The Snowflake Client Data Breach: A Thorough Analysis

In recent months, a significant data breach involving Snowflake’s cloud storage customers has been reported. This incident has been linked to major data breaches at companies such as Ticketmaster and Santander Bank, among others.

This article from ITD Consulting provides a detailed examination of the Snowflake incident, the actors involved, and the security implications these attacks present.

Incident Background

Discovery and Initial Alert

Security researchers have reported the theft of a significant volume of data from hundreds of Snowflake customers. The security firm Mandiant, which is investigating the breach alongside Snowflake, announced it had traced the activity to a financially motivated threat actor tracked as UNC5537.

Since the discovery of this activity in April, the two companies have notified at least 165 organizations that could have been compromised.

Affected Companies

In addition to Snowflake, companies such as Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard have been affected. Details regarding how the accounts were compromised have been scarce, though it has been noted that there is no evidence to suggest that Snowflake's business environment was directly breached.

Methods of Compromise

Access Through Stolen Credentials

Mandiant revealed that the group UNC5537 had been systematically compromising Snowflake customers by using stolen login credentials obtained through historical infostealer malware infections on systems outside of Snowflake.

Some of these credentials date back to 2020, which allowed UNC5537 to steal data from Snowflake customer instances and either sell it on cybercrime forums or extort the victims.

Lack of Security Practices

The UNC5537 campaign has been successful due to poor security practices in the affected accounts. Many of these accounts did not update the stolen credentials or use multi-factor authentication (MFA) or network allowlists.


EPAM Systems Breach

According to hackers from the ShinyHunters group, some of the accesses were achieved by compromising the systems of a Belarusian provider working with the affected clients. This company, EPAM Systems, has denied any involvement in the leaks.

However, one of the hackers claimed to have used data found in an EPAM employee's system to access some Snowflake accounts.

Details of the EPAM Systems Attack

EPAM Systems is a publicly traded software engineering and digital services company founded by Arkadiy Dobkin, who is from Belarus. The company has annual revenues of around $4.8 billion and employs 300 workers experienced in using Snowflake's data analysis tools and services.

The hacker who spoke to WIRED claims that a computer belonging to one of EPAM's employees in Ukraine was infected with info-stealer malware (intended to steal credentials) through a spear-phishing attack. Once inside the EPAM employee’s system, the hacker installed a remote access Trojan that gave them full access to everything on the employee’s computer.

They found unencrypted usernames and passwords the employee used to query and manage Snowflake accounts for EPAM clients, including one for Ticketmaster.

The hacker claims the credentials were stored on the employee's machine in a project management tool called Jira. The hackers were able to exploit these credentials since they did not require multi-factor authentication (MFA).

Impact of Info-Stealer Malware

Info-stealers have proven to be an effective tool for cybercriminals. The ability of these tools to collect credentials and other sensitive data remains a significant threat.

Companies must be aware of the risks and take proactive measures to mitigate them. Mandiant stated that around 80% of the victims identified in the Snowflake campaign were compromised through credentials previously stolen and exposed by infostealers.

EPAM Systems' Response

EPAM has denied any involvement in the leaks and suggested that the hacker fabricated the story. The company maintains that it has found no evidence of being implicated after conducting a thorough internal investigation. EPAM claims to have robust security measures in place to protect its operations and customers.

Impact and Scope of the Theft

The data stolen from Santander included banking details for 30 million customers, including six million account numbers and balances, 28 million credit card numbers, and human resources information about staff.

This data was published by the hackers in a post on the internet. Other affected companies, such as LendingTree and Advance Auto Parts, have also stated that they could be victims, although they have not confirmed the details.

Credentials obtained by infostealers are often published on the internet or sold in hacker forums. If victims do not change their login credentials after an intrusion, they remain active and available for years.

This is particularly problematic if those credentials are reused across multiple accounts, as hackers can identify the user via the email address and, if the person reuses the same password, they can try those credentials across several sites.

Companies' Response

Snowflake's Actions

Snowflake has issued statements denying that its platform is directly responsible for the breaches. Snowflake’s Chief Information Security Officer, Brad Jones, acknowledged the need to implement mandatory multi-factor authentication measures to better protect customer accounts.

Ongoing Investigations

EPAM, for its part, has stated that it finds no evidence of being implicated in the leaks and suggests that the hackers' claims are fabricated. The company is conducting a thorough investigation into the matter.


Additional Measures

Snowflake is working to offer its customers the ability to require users of their accounts to use MFA by default in the future. This measure is crucial for improving account security and preventing similar attacks in the future.

Future of Security at Snowflake

Snowflake, along with Mandiant, is working to improve the security of its platform and its customers. The implementation of measures such as mandatory multi-factor authentication is a step in the right direction for Snowflake. However, companies also need to stay vigilant and adopt additional security practices to protect their data.

Lessons Learned

The data theft from Snowflake customers has highlighted significant weaknesses in companies' security practices and the vulnerability posed by the use of stolen credentials.

This incident with Snowflake should serve as a wake-up call for organizations to strengthen their security measures and adopt more robust strategies to protect their cloud data.

Collaboration between Snowflake, Mandiant, and other stakeholders will be crucial to preventing future incidents and ensuring that cloud storage environments are as secure as possible.

The industry must learn from this incident and take proactive measures to protect sensitive data in an increasingly digitalized world.

Recommendations to Improve Security

1. Implementation of Multi-factor Authentication

One of the most effective measures to improve account security is the implementation of multi-factor authentication (MFA). This adds an additional layer of security by requiring users to provide a second form of verification, such as a temporary code, in addition to their password.

2. Regular Credential Updates

It is crucial for companies to implement policies for regular credential updates. This includes changing passwords periodically and ensuring that compromised passwords are updated immediately after any security incident.

3. Continuous Security Monitoring and Auditing

Continuous monitoring and regular auditing of security are essential to detect and respond to threats in real-time. Companies should invest in security solutions that allow them to monitor access to their systems and detect suspicious activity.

4. Employee Security Training

Employee security training is fundamental. Employees should be aware of cyber threats and know how to protect themselves against them. This includes training on how to identify phishing attempts and other social engineering tactics.

5. Access Restriction

Companies should implement strict access policies, ensuring that employees only have access to the information and systems necessary to perform their tasks. The principle of least privilege helps to reduce the risk of internal breaches.

6. Implementation of Whitelisting

Implementing network whitelisting (an allowlist) can restrict account access to specific IP addresses or ranges. This measure can block unauthorized access even when credentials have been compromised, because the stolen password alone is not enough to log in from an address outside the list.

7. Security Assessments

Conducting periodic security assessments can help identify and address vulnerabilities in systems before they are exploited by attackers. These assessments can include penetration testing and security audits.


Cloud security is a shared responsibility between service providers and their customers. Both must work together to implement effective security measures and protect data against ever-evolving threats.

This incident at Snowflake should serve as a reminder of the importance of security and the need to always stay vigilant and proactive in protecting our data. If you want to learn more about cybersecurity measures for your company, email us at [email protected]. We have a cybersecurity team ready to assist you.
