
Threat Alert: Critical Security Breach Involving Snowflake Cloud Platform
A significant data breach involving the Snowflake cloud storage platform has led to unauthorized access to information from multiple organizations, including Ticketmaster, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm. The breach was perpetrated by a notorious hacking group, who used compromised credentials to access customer data.
Details:
- Incident Description: The breach was facilitated through compromised credentials and lack of Multi-Factor Authentication (MFA) on certain Snowflake customer and demo accounts.
- Impact: Over 560 million user records were taken from Ticketmaster alone, and approximately 400 organizations are potentially affected in total. Sensitive customer and employee data from Santander Bank in Chile, Spain, and Uruguay was also compromised.
- Method of Attack: Attackers used credentials obtained through info-stealing malware and possibly credential stuffing. A former Snowflake employee's credentials were also compromised and used to access demo accounts.
- Ransom Demand: Attackers have demanded $20 million from Snowflake and $500,000 for the Ticketmaster data.
- Snowflake's Response: Snowflake has acknowledged the breach, attributing it to compromised customer accounts rather than a vulnerability within their platform. They are working to inform and assist affected customers.
Quadrant's Recommendations for our XDR Clients
Immediate Actions:
- Enable Multi-Factor Authentication (MFA): Ensure MFA is enabled on all accounts to prevent unauthorized access.
- Monitor for Indicators of Compromise (IoCs): Utilize provided IoCs to detect suspicious activities on your accounts.
- Reset Compromised Credentials: Promptly reset credentials for all affected or potentially affected accounts.
- Disable Inactive Accounts: Review and disable any accounts that are no longer active to minimize attack surface.
Long-term Mitigations:
- Enhance Authentication Methods: Consider implementing stronger authentication methods beyond single-factor authentication.
- Regular Security Audits: Conduct regular audits of your security posture, focusing on cloud storage environments and third-party integrations.
- Employee Training: Train employees on the importance of cybersecurity practices, including the use of MFA and recognizing phishing attempts.
What Quadrant is doing for our clients: Our Threat Hunting team, detection engineering team, and Security Operations Center analysts have added IP addresses associated with the breach into our Bluedot Threat Intelligence database, which will alert the SOC to any traffic going to those IP addresses, along with our existing detections used to monitor for credential-based attacks.
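As an added illustration (not Quadrant's detection content or Snowflake's code), the following Python sketches two of the credential-based checks described above over constructed Snowflake login-history rows: successful password-only logins from a watchlisted IP, and a source IP that fails logins against several users and then succeeds. The watchlist IPs, user names and events are constructed placeholders; the field names are assumed to follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# Hypothetical watchlist standing in for the breach-related IPs the alert refers to
# (the alert does not list them; these are documentation-range placeholders).
WATCHLIST_IPS = {"198.51.100.23", "203.0.113.77"}

@dataclass
class LoginEvent:  # field names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str          # e.g. "PASSWORD", "RSA_KEYPAIR"
    second_authentication_factor: str | None  # None when no MFA was used
    is_success: bool

def single_factor_watchlist_logins(events, watchlist=WATCHLIST_IPS):
    """Successful password-only logins from a watchlisted IP (stolen-credential reuse)."""
    return [(e.user_name, e.client_ip) for e in events
            if e.is_success and e.client_ip in watchlist
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]

def credential_stuffing_sources(events, min_users=3, window=timedelta(minutes=30)):
    """IPs that failed logins for >= min_users distinct users within `window` and
    then logged in successfully. Returns {ip: [users that succeeded]}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.event_timestamp):
        by_ip[e.client_ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if not e.is_success:
                continue
            failed_users = {f.user_name for f in evs[:i] if not f.is_success
                            and e.event_timestamp - f.event_timestamp <= window}
            if len(failed_users) >= min_users:
                findings.setdefault(ip, []).append(e.user_name)
    return findings

T0 = datetime(2024, 6, 3, 9, 0)
SAMPLE_EVENTS = [  # constructed sample rows, not real log data
    LoginEvent(T0, "alice", "198.51.100.23", "PASSWORD", None, True),
    LoginEvent(T0 + timedelta(minutes=1), "bob", "192.0.2.10", "PASSWORD", None, False),
    LoginEvent(T0 + timedelta(minutes=2), "carol", "192.0.2.10", "PASSWORD", None, False),
    LoginEvent(T0 + timedelta(minutes=3), "dave", "192.0.2.10", "PASSWORD", None, False),
    LoginEvent(T0 + timedelta(minutes=4), "dave", "192.0.2.10", "PASSWORD", None, True),
    LoginEvent(T0 + timedelta(minutes=5), "erin", "198.51.100.23", "PASSWORD", "DUO_PUSH", True),
]
```

The MFA-protected login from the watchlisted IP (erin) is deliberately not flagged by the first check, which is the point of the MFA recommendation above: with a second factor in place, a stolen password alone does not produce a successful single-factor login.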
Conclusion:
The Snowflake breach underscores the critical importance of robust security measures, particularly in cloud storage environments. Ensure all necessary actions are taken to protect your data and systems from similar threats. Stay vigilant and promptly implement the recommended mitigations to safeguard against future attacks. For further assistance or to report any suspicious activity, please contact our security operations center immediately.
