Identity-based cyberattacks target vulnerable customers
In recent weeks, a series of attacks has targeted Snowflake's enterprise customers, with potential unauthorized access to certain accounts traced back to mid-April. These attacks have been cause for concern, and Snowflake, together with cybersecurity firms including CrowdStrike and Mandiant, is investigating and mitigating the threats.
According to Mandiant Consulting's CTO, Charles Carmakal, the threat actor appears to have obtained access to multiple organizations' Snowflake tenants by using credentials stolen through infostealing malware. The Australian Signals Directorate has issued a high-alert advisory about increased cyberthreat activity relating to Snowflake customer environments.
The attacks appear to be a targeted campaign directed at users with single-factor authentication. Snowflake's CISO, Brad Jones, has clarified that the malicious activity was not caused by compromised credentials of current or former employees. However, it was discovered that a threat actor had obtained personal credentials for, and accessed, demo accounts belonging to a former Snowflake employee. Fortunately, these demo accounts did not contain sensitive data.
To safeguard your Snowflake customer accounts, it is recommended to implement comprehensive data security measures. These include:
- Enable comprehensive audit logging and monitoring: Establish detailed audit trails that track who accessed what data, when, and how, using Snowflake’s built-in audit features. Create custom dashboards to visualize access patterns, role changes, and unusual activity, and define alert thresholds for anomalies such as failed logins, off-hours access, and unusual data transfers.
- Enforce least privilege access: Use automated tools to analyze complex role hierarchies and ensure users only have permissions necessary for their roles. Regularly review and adjust permissions to prevent overprovisioning and reduce attack surfaces.
- Detect and respond to suspicious behavior: Implement behavioral baselines and anomaly detection to identify potential insider threats or compromised accounts. Configure automated security responses that can revoke sessions or require additional authentication immediately upon detection of suspicious activities.
- Upgrade authentication methods: Migrate from password-only access to stronger authentication mechanisms like multi-factor authentication or Single Sign-On with a structured migration plan.
- Utilize Snowflake’s security capabilities and governance best practices: Leverage Snowflake’s default security features and stay updated with recent innovations in AI governance and data protection to maintain data quality and compliance.
- Adopt privacy-enhancing technologies for sensitive data collaboration: Use Data Clean Rooms or similar secure environments for sharing sensitive data between parties without exposing raw data, to maintain privacy and regulatory compliance during collaboration.
By following these recommendations, organizations can take a layered, automated, and proactive approach to securing their Snowflake customer accounts against evolving threats.
Snowflake has also provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake customer accounts. The company has advised organizations to immediately enforce multifactor authentication on all accounts and set up network policy rules to ensure authorized use and traffic from trusted locations.
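The following Snowflake SQL is an added example, not part of the article or of Snowflake's own advisory, that turns the recommendations above (audit monitoring of single-factor and failed logins, trusted-location network policy, mandatory MFA) into concrete statements. It assumes a role such as SECURITYADMIN, that the ACCOUNT_USAGE share is available, and that the policy names and IP ranges are placeholders to replace with your own.

```sql
-- Added example (not from the article or Snowflake). Names and IP ranges
-- below are placeholders; run with a role that can read ACCOUNT_USAGE and
-- alter the account.

-- 1. Detection: accounts that signed in with a password and no second
--    factor in the last 7 days. These are the users exposed to the
--    stolen-credential pattern described in the article.
SELECT user_name,
       COUNT(*)                          AS logins,
       COUNT_IF(is_success = 'NO')       AS failures,
       COUNT(DISTINCT client_ip)         AS distinct_ips,
       MIN(event_timestamp)              AS first_seen,
       MAX(event_timestamp)              AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_ips DESC, failures DESC;

-- 2. Alert threshold: 10 or more failed logins for one user within a
--    single hour over the last day (credential stuffing / guessing).
SELECT user_name,
       DATE_TRUNC('hour', event_timestamp) AS hour_bucket,
       COUNT(*)                            AS failures
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
GROUP BY 1, 2
HAVING COUNT(*) >= 10
ORDER BY failures DESC;

-- 3. Containment: only accept connections from trusted egress ranges.
--    (203.0.113.0/24 and 198.51.100.10 are documentation-only placeholders.)
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Trusted corporate egress ranges only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Require MFA enrollment for anyone authenticating with a password.
--    Authentication policies are schema objects; this creates one in the
--    current database and schema, then applies it account-wide.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Password logins must enroll in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the two detection queries before applying the policies so you have a baseline of who is still password-only, and review the ALLOWED_IP_LIST against real egress addresses before setting it at account level to avoid locking out legitimate users.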
As the investigation continues, it is crucial for organizations to remain vigilant and proactive in securing their Snowflake customer accounts. Any SaaS solution that is configured without multifactor authentication is susceptible to being mass-exploited by threat actors, as stated by Mandiant Consulting's CTO, Charles Carmakal.
- The recent attacks on Snowflake's enterprise customers are suspected to rely on credentials stolen by infostealing malware, according to Mandiant Consulting's CTO, Charles Carmakal.
- The incident response to the Snowflake attacks is being coordinated by Snowflake and cybersecurity firms like CrowdStrike and Mandiant, with the aim of investigating and mitigating the threats.
- The Australian Signals Directorate has issued a high-alert advisory about increased cyberthreat activity relating to Snowflake customer environments.
- To strengthen cybersecurity measures, Snowflake recommends implementing comprehensive data security strategies, including enabling audit logging and monitoring, enforcing least privilege access, detecting and responding to suspicious behavior, upgrading authentication methods, utilizing Snowflake’s security capabilities, and adopting privacy-enhancing technologies for sensitive data collaboration.