Over the last few months, WhiteBlueOcean have been monitoring a series of high-profile attacks that share one constant thread: the data cloud provider Snowflake Inc. (headquartered in Montana, USA). The chain of events echoes 2023’s MOVEit incident, on which WhiteBlueOcean recently published an article, albeit with a smaller number of known victims at this stage.
Who are Snowflake?
Snowflake Inc. provide high-volume, cloud-based data storage to companies, enabling low-latency access to many data points and richer reporting and querying capabilities than traditional data infrastructure. Founded in 2012, the company now serves almost 700 customers from the Forbes Global 2000 (and almost 10,000 customers in total), and has grown to offer a swathe of services relating to data storage and analytics.
What happened?
In late May 2024, databases belonging to Santander bank and Ticketmaster appeared for sale on underground forums, priced at the time at $2,000,000 and $500,000 respectively. Whilst these prices may appear extremely high, the contents of these databases justified the asking price: the Santander database allegedly contained information on 30 million customers, while the Ticketmaster breach was said, by the hackers, to contain data relating to 560 million customers.
A now-deleted report from security intelligence provider Hudson Rock (removed, per Hudson Rock, due to legal pressure from Snowflake) showed screenshots of a conversation claimed to be between the hacker and a Hudson Rock researcher. Within this chat it was claimed that the credentials used had been acquired from an infostealer (infostealers are a family of malware that, as the name suggests, extract login credentials from an infected device and report them back to the operator behind the infection); the alleged conversation also included screenshots purporting to show over 2,000 instances that the hacker had access to via these credentials. A final note on this alleged conversation shows the hacker had intent to blackmail Snowflake with a demand for $20,000,000.
In the days and weeks following, more and more high value databases popped up for sale across various underground forums. Whilst the initial breaches were claimed by the notorious ShinyHunters (who have a long history of hacking, extortion and data exposure – former victims include Cognizant and Bombardier), later breaches were offered by other actors (such as Sp1d3r, also known as SpiderHunters). The known list of victims includes (but is not limited to):
Snowflake have consistently denied that these breaches were caused by access to their database through credentials belonging to one of their staff or contractors. The alleged credentials discussed in the now-expunged Hudson Rock article were for a demo environment that did not have access to the production database. In early June a joint statement was issued by Snowflake and the cyber security firms CrowdStrike and Mandiant, denying that the root cause of the breaches was either an underlying vulnerability in Snowflake’s products or compromised staff credentials.
If not Snowflake, then who?
If the breaches did not, then, originate from a breach of Snowflake’s own systems, we must ask how exactly this flurry of activity affected so many users of Snowflake’s product in such a relatively short time frame.
It would appear that hundreds of credentials, if not more, giving access to Snowflake data pools (belonging to individual companies) have been gathered by stealer malware over the last few years. Per Mandiant, the first stealer log they have on record as containing Snowflake access credentials dates back to 2020. Stealer malware remains attractive to threat actors, as the data it gathers on a potential victim is very rich. WhiteBlueOcean published an article on the topic of stealer logs in April 2024 for those wanting further reading.
Beyond the credential theft itself, there were policy and implementation issues at play too. Snowflake, as a service, did not at the time enforce multi-factor authentication by default (in fact, this is only being enforced as a policy for new users from October 2024). It was also not possible for administrators to apply a blanket MFA policy to users across their company; instead, each user would have needed to enable MFA for their own login manually (which many did not, for the sake of convenience).
Further to this, poor password hygiene added fuel to the fire. Mandiant observed that many of the credentials found in older stealer log files were still valid, meaning that users had not changed their passwords for a very long time.
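As an added, defender-side example (not taken from the article or from Snowflake’s own documentation), the statements below use the SNOWFLAKE.ACCOUNT_USAGE views to surface the two conditions just described, password-capable users who never enrolled in MFA and passwords that have not been rotated, then attach an account-level authentication policy so enrolment is no longer a per-user choice. It assumes ACCOUNTADMIN privileges, an account that supports authentication policies, and that `policy_db.policies` is a schema you own; the 30-day and 365-day thresholds are arbitrary choices.

```sql
-- Added example, not part of the WhiteBlueOcean article.
-- Run as ACCOUNTADMIN; ACCOUNT_USAGE views lag live data by up to a few hours.

-- 1. Active users who can log in with a password but have no MFA enrolled.
SELECT name, login_name, created_on, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND COALESCE(has_mfa, FALSE) = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Passwords older than a year (the "still valid after years" problem
--    described above). Threshold is an assumed 365 days.
SELECT name, login_name, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND password_last_set_time < DATEADD(day, -365, CURRENT_TIMESTAMP())
ORDER BY password_last_set_time;

-- 3. Successful single-factor password logins in the last 30 days, grouped by
--    source IP and client, so unfamiliar origins using MFA-less accounts stand out.
SELECT user_name, client_ip, reported_client_type, COUNT(*) AS logins,
       MIN(event_timestamp) AS first_seen, MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY logins DESC;

-- 4. Remove the per-user opt-in: require MFA enrolment account-wide.
--    policy_db.policies is an assumed schema name.
CREATE AUTHENTICATION POLICY IF NOT EXISTS policy_db.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

ALTER ACCOUNT SET AUTHENTICATION POLICY policy_db.policies.require_mfa;
```

Service accounts that authenticate with key pairs are unaffected by query 1 (they have no password) but should be reviewed separately for key age and network restrictions.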
These factors seem to have culminated in threat actors such as ShinyHunters realising that these credentials would allow easy access to huge amounts of data, with very little standing in the way of extracting their ill-gotten gains. No single point of failure can be identified as the overall root cause. Snowflake are taking steps to change their systems to enforce stricter security policies. Information security teams across the world continue their efforts to educate staff on the importance of a good security posture, but human nature often wins out.
What are the takeaways?
Reference list:
https://www.snowflake.com/en/blog/multi-factor-identification-default/
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
https://www.theregister.com/2024/06/04/snowflake_report_pulled/
https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches/
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.