Targeted Identity-Based Attacks on Snowflake Customers: Potential Triggers and Response

Bar Refael

June 6, 2024

Cloud database giant Snowflake is investigating targeted identity-based attacks against some of its customers. These sophisticated attacks aim to exploit user credentials to gain unauthorized access to sensitive data stored in Snowflake’s cloud services.

Summary:

  • Nature of Attacks: Targeted identity-based attacks focusing on customer credentials.
  • Platform: Snowflake cloud database services.
  • Potential Impact: Unauthorized data access, potential data breaches, data exploitation.
  • Current Status: Under investigation by Snowflake.

Scenarios:

  1. Increased User Activity Preceding Suspicion of Campaign:
    • An observable increase in user activity might have been detected initially.
    • This increase led to the suspicion that a targeted campaign could be underway.
    • Implication: The campaign might have triggered users to proactively secure their accounts, leading to increased activity.
  2. Panic from Campaign Leading to Increased User Activity:
    • The initial suspicion or detection of a campaign caused panic among users.
    • As a result, users increased their activity to secure their accounts and data.
    • Implication: The panic and awareness from the suspected campaign caused a surge in security-related user activities.

Joint Statement on Investigation:

On May 31st, 2024, Snowflake issued a joint statement with CrowdStrike and Mandiant stating that they are investigating a targeted campaign against Snowflake users with single-factor authentication.

There is no evidence to suggest vulnerabilities in Snowflake’s product or any data exfiltration caused by compromised credentials of a current or former Snowflake employee.

If you are a Snowflake customer, it’s important to read the company’s guidance on preventing unauthorized access and ensure your environment is properly configured and sufficiently monitored.

What does this mean for my organization?

Given the importance of data stored in Snowflake databases and warehouses, compromised credentials can lead to significant data breaches.

Once an attacker has control of an identity in cloud-hosted applications, there is no perimeter. It’s essential to ensure that if an identity is compromised, there are additional lines of defense between the bad actor and your sensitive data.

Mitigation Steps:

  1. Enable Multi-Factor Authentication (MFA): Ensure all user accounts utilize MFA for added security.
  2. Regularly Rotate API and OAuth Keys: Keep credentials secure by rotating them frequently.
  3. Monitor Account Activities: Keep a close watch on account activities for any suspicious behavior.
  4. Security Audits: Conduct frequent security audits to identify potential vulnerabilities.
  5. Awareness and Training: Educate users about the risks and best practices for maintaining account security.

Snowflake has published a security bulletin with Indicators of Compromise (IoCs), investigative queries, and advice on securing accounts. According to the bulletin, customers should review their account activity, implement stricter security protocols, and follow recommended practices for API key management.

Identified Malicious IP Addresses:


Additionally, connections from clients identifying as ‘rapeflake’ or ‘DBeaver_DBeaverUltimate’ running on Windows Server 2022 should be scrutinized, as they are known to be associated with data exfiltration.
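The following hunting queries are an added example, not queries from this advisory or from Snowflake's bulletin. They run against the real SNOWFLAKE.ACCOUNT_USAGE views; the 30-day window, the JSON key names read from CLIENT_ENVIRONMENT, and the IoC IP placeholders (fill them from the bulletin's list) are assumptions. The third query also covers the audit-trail search in the recommendations below.

```sql
-- Added hunting queries (not from the Snowflake bulletin or this article).
-- ACCOUNT_USAGE lags live activity by up to a few hours and keeps 365 days;
-- ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the share is required.
USE ROLE ACCOUNTADMIN;

-- 1. Sessions whose client self-identifies as one of the tools named above, joined
--    to the login event so the source IP and authentication factors are visible.
--    Assumption: CLIENT_ENVIRONMENT is a JSON string with APPLICATION and OS keys.
WITH session_env AS (
    SELECT session_id, created_on, user_name, login_event_id,
           PARSE_JSON(client_environment):APPLICATION::STRING AS app,
           PARSE_JSON(client_environment):OS::STRING          AS os
    FROM snowflake.account_usage.sessions
    WHERE created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
),
suspect_sessions AS (
    SELECT * FROM session_env
    WHERE app ILIKE '%rapeflake%'
       OR (app = 'DBeaver_DBeaverUltimate' AND os ILIKE '%Windows Server 2022%')
)
SELECT ss.created_on, ss.user_name, ss.app, ss.os, ss.session_id,
       lh.client_ip, lh.first_authentication_factor, lh.second_authentication_factor
FROM suspect_sessions ss
LEFT JOIN snowflake.account_usage.login_history lh ON lh.event_id = ss.login_event_id
ORDER BY ss.created_on DESC;

-- 2. Logins from the bulletin's IoC addresses. Paste that list into the IN (...);
--    the two values here are placeholders, not indicators.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       second_authentication_factor IS NULL AS single_factor, is_success
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND client_ip IN ('<IOC_IP_1>', '<IOC_IP_2>')
ORDER BY event_timestamp DESC;

-- 3. What the account actually did: stage unloads, DROPs and very large result
--    sets are the exfiltration and destruction patterns to triage first.
--    Add "AND q.session_id IN (...)" with the session IDs from query 1 to scope it.
SELECT q.start_time, q.user_name, q.role_name, q.query_type, q.session_id,
       q.rows_produced, q.bytes_written_to_result, LEFT(q.query_text, 200) AS query_text
FROM snowflake.account_usage.query_history q
WHERE q.start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (q.query_type IN ('UNLOAD', 'DROP')
       OR q.query_text ILIKE '%COPY INTO @%'
       OR q.bytes_written_to_result > 1073741824)   -- more than 1 GiB sent to a client
ORDER BY q.bytes_written_to_result DESC NULLS LAST;
```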

Recommendations:

  1. Enforce MFA and SSO: Identify and isolate Snowflake users without MFA enabled, including users with elevated permissions.
  2. Identify Sensitive Data Exposure: Understand what actions users and groups can perform on critical data and where it is potentially overexposed.
  3. Audit Sensitive Data Access Activity: Search the audit trail for risky actions such as users dropping tables or running queries that exfiltrate data.
  4. Check Network Access Policies: Create a policy to alert you whenever a Snowflake resource doesn’t have a network access policy set to limit who can connect to your Snowflake instance.
  5. Enable User Behavior Analysis: Use advanced, behavior-based threat detection on Snowflake logs.
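One way to act on recommendations 1 and 4 in Snowflake SQL, as an added example that is not from this advisory or from Snowflake. It assumes ACCOUNTADMIN, that Duo push (the EXT_AUTHN_DUO flag) is the MFA mechanism in use, and that the allowed IP ranges are replaced with your own egress addresses; the policy name corp_egress_only is made up.

```sql
-- Added audit and hardening statements (not from the article or Snowflake's bulletin).
USE ROLE ACCOUNTADMIN;

-- 1. Active users that still authenticate with a password and have no MFA enrolment,
--    with their roles so ACCOUNTADMIN/SECURITYADMIN holders surface first.
--    Key-pair users (has_rsa_public_key) are usually service accounts: move them
--    off passwords entirely rather than enrolling a human MFA device.
SELECT u.name, u.has_rsa_public_key, u.last_success_login,
       LISTAGG(g.role, ', ') WITHIN GROUP (ORDER BY g.role) AS roles
FROM snowflake.account_usage.users u
LEFT JOIN snowflake.account_usage.grants_to_users g
       ON g.grantee_name = u.name AND g.deleted_on IS NULL
WHERE u.deleted_on IS NULL
  AND u.disabled::BOOLEAN = FALSE
  AND u.has_password = TRUE
  AND u.ext_authn_duo = FALSE
GROUP BY u.name, u.has_rsa_public_key, u.last_success_login
ORDER BY (roles ILIKE '%ACCOUNTADMIN%' OR roles ILIKE '%SECURITYADMIN%') DESC,
         u.last_success_login DESC NULLS LAST;

-- 2. Which users actually completed password logins without a second factor in the
--    last 30 days; these are the single-factor accounts the campaign targets.
SELECT user_name, COUNT(*) AS password_logins,
       COUNT_IF(second_authentication_factor IS NULL) AS single_factor_logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
GROUP BY user_name
HAVING COUNT_IF(second_authentication_factor IS NULL) > 0
ORDER BY single_factor_logins DESC;

-- 3. Restrict where sessions may originate. The ranges are documentation placeholders
--    for your own egress/VPN addresses. Snowflake rejects an account-level policy
--    that would block the address you are currently connected from, so test with a
--    user-level policy (ALTER USER ... SET NETWORK_POLICY) on a break-glass user first.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Corporate egress and VPN only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Verify: an empty value means the account still accepts connections from anywhere.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```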

Stay Secure. Stay Informed.

OP Innovate Research Team.
