
Snowflake security breach: hackers exploit stolen login credentials


An ongoing controversy has arisen regarding the security of cloud-based data storage and analytics company Snowflake, with conflicting claims regarding whether the company itself has been compromised or if only their customers’ accounts and databases have been affected. This uncertainty has created confusion and concern among organizations that rely on Snowflake for their data management needs.

Snowflake, a US-based company with a wide customer base of nearly 9,500 organizations worldwide, offers a cloud-based data warehousing solution that allows enterprises to store, transform, and analyze data using SQL. While Snowflake manages the infrastructure, customers are responsible for implementing security measures such as role-based access control, data governance policies, and monitoring activities using auditing features provided by Snowflake.

Recently, researchers at Mitiga uncovered a threat actor group known as UNC5537 that has been exploiting vulnerabilities in Snowflake environments lacking two-factor authentication. The group has been stealing data from organizations using the platform and attempting to extort them by threatening to release the stolen data on hacker forums. Snowflake’s VP of Information Security and CISO, Brad Jones, confirmed unauthorized access to customer accounts and attributed the attacks to stolen user credentials, rather than any security vulnerabilities within the Snowflake product.

However, cybersecurity firm Hudson Rock claims to have spoken with the threat actor responsible for the attacks, who alleges that they were able to breach Snowflake by infecting an employee’s device with an infostealer and obtaining credentials to access Snowflake’s servers. The threat actor claims to have exfiltrated massive amounts of data from the company and attempted to extort $20,000,000 from Snowflake. This revelation has raised concerns about the extent of the breach and the potential impact on other companies that may have been affected.

In response to these security incidents, Snowflake has provided guidance to administrators on identifying indicators of compromise, detecting unauthorized access, and implementing remediation measures to secure their databases. Mitiga has also offered advice on leveraging Snowflake’s logs for threat hunting and recommended best practices such as enforcing single sign-on and multi-factor authentication.
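As an added illustration of the kind of log-based threat hunting the guidance above refers to (example written for this page, not Snowflake's or Mitiga's own published queries), the following SQL runs in a Snowflake account against the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view. It assumes the column names of that view as documented by Snowflake (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the 30-day window and the ACCOUNTADMIN role are assumptions to adjust locally.

```sql
-- Added example: hunting for password-only logins in Snowflake's login history.
-- Not part of the original article. Column names follow Snowflake's documented
-- ACCOUNT_USAGE.LOGIN_HISTORY view; the role and time window are assumptions.
USE ROLE ACCOUNTADMIN;

-- 1. Which users logged in successfully with a password and no second factor?
--    These are the accounts that stolen credentials alone would unlock.
SELECT
    user_name,
    COUNT(*)                        AS password_only_logins,
    COUNT(DISTINCT client_ip)       AS distinct_source_ips,
    MIN(event_timestamp)            AS first_seen,
    MAX(event_timestamp)            AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_source_ips DESC, password_only_logins DESC;

-- 2. For those same users, list the source IP / client type combinations seen
--    in the window so a reviewer can compare them with known corporate ranges
--    and tooling. New IPs or unusual client types are what to triage.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)            AS logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY user_name, first_seen;

-- 3. Failed logins bursting against one user are a credential-stuffing signal;
--    count failures per user and IP in the same window.
SELECT
    user_name,
    client_ip,
    COUNT(*) AS failed_attempts,
    MIN(event_timestamp) AS first_failure,
    MAX(event_timestamp) AS last_failure
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'NO'
GROUP BY user_name, client_ip
HAVING COUNT(*) >= 10          -- threshold is an assumption; tune to your baseline
ORDER BY failed_attempts DESC;
```

Two caveats a practitioner should keep in mind: ACCOUNT_USAGE views are populated with a delay (Snowflake documents up to a couple of hours for LOGIN_HISTORY), so this is a retrospective hunt rather than real-time detection, and an empty result from query 1 only means no password-only logins occurred in the window, not that every user is enrolled in MFA. The durable fix the article's sources recommend is to require SSO or MFA for every human user so that the first query has nothing to return.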

As the situation continues to unfold, organizations using Snowflake are urged to remain vigilant and take proactive steps to secure their data and prevent future attacks. The conflicting claims surrounding the Snowflake security breaches highlight the ongoing challenges faced by businesses in safeguarding their sensitive information in an increasingly digital and interconnected world.
