On 2 June 2024, Snowflake published a joint statement with CrowdStrike and Mandiant detailing their initial findings while investigating a campaign involving unauthorised access to Snowflake accounts. The statement clarified the scope of the campaign in contrast to previous independent reporting on the matter.
What Has Changed
- Based on currently available evidence, unauthorised access to demo accounts via an employee’s credentials is thought to be separate from the current stolen credential campaign impacting Snowflake customers.
- A separate infostealer campaign affecting Snowflake users directly appears to have targeted users without multi-factor authentication enabled.
- The primary source of claims around compromise of Snowflake silently removed their blog post on June 1, 2024 for unknown reasons.
- Snowflake found evidence that a threat actor obtained access to demo accounts belonging to a former Snowflake employee.
- Demo accounts are not connected to Snowflake’s production or corporate systems.
What Has Remained the Same
- Snowflake does not believe that they were the source of any compromised credentials in this campaign, nor do they have specific evidence of misconfiguration or vulnerabilities in their product leading to the compromise.
- Increased threat activity was observed around mid-April 2024 from a subset of IP addresses originating from providers of commercial VPN services.
- Snowflake has contacted the customers thought to be impacted by these activities.
- Mandiant has also reached out to some of the impacted organisations.
Recommendations
Enforce Multi-factor Authentication on all Snowflake Accounts
This campaign appears to target user accounts with single-factor authentication. Enforcing multi-factor authentication (MFA) on all Snowflake accounts will significantly limit the impact of this campaign.
To enable MFA and identify accounts that do not have MFA enabled, refer to Snowflake’s Knowledge Base Article here: https://community.snowflake.com/s/article/Identifying-Non-MFA-Users-and-Enabling-MFA
If Impacted, Reset and Rotate Snowflake Credentials
If you have been informed by Snowflake that your organisation was potentially impacted by this campaign, we strongly recommend resetting and rotating all credentials associated with your Snowflake accounts. This campaign leverages credentials previously obtained via infostealing malware, if credentials are not rotated or reset, threat actors can leverage them to obtain access to your Snowflake accounts in the future.
Note: Snowflake has provided specific guidance to ensure that unauthorised users are successfully disabled. See “Disabling Suspected Users” in the bulletin provided by Snowflake.
Follow Snowflake’s Recommended Steps
In their knowledge base article, Snowflake provided additional context on how to detect and prevent unauthorised user access. Highlights are listed below. For more details: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
Set up Network Policies
- Set up account-level and user-level Network Policies for highly credentialed users/service accounts.
Review Account Parameters
- Review account parameters to restrict how data can be exported from your Snowflake Account.
- Customers will need to do due diligence on enabling these features and their impacts on existing account integrations.
Review Account for Configuration Drift
- Monitor your Snowflake accounts for unauthorised privilege escalation or configuration changes.
Review Service Account Authentication
- For service accounts, use key pair authentication or OAuth for machine-to-machine communication in lieu of static credentials.
