×
Discover our latest MSP Partner Case Study with ITFR
Read Now!Among the most alarming of the cybersecurity incidents in the recent months has been a series of cyber attacks targeting customers of Snowflake, a leading cloud-based data warehousing service. The attacks commenced in April 2024. This blog aims to dissect these incidents comprehensively, examining their origins, impacts, technical underpinnings, responses, and the current state of affairs. […]
Author
Date
Category
All Categories
Contents
Popular Posts
Product
Join the Newsletter
Among the most alarming of the cybersecurity incidents in the recent months has been a series of cyber attacks targeting customers of Snowflake, a leading cloud-based data warehousing service. The attacks commenced in April 2024. This blog aims to dissect these incidents comprehensively, examining their origins, impacts, technical underpinnings, responses, and the current state of affairs.
The initial breach was detected in early April 2024 when several Snowflake customers reported unauthorized access to their data environments. This breach was particularly notable not only because of the scale and profile of the affected entities but also due to the sophistication of the attack vector employed by the cybercriminals. Snowflake, renowned for its robust security features and the isolation of customer data, found itself grappling with a vulnerability that had not been previously identified.
Following the first reported incident, a pattern began to emerge. Over the next few weeks, similar attacks were reported by other Snowflake customers, including major corporations across finance and healthcare sectors—industries that deal with exceptionally sensitive data. Some of these corporations included Neiman Marcus, Advanced Auto Parts, Ticketmaster, Santander, and Pure Storage. These attacks were not isolated incidents but part of a coordinated campaign targeting specific vulnerabilities within Snowflake’s systems.
According to the Mandiant’s report(*) dated June 10, 2024, “…this cluster of activity [is tracked] as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.
Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”
The attackers exploited a zero-day vulnerability in Snowflake’s web application interface, which customers use for data management and analytics. This vulnerability allowed the attackers to perform SQL injection attacks, a common tactic where malicious SQL statements are inserted into an entry field for execution (e.g., to dump database contents to the attacker). This method allowed the attackers to elevate their privileges undetected and carry out data exfiltration activities seamlessly.
The SQL injections manipulated Snowflake’s systems into treating the attack actions as legitimate queries from authorized users. This stealth bypassed traditional detection methods that rely on spotting unusual access patterns, as the activities mimicked normal user behaviors.
These attacks were successful primarily due to three factors:
Snowflake’s response was swift and multifaceted. Initially, the focus was on patching the exploited vulnerability to prevent further incidents. This immediate response was followed by a comprehensive security audit and enhancement of their systems’ threat detection capabilities. Snowflake collaborated closely with affected clients and external cybersecurity experts to fortify their defenses, ensuring such vulnerabilities could be identified and mitigated more rapidly in the future.
Additionally, Snowflake took significant steps to improve their overall security architecture (**), including:
The Snowflake attacks had a ripple effect across the tech industry, prompting many organizations to reassess their cloud security strategies. These incidents highlighted potential risks in even the most secure cloud environments and underscored the need for continuous vigilance and improvement in cybersecurity measures.
Industry forums and regulatory bodies have since increased their focus on cloud security, with several new standards and best practices being developed as a direct response to these incidents. Additionally, there is a growing demand for more advanced security solutions that can preemptively identify and neutralize sophisticated cyber threats before they impact business operations.
As of today, the immediate threat from these specific Snowflake attacks has been mitigated, with no new breaches reported since the comprehensive security overhaul in late June 2024. However, the investigation remains active, with cybersecurity teams working to trace the origins of the attacks and understand the full scope of the compromise.
The identity of the attackers is still under investigation, though the sophistication and targeted nature of the breaches suggest the involvement of an organized cybercriminal group with advanced capabilities, possibly with financial or industrial espionage motives.
A Secure Access Service Edge (SASE) solution, such as the one by Timus Networks, could be a pivotal asset in preventing incidents like the Snowflake customer attacks. Here’s how SASE can enhance the security posture for organizations using cloud services:
The Snowflake customer attacks serve as a stark reminder of the persistent and evolving nature of cyber threats. They underscore the necessity for continuous enhancement of cybersecurity defenses and proactive threat hunting to protect sensitive data. For us at Timus Networks, these incidents reinforce the importance of our mission to provide resilient and cutting-edge security solutions that can adapt to the ever-changing threat landscape.
(*) UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
June 10, 2024
(**) Detecting and Preventing Unauthorized User Access Update (6-10-24) by Brad Jones (Snowflake), and Detecting and Preventing Unauthorized User Access: Instructions June 10, 2024
Zero Trust. Adaptive Cloud Firewall. Secure Remote Access. In one.