In May, a hacker group started selling 560 million breached records of a company. Two days later, they began offering 30 million records of another company.
Immediately, one interesting connection emerged:
Both breached companies had their data hosted on the same cloud storage company (called 'Snowflake').
As more breaches emerged, they all had the same 'Snowflake' connection.
Attack flow of what everyone thought happened:
Attacker compromised Snowflake company > Accessed customer accounts > Breached customer data.
Attack flow of what actually happened:
Attacker drops infostealers on employee devices at customer companies > Steals admin credentials > Uses those creds to access the customer's Snowflake instance > Logs in easily to Snowflake accounts that did not enable MFA > Exfiltrates data.
Eventually it was determined that 165 companies were impacted in this campaign!
A few key insights:
[1] Infostealers - the weapon that gives the best ROI for attackers!
Infostealers are malware that steal credentials. Those credentials are then used to gain access to enterprise systems.
Infostealers are a low-cost, high-return investment. Anyone can buy one for $20, and they are a guaranteed way of obtaining "live" passwords/tokens. This dynamic enables even relatively low-skilled actors to get involved.
Some of the credentials identified in this campaign were stolen several years ago (but used only now). This is why basic security practices such as password rotation (although boring) are so important.
A few countermeasures (not an exhaustive list):
- Infostealers often masquerade as cracked or free versions of popular products on the internet (most often as games software). Educating users about these scenarios is key to prevention.
- Enforce web browser updates and disallow browser-based credential storage.
- Monitoring dark web sources can provide valuable threat intelligence on the sale of data related to your company and of user credentials. This enables timely and proactive containment actions.
- In the case of confirmed infostealer infections, swift action is imperative: isolate the system from the network immediately, and invalidate the stolen credentials or tokens as rapidly as possible.
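To make the last two countermeasures concrete, here is an added example (not from the original post) of the triage step a security team runs when a stealer-log dump is obtained from a monitoring source: parse the common "URL:login:password" layout, pick out the records that touch the company, and produce the list of accounts whose credentials must be invalidated. The dump, the hostnames, the identity domain and the secrets are all constructed for this example; a real inventory of corporate hosts would come from your own asset list.

```python
from urllib.parse import urlsplit

# Constructed sample dump in the widely used "URL:login:password" layout.
# Every host, user and secret here is made up for this example.
STEALER_DUMP = """\
https://mail.example.com/login:alice@example.com:Winter2021!
https://acme.snowflake.test/console/login:dbadmin:S3cretPass
https://shop.unrelated-site.test/account:alice@example.com:Winter2021!
https://sso.example.com/saml:bob@example.com:hunter2
android://com.cracked.game:player1:pw
https://sso.example.com/saml:bob@example.com:hunter2
not a valid line
"""

# Assumed inventory: hosts we own or administer, and our identity domain.
CORPORATE_HOSTS = {"mail.example.com", "sso.example.com", "acme.snowflake.test"}
CORPORATE_DOMAIN = "example.com"


def parse_dump(text):
    """Yield (host, user, password) for each well-formed line.

    The URL itself contains ':' so we split from the right, which keeps the
    parser tolerant of URLs with ports or colons in the path."""
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 2)
        if len(parts) != 3:
            continue  # malformed or truncated line: skip rather than guess
        url, user, password = parts
        host = urlsplit(url).hostname
        if host and user:
            yield host.lower(), user.lower(), password


def triage(text, hosts=CORPORATE_HOSTS, domain=CORPORATE_DOMAIN):
    """Return one finding per unique (user, host) pair that touches the company.

    A record is relevant when the host is ours or the login is one of our
    identities; the second case catches a corporate password reused on a
    third-party site, which is exactly what gets replayed against SSO."""
    seen = {}
    for host, user, password in parse_dump(text):
        is_corp_host = host in hosts
        is_corp_identity = user.endswith("@" + domain)
        if not (is_corp_host or is_corp_identity):
            continue  # someone else's problem, not ours to act on
        key = (user, host)
        if key in seen:
            continue  # duplicate line for the same account/site
        seen[key] = {
            "user": user,
            "host": host,
            "reason": "corporate_service" if is_corp_host else "corporate_identity",
            # our identity on a site we do not own => password reuse to chase down
            "third_party_site": is_corp_identity and not is_corp_host,
        }
    return sorted(seen.values(), key=lambda f: (f["user"], f["host"]))


def reset_list(text, **kw):
    """Distinct accounts whose credentials must be invalidated right away."""
    return sorted({f["user"] for f in triage(text, **kw)})


if __name__ == "__main__":
    for finding in triage(STEALER_DUMP):
        print(finding)
    print("reset:", reset_list(STEALER_DUMP))
```

Running this on the constructed dump flags four account/site pairs (the `player1` game credential is ignored, the duplicate `bob@example.com` line collapses into one finding) and a reset list of three accounts; the `third_party_site` flag is set for alice's reused password, which is the case where rotating only the corporate password is not enough.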
[2] It’s not just who can enter, but from where they can enter!
You can reduce a great deal of risk to your assets through conditional access policies.
For example, if your database is expected to be accessed only from certain locations or IP ranges, you should restrict access to those locations only.
The impacted Snowflake customer instances did not have network allow lists in place to permit access only from trusted locations.
Using network security groups, you can filter network traffic between cloud resources. That alone can save the day for you!
[3] The 'collective burden' of security in cloud
The problem is simple: If you host your data in somebody else's cloud, who is responsible for securing that data?
You or the cloud service provider?
The answer is BOTH. It's a shared responsibility.
A cloud provider should enable security controls at a platform level.
A cloud customer should implement security controls at an instance level.
In this case, the debate on this point revolved around turning on MFA: is it the provider's or the customer's responsibility?
[4] If you do not want someone to commit a mistake, do not give them the chance to.
Everyone agrees on this:
Accessing millions of records of sensitive data with just a username/password over the internet is an easy kill for an attacker. That is why this campaign against Snowflake customers succeeded.
And the easiest way to create a speed bump for an attacker is to have MFA.
For years, we tried the model of giving customers the choice of turning it on. A good number of customers did, and it helped. But a good number still do not (for various reasons).
Should we leave the safety of the user up to the user?
With cyber-attacks growing, MFA is now a baseline control. Most providers are already moving in the direction of making MFA mandatory everywhere.
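Points [2] and [4] are the two controls the impacted instances lacked: a network allow list and mandatory MFA. The added example below (not part of the original post) shows how an admin can audit existing login activity against both rules before enforcement is switched on, so nobody is locked out by surprise. The login events are constructed; their field names mirror the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, but the factor values, IP ranges and user names are assumptions of this example. Treating key-pair logins as not needing a second factor is also an assumption of the policy modelled here.

```python
import ipaddress
from collections import Counter

# Assumed policy: only these source ranges may reach the account, and every
# password login must present a second factor. The ranges are made up.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
REQUIRE_MFA = True

# Constructed login events. Field names follow Snowflake's LOGIN_HISTORY view;
# every value is invented for this example.
LOGIN_HISTORY = [
    {"USER_NAME": "ALICE",   "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"USER_NAME": "DBADMIN", "CLIENT_IP": "192.0.2.77",   "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "BOB",     "CLIENT_IP": "198.51.100.5", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.20", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "DBADMIN", "CLIENT_IP": "192.0.2.77",   "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]


def ip_allowed(ip, cidrs=ALLOWED_CIDRS):
    """True when the source address falls inside any allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def evaluate(event, cidrs=ALLOWED_CIDRS, require_mfa=REQUIRE_MFA):
    """Apply the policy to one event and return the rules it violates.

    An empty list means the login would have been accepted under the policy.
    Key-pair authentication is not asked for a second factor here because the
    private key never sits in a browser credential store (an assumption of
    this example's policy, not a Snowflake rule)."""
    violations = []
    if not ip_allowed(event["CLIENT_IP"], cidrs):
        violations.append("source_ip_not_allowlisted")
    password_only = (event["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                     and not event["SECOND_AUTHENTICATION_FACTOR"])
    if require_mfa and password_only:
        violations.append("password_without_mfa")
    return violations


def audit(events, **kw):
    """Count, per user, the successful logins the policy would have blocked.

    Failed logins are skipped: they are already blocked. The result tells an
    admin who still needs MFA enrolment and which source ranges need a
    decision before enforcement is turned on."""
    report = {}
    for ev in events:
        if ev["IS_SUCCESS"] != "YES":
            continue
        violations = evaluate(ev, **kw)
        if violations:
            report.setdefault(ev["USER_NAME"], Counter()).update(violations)
    return {user: dict(counts) for user, counts in report.items()}


if __name__ == "__main__":
    for user, counts in audit(LOGIN_HISTORY).items():
        print(user, counts)
```

On the constructed history the audit reports DBADMIN (password-only login from an address outside the allow list, the exact pattern of this campaign) and BOB (password-only from a trusted range), while ALICE and the key-pair service account pass. In Snowflake itself the first rule is enforced with a network policy (CREATE NETWORK POLICY ... ALLOWED_IP_LIST, applied to the account or to individual users); the point of running an audit like this first is that the same query that finds the attacker's login also finds the legitimate users the new policy would break.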
Really concise report. Simple and easily articulated.
Rohit - A 3rd Snowflake breach AT&T after Ticketmaster and Santander - https://uk.pcmag.com/security/153255/att-nearly-all-customer-phone-text-records-leaked-one-arrest-made