
All About The Huge Snowflake Breach And Its Impact

by admin, June 18, 2024, in Cyber insurance

With companies coming forward daily asserting impacts from their third-party cloud data storage vendor, the Snowflake data breach appears to be snowballing into one of the largest data breaches of the digital age.

Here’s everything to know about the Snowflake breach; we’ll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.

Snowflake holds roughly a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, making it an attractive target for cybercriminals. However, it’s important to note that the breaches are not necessarily due to failures by Snowflake. Correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, together with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA), but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial entry point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, which helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Potential Causes for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to 4 years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of “sensitive” data used for determining the impact on demo accounts.

The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach.

While some victims were identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies known to have been impacted in the Snowflake data breach:

  • Santander Group: The company confirmed a compromise without mentioning Snowflake.
    • Impact: Data of Santander Bank employees and 30 million customers has allegedly been breached.
  • TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
    • Impact: 560 million TicketMaster user details and card information potentially at risk.
  • LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
    • Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.
  • Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
    • Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.
  • Pure Storage: The Pure Storage data breach involved a third party briefly gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
    • Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage that was reportedly being offered for $1.5 million.

TechCrunch found over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company’s findings, asserting that the breaches were not caused by any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts.

The company acknowledges the friction in its MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite because of the high sensitivity of the data stored in its cloud environments.

Key Recommendations for Snowflake Customers:

  1. Implement Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
  2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from earlier leaks.
  3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
  4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.
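
The sketch below is an added example, not code from Snowflake, Mandiant, or the original article. It audits an exported account inventory and login log for the three gaps named above (no MFA, unrotated passwords, logins from outside an allow list). The record field names, the 90-day rotation threshold, the allowed networks, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values for this sketch, not figures from the article.
MAX_PASSWORD_AGE = timedelta(days=90)
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("2001:db8:10::/48")]

def audit_users(users, now):
    """Map each active password account to its findings (missing MFA, stale password)."""
    findings = {}
    for u in users:
        if u["disabled"] or not u["has_password"]:
            continue  # disabled or non-password (SSO, key-pair) accounts are skipped
        issues = [] if u["mfa_enrolled"] else ["no_mfa"]
        age = now - u["password_last_set"]
        if age > MAX_PASSWORD_AGE:
            issues.append(f"password_age_days={age.days}")
        if issues:
            findings[u["name"]] = issues
    return findings

def logins_outside_allow_list(logins):
    """Return successful logins whose source IP falls outside every allowed network."""
    flagged = []
    for ev in logins:
        ip = ip_address(ev["client_ip"])
        if ev["success"] and not any(ip in net for net in ALLOWED_NETWORKS):
            flagged.append(ev)
    return flagged

def _user(name, has_password, mfa, last_set, disabled=False):
    return {"name": name, "has_password": has_password, "mfa_enrolled": mfa,
            "password_last_set": datetime(*last_set, tzinfo=timezone.utc), "disabled": disabled}

# Constructed sample data: invented account names, documentation IP ranges.
NOW = datetime(2024, 6, 18, tzinfo=timezone.utc)
USERS = [
    _user("svc_etl", True, False, (2020, 7, 1)),       # no MFA, password ~4 years old
    _user("analyst_a", True, True, (2024, 5, 20)),     # compliant
    _user("demo_admin", True, False, (2024, 6, 1)),    # fresh password, no MFA
    _user("old_contractor", True, False, (2019, 1, 1), disabled=True),
    _user("sso_only", False, False, (2019, 1, 1)),
]
LOGINS = [
    {"user": "svc_etl", "client_ip": "203.0.113.25", "success": True},
    {"user": "svc_etl", "client_ip": "198.51.100.77", "success": True},
    {"user": "demo_admin", "client_ip": "198.51.100.9", "success": False},
    {"user": "analyst_a", "client_ip": "2001:db8:10::5", "success": True},
]
```

Calling audit_users(USERS, NOW) and logins_outside_allow_list(LOGINS) returns the flagged accounts and login events for triage.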

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access.

Cloud security firm Permiso has developed an open-source tool dubbed “YetiHunter” to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence.

Editor’s Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.
