© 2022 Tech Business News- Australian Technology News. All Rights Reserved.
IT Security

What Can We Learn From the Snowflake Attack? (Data Breach)

On May 31st, reports emerged about two data breaches impacting nearly 600 million individuals. Ticketing leader Ticketmaster and bank Santander revealed they were victims of extensive breaches, impacting 560 million and 30 million users respectively. Further investigations have revealed that threat actors executed precise attacks on these entities, exploiting vulnerabilities through Snowflake, the third-party SaaS cloud storage provider utilized by Ticketmaster and Santander.

Troy Beamer
Last updated: June 20, 2024 12:07 am

For those who don’t know, Snowflake is a company that offers data storage and management to thousands of organisations worldwide. The cloud company also works with the Sydney Airport, the biggest in Australia, making the data breach even more concerning.

The situation has escalated so much that the Australian Cyber Security Centre and other countries’ agencies have begun raising alerts, warning Snowflake customers to take precautions.

This is the story of the Snowflake attack and how some missed steps caused what some are calling the biggest cyberattack in 2024.

Details on the Snowflake Data Breach Revealed

The recent breach involving Snowflake has brought several critical points to light, although specifics remain somewhat unclear:

  • A group of threat actors targeted organizations, exploiting vulnerabilities within their intricate systems.
  • Among the affected entities were Ticketmaster and Santander, both users of Snowflake’s third-party cloud database.
  • Shockingly, both companies had configured their Snowflake connections without multi-factor authentication (MFA), leaving only a stolen password standing between third-party applications and access to vast stores of sensitive personal data.
  • The threat actors gained entry using stolen passwords or credential stuffing, allowing them to quietly siphon off extensive amounts of data before the breaches were detected.

Following the disclosure of these breaches, blame and accountability quickly became contentious:

  • Ticketmaster and Santander initially blamed Snowflake for insufficient security measures, only for Snowflake to counter that the companies had neglected to implement MFA on their own databases.
  • Hudson Rock’s postmortem added intrigue by highlighting Snowflake’s involvement; the report was later removed under unclear circumstances.
  • SEC filings pointed to a “third-party cloud database environment” as the source of the breaches, underscoring the regulatory implications for such incidents.

The issue of MFA emerged prominently:

  • Despite the widely recognised necessity of MFA in cybersecurity, its implementation remains inconsistent across sprawling application landscapes, complicating efforts to maintain robust security postures.
  • Threat actors exploit this vulnerability, targeting systems lacking MFA as an easy point of entry, circumventing the need for costly exploits or zero-day vulnerabilities.
  • Recent reports indicate Advance Auto Parts falling victim to a similar breach via Snowflake, further highlighting the persistent risks associated with inadequate security configurations.

Snowflake, like other cloud vendors, emphasised a shared responsibility model:

  • They stressed that while they provide the infrastructure, customers bear the responsibility for adopting best security practices, including MFA.
  • Calls are growing for Snowflake and similar providers to impose stricter baseline security requirements, aligning with initiatives like CISA’s Secure By Design, which advocate for enhanced security measures at the vendor level.

Ultimately, the incident underscores ongoing challenges in cybersecurity:

  • Customers must remain vigilant in configuring robust security protocols, even as cloud providers continue to refine their offerings.
  • The evolving landscape demands proactive measures to fortify defenses against increasingly sophisticated threats, reflecting the crucial role of cybersecurity leadership in safeguarding sensitive data.

Snowflake Attack: Everything We Know So Far

The first signs of the breach occurred on April 14, when Mandiant, a cybersecurity firm working with Snowflake, detected suspicious activity in the company’s database records.

After a preliminary investigation, Mandiant discovered that unknown individuals were compromising the database, forcing them and Snowflake to notify their affected clients and make public statements. 

According to the report, the actors, or “UNC5537” (as Mandiant calls them), used credentials from one of Snowflake’s customers to enter unnoticed. Once inside the database, the group began exporting any data they could get their hands on.

So far, the attack has compromised a total of 165 organisations worldwide. However, the number could grow in the future since the investigations are still on course.

Single Snowflake Account Confirmed as Compromised

Snowflake has confirmed that credentials of a single former employee were compromised by a threat actor, who subsequently accessed demo accounts associated with those credentials.

According to Snowflake, these demo accounts did not contain “sensitive” data and were segregated from production and corporate systems.

Unlike Snowflake’s core systems, which benefit from Okta and Multi-Factor Authentication (MFA) protections, these dormant demo accounts lacked such safeguards.

What remains unclear is whether the threat actor managed to access Snowflake’s ServiceNow using the same employee’s credentials, as claimed. Snowflake has neither confirmed nor explicitly denied this assertion to our knowledge.

Who Are the Culprits?

So far, Snowflake hasn’t revealed the attacker’s identity. However, many have pointed to ShinyHunters (a well-known hacker group) as the culprits, linking the event with other recent breaches at Ticketmaster and Santander.

Hudson Rock, a known cybersecurity firm, reported that the hacker group used Snowflake credentials to access both companies. However, they later removed the report at the request of Snowflake’s legal team, which denied any connection between the incidents.

How Could This Attack Have Been Prevented?

According to Mandiant, Snowflake’s data breach resulted from various human errors and not so much the tinkering of some genius hacker. 

The firm mentions in its report that UNC5537 used stolen credentials from a customer to access Snowflake’s database. Since the account didn’t have any sort of extra authentication, neither the customer nor the company knew anything until the damage was already done.

So, to put it simply, the Snowflake attack could have been easily prevented by changing the password regularly and adding two-factor authentication to the login.
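As an added defender-side example (not code from the article, Snowflake or Mandiant), the audit below runs over constructed login records shaped like a SaaS data platform’s login history and flags the two conditions the article describes: successful logins guarded by a password alone, and bursts of failed logins spread across many usernames from one source, which is what credential stuffing looks like. Field names, thresholds and sample values are assumptions.

```python
# Added example, not the article's or any vendor's code. Field names,
# thresholds and all sample records below are constructed assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginEvent:
    user: str
    client_ip: str
    success: bool
    first_factor: str             # assumed values: "PASSWORD", "OAUTH", "KEY_PAIR"
    second_factor: Optional[str]  # e.g. "DUO_PUSH"; None when no MFA was used


# Constructed sample login history (not real data). One service account logs in
# with a password and nothing else; one source IP fails against many usernames
# and then succeeds against one of them.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent("svc_etl", "203.0.113.10", True, "PASSWORD", None),
    LoginEvent("analyst1", "198.51.100.7", True, "PASSWORD", "DUO_PUSH"),
    LoginEvent("svc_etl", "203.0.113.10", True, "PASSWORD", None),
    LoginEvent("cfo", "192.0.2.44", True, "OAUTH", None),  # MFA enforced upstream by IdP
] + [LoginEvent(f"user{i}", "203.0.113.99", False, "PASSWORD", None) for i in range(12)] \
  + [LoginEvent("user3", "203.0.113.99", True, "PASSWORD", None)]


def password_only_users(events: List[LoginEvent]) -> List[str]:
    """Users with a successful login where a password was the only factor.
    OAuth/key-pair logins are not flagged: their MFA happens at the IdP."""
    return sorted({e.user for e in events
                   if e.success and e.first_factor == "PASSWORD" and e.second_factor is None})


def stuffing_sources(events: List[LoginEvent], min_failures: int = 10,
                     min_distinct_users: int = 5) -> List[str]:
    """Source IPs whose failures spread over many distinct usernames: the
    credential-stuffing pattern, unlike one user mistyping a password."""
    users_per_ip = defaultdict(set)
    failures = Counter()
    for e in events:
        if not e.success:
            users_per_ip[e.client_ip].add(e.user)
            failures[e.client_ip] += 1
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and len(users_per_ip[ip]) >= min_distinct_users)


def successes_after_stuffing(events: List[LoginEvent]) -> List[str]:
    """Accounts that logged in successfully from a flagged source: the
    credentials to rotate and the sessions to review first."""
    bad = set(stuffing_sources(events))
    return sorted({e.user for e in events if e.success and e.client_ip in bad})
```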

The Most Important Lessons

The Snowflake attack shows that not even the biggest companies are safe from their customers’ security errors and how much damage a stranger can do with stolen information. 

Also, as Mandiant mentioned in their report, it’s important to regularly monitor and scan computers for malware, especially those used for work. Otherwise, an infected device could become the very entrance criminals need into that company or organisation.

In an era where everyone shows a bit of themselves through social media and other websites, it’s crucial to learn how to remove that information from the internet, as many malicious groups could use it to wreak havoc on companies or other people’s lives.

What We Don’t Know

  • The threat actor claimed that they were also able to log into Snowflake’s ServiceNow using this employee’s credentials. This has not been confirmed by Snowflake or explicitly refuted to our knowledge.
  • Whether any other Snowflake employees’ credentials have been obtained by similar methods.
  • What definition of “sensitive” data was used to determine whether the demo accounts contained “sensitive” data?

According to Ian Gray, the vice president of intelligence at security company Flashpoint, infostealers have become more popular because they’re in high demand and pretty easy to create.

“Hackers have been seen to be copying or modifying existing infostealers and selling them on for as little as $10 for all the login details, cookies, files, and more from one infected device,” says Gray.

“This malware can be delivered in different ways and targets sensitive info like browser data (cookies and credentials), credit cards, and crypto wallets.”

“Hackers might comb through the logs for enterprise credentials to break into accounts without permission,” he said.

While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when relying on products and services from third-party providers.

Meanwhile, a post from Snowflake says, “To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,”

“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”

Overall, the Snowflake Attack serves as a significant case study in cybersecurity, privacy protection, and crisis management in the digital age. It underscores the interconnectedness of online platforms and the importance of maintaining trust and security within digital communities.

By Troy Beamer
A technologist from the United States, Troy has worked with several major financial organisations implementing IBM mainframes and reports for TBN as its U.S. correspondent.