Customers victimized by a series of attacks using stolen credentials, dubbed the 'Snowflake incident'
Snowflake, the cloud-based data warehousing company, has issued a warning to its enterprise customers following a series of attacks targeting customer accounts. The attacks, ongoing since mid-April, have been linked to threat actors who opportunistically use stolen corporate credentials to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion.
In a bid to help companies investigate potential threat activity within their Snowflake customer accounts, Snowflake has provided indicators of compromise and additional recommended actions. The company has also stated that the malicious activity was not caused by compromised credentials of current or former employees.
The attacks appear to have been facilitated by inadequate identity and access controls. Many intrusions resulted from organizations running Snowflake accounts whose users were not required to use multi-factor authentication, so a stolen username and password alone was enough to log in.
To mitigate risks post-attack, Snowflake advises enterprises to implement comprehensive audit logging and monitoring, set strict alert thresholds for unusual activity, automate security incident response, and harden authentication methods.
Specifically, they should enable Snowflake's audit features to record "who did what, when, and how," producing detailed audit trails from which suspicious actions can be detected early. Building monitoring dashboards that visualize access patterns, role changes, unusual queries, and data transfers relevant to their environment also supports proactive detection.
Defining baselines of normal behavior and setting alert thresholds for abnormal events such as repeated failed logins, off-hours access, and unusual data movement lets the system notify administrators promptly. Automated incident responses that revoke sessions, pause jobs, or demand additional authentication when suspicious activity is detected shorten the time from detection to containment.
Authentication should also be hardened: enforce multi-factor authentication (MFA), audit the account continuously via Snowflake's Trust Center, and prepare for the upcoming mandatory Snowflake authentication enhancements. Each of these limits what an attacker can do with a stolen credential and reduces the risk of data exfiltration.
Employing encryption, data governance policies, and continuous monitoring guided by Snowflake’s security best practices can help maintain a secure data environment.
The Australian Signals Directorate has also issued a high-priority alert about increased cyberthreat activity relating to Snowflake customer environments, noting that the threat activity originated from commercial VPN IP addresses.
CrowdStrike and Mandiant are assisting with the ongoing investigation into these attacks. Researchers at threat detection and incident response firm Mitiga have also made observations about the attacks in a Friday blog post.
Snowflake has promptly informed the limited number of customers it believes may have been affected. The company has also advised organizations to immediately enforce MFA on all accounts and to configure network policies so that only traffic from trusted locations is accepted.
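The detection and response guidance above (audit trails, behavior baselines, alert thresholds on failed logins, off-hours access and unusual data movement, automated session revocation) and Snowflake's advice to enforce MFA and restrict logins to trusted locations can be turned into concrete checks. The following is an added example, not Snowflake's own code or tooling: it runs the checks over constructed records whose fields mirror a few columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY views (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, IS_SUCCESS, SECOND_AUTHENTICATION_FACTOR; START_TIME, USER_NAME, BYTES_WRITTEN_TO_RESULT). The trusted network range, the thresholds, the business-hours window and the sample users and IPs are all assumptions chosen for the example; in production the allow-list check is done by a Snowflake network policy, and this code would read its input from those views rather than from inline data.

```python
"""Detection and response checks over Snowflake-style login and query telemetry.

Added example, not Snowflake's code. Records are constructed; field order
mirrors a subset of the ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY columns.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # assumed corporate egress range
FAILED_LOGIN_THRESHOLD = 5                          # failures per source IP within WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)                       # 07:00-19:59 UTC counts as on-hours (assumed)
BASELINE_SIGMAS = 3.0                               # flag result sizes above mean + 3 sigma
STDEV_FLOOR = 0.10                                  # never trust a baseline tighter than 10% of its mean
ABSOLUTE_FALLBACK = 10_000_000                      # bytes; used for users with no baseline
BASELINE_END = datetime(2024, 5, 20)                # queries before this build the baseline


def at(day, hh, mm):
    return datetime(2024, 5, day, hh, mm)


# Constructed LOGIN_HISTORY-style rows:
# (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, IS_SUCCESS, SECOND_AUTHENTICATION_FACTOR)
LOGINS = [
    (at(20, 9, 0), "alice", "203.0.113.10", "YES", "DUO_PUSH"),
    (at(20, 10, 15), "bob", "203.0.113.11", "YES", None),                        # password only, trusted net
    *[(at(20, 3, m), "carol", "198.51.100.77", "NO", None) for m in range(6)],   # spray from a VPN exit
    (at(20, 3, 12), "svc_etl", "198.51.100.77", "YES", None),                    # then a password-only success
    (at(20, 9, 30), "dave", "203.0.113.12", "NO", None),
    (at(20, 9, 31), "dave", "203.0.113.12", "YES", "DUO_PUSH"),
]

# Constructed QUERY_HISTORY-style rows: (START_TIME, USER_NAME, BYTES_WRITTEN_TO_RESULT)
QUERIES = (
    [(at(10 + i, 12, 0), "alice", b) for i, b in enumerate(
        [1_000_000, 1_100_000, 900_000, 1_050_000, 950_000, 1_000_000, 1_200_000, 800_000, 1_000_000, 1_000_000])]
    + [(at(15 + i, 2, 0), "svc_etl", 2_000_000) for i in range(5)]
    + [(at(20, 9, 5), "alice", 1_150_000), (at(20, 3, 14), "svc_etl", 2_100_000),
       (at(20, 3, 20), "svc_etl", 40_000_000), (at(20, 10, 20), "bob", 500_000)]
)


def logins_without_mfa(logins):
    """Users who logged in successfully without presenting a second factor."""
    return sorted({u for _, u, _, ok, mfa in logins if ok == "YES" and mfa is None})


def untrusted_source_logins(logins, networks=TRUSTED_NETWORKS):
    """Successful logins from outside the allow-list (what a network policy would have blocked)."""
    return [(u, ip) for _, u, ip, ok, _ in logins
            if ok == "YES" and not any(ip_address(ip) in n for n in networks)]


def failed_login_bursts(logins, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Source IPs with at least `threshold` failures inside any sliding window of `window`."""
    failures = defaultdict(list)
    for ts, _, ip, ok, _ in logins:
        if ok == "NO":
            failures[ip].append(ts)
    bursts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        j, peak = 0, 0
        for i, start in enumerate(stamps):          # two-pointer sweep over sorted timestamps
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def off_hours_logins(logins, hours=BUSINESS_HOURS):
    """Successful logins outside the business-hours window."""
    return [(u, ts) for ts, u, _, ok, _ in logins if ok == "YES" and ts.hour not in hours]


def build_baselines(queries, until=BASELINE_END):
    """Per-user result-size threshold (mean + k sigma) learned from the baseline period only."""
    per_user = defaultdict(list)
    for ts, u, nbytes in queries:
        if ts < until:
            per_user[u].append(nbytes)
    thresholds = {}
    for u, sizes in per_user.items():
        m = mean(sizes)
        spread = max(pstdev(sizes), STDEV_FLOOR * m)   # a constant history would otherwise flag everything
        thresholds[u] = m + BASELINE_SIGMAS * spread
    return thresholds


def result_size_outliers(queries, thresholds, since=BASELINE_END, fallback=ABSOLUTE_FALLBACK):
    """Post-baseline queries whose result size exceeds the user's threshold (or the fallback)."""
    return [(u, nbytes) for ts, u, nbytes in queries
            if ts >= since and nbytes > thresholds.get(u, fallback)]


def response_plan(logins, queries):
    """Map findings to the automated actions the guidance describes: {user: [actions]}, [ips to block]."""
    actions = defaultdict(set)
    for u in logins_without_mfa(logins):
        actions[u].add("require MFA enrollment")
    for u, _ in untrusted_source_logins(logins):
        actions[u].add("revoke active sessions")
    for u, _ in off_hours_logins(logins):
        actions[u].add("page on-call")
    for u, _ in result_size_outliers(queries, build_baselines(queries)):
        actions[u].update({"revoke active sessions", "disable user pending review"})
    block = sorted(failed_login_bursts(logins))
    return {u: sorted(a) for u, a in sorted(actions.items())}, block


if __name__ == "__main__":
    plan, block = response_plan(LOGINS, QUERIES)
    for user, acts in plan.items():
        print(user, "->", ", ".join(acts))
    print("block:", block)
```

In the constructed data the password spray from 198.51.100.77 is followed by a password-only success for svc_etl from the same address, outside business hours, and then a result set twenty times that user's baseline; the plan therefore blocks the IP, revokes and disables svc_etl, and only asks bob to enroll in MFA. The baseline is learned strictly from the pre-cutoff window so that an attacker's own large queries cannot inflate the threshold they are judged against.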
Snowflake CISO Brad Jones stated that there is no evidence suggesting the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. Attackers have directly extorted organizations and further pressured victims by publicly posting stolen data for sale on the dark web.
Snowflake became aware of potentially unauthorized access to certain customer accounts on May 23, and the company has shared a link to a community forum post about the attack on the social platform X.
In conclusion, enterprises using Snowflake's cloud-based data warehouse should secure their accounts by following Snowflake's recommendations and adopting a security posture that keeps pace with evolving regulatory frameworks and detection tooling, including AI-driven threat detection, alongside the measures outlined above.
- Snowflake advises enterprises to enforce multi-factor authentication (MFA), since many intrusions resulted from organizations not requiring it.
- Researchers at threat detection and incident response firm Mitiga have shared their observations of the attacks on Snowflake customer environments in a Friday blog post.
- Snowflake became aware of potentially unauthorized access to certain customer accounts on May 23 and shared a link to a community forum post about the attack on the social platform X.
- According to Snowflake CISO Brad Jones, attackers have directly extorted organizations and further pressured victims by publicly posting stolen data for sale on the dark web.