data Cloud Summit, which kicked off in San Francisco on Monday, Snowflake did not address or publicly comment on the identity-based attacks targeting its customers. The company has not revealed any plans for MFA enablement, stating only that it is considering all options.

Snowflake strongly recommends that all users enable MFA, particularly those with account administrator privileges. Enabling MFA is considered a critical recommended mitigation to reduce similar incidents going forward. The direct links between the victims and Snowflake's data warehouse environments remain unconfirmed.

Investigations are ongoing, with assistance from cybersecurity firms CrowdStrike and Mandiant. Mandiant Consulting CTO Charles Carmakal stated that a threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware.

As the investigation continues, it is clear that the importance of MFA in securing cloud environments cannot be overstated. Snowflake and its customers must take proactive measures to ensure the safety and security of their data.

  1. The lack of multi-factor authentication (MFA) in Snowflake's system, as seen in the user documentation, might have contributed to the identity-based intrusions experienced by some customers.
  2. Snowflake's report of the June 2024 data breach emphasized the necessity of MFA and strong access controls, as major companies like AT&T and Ticketmaster were among the affected businesses.
  3. Investigations by cybersecurity firms CrowdStrike and Mandiant suggest that a threat actor may have gained access to multiple organizations' Snowflake tenants via infostealing malware, employing credentials stolen from initial victims.
  4. Security experts and corporate advisories urge Snowflake customers to take proactive measures to ensure the safety and security of their data, including enabling MFA and network access policies, in response to the ongoing series of cyberattacks.
