Update on Snowflake Cyber Threat
Friday, June 14, 2024
Snowflake Cyber Threat Activity
Print Mail Download i

On June 2, 2024, cloud service provider Snowflake reported increased cyber threat activity targeting some of its customer’s accounts. Snowflake recommended that customers review unusual activity to detect and prevent unauthorized user access.

The Cybersecurity and Infrastructure Agency (CISA) then sent an alert on June 3, 2024, recommending that Snowflake customers “hunt for malicious activity, report positive findings to CISA, and review the Snowflake notice” on steps to take.

On June 10, 2024, Mandiant provided additional information about the incident. If you are a Snowflake user, the Mandiant Alert is a mandatory read. According to Mandiant, it identified a campaign by threat actor UNC5537, targeting “Snowflake database instances with the intent of data theft and extortion.” The threat actor is suspected of having stolen records from Snowflake customers using stolen customer credentials and subsequently advertised the sale of customer data attempting to extort Snowflake customers. Mandiant has not found any evidence of a breach of Snowflake’s environment, but instead, the incidents stemmed from stolen customer credentials to access Snowflake’s system, in one instance, using infostealer malware. The credentials used by the threat actor were “available from historical infostealer infections, some of which data as far back as 2020.”

The three factors that allowed a successful compromise included:

1. The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password.

2. Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.

3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.

Snowflake users may wish to confirm that these three factors are not applicable to them, and if so, take measures to address them.

According to Mandiant, it and Snowflake have notified 165 “potentially exposed organizations,” and Snowflake is working with customers to mitigate a potential compromise.

Google/Mandiant provided a helpful threat intelligence collection of indicators of compromise, which is worth a scan.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Public Notices

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #401 – Cyberattack Against TikTok Targeted Brands and Celebrities
by: Linn F. Freedman
US Department of Labor’s Office of Federal Contract Compliance Offers AI Guidance for Government Contractors and Other Employers
by: Sean C. Griffin
New Texas Supreme Court Decision Highlights Several Defense Strategies for Defeating Class Certification
by: Wystan M. Ackerman
DOJ Announces $1.3 Million Settlement Involving a Laboratory Marketer, Physicians, and the Physicians’ Medical Practices
by: Danielle H. Tangorre , Erin C. Turkis
Department of Justice National Security Division Announces First-of-Its-Kind Declination under Its Voluntary Self-Disclosure Program
by: David E. Carney , Kevin P. Daly
NISTS Offers AI Governance Guideline to Help Avoid Bias Liability
by: Sean C. Griffin
UK Privacy Watchdog Probes Microsoft’s Controversial “Recall” Feature
Proofpoint Survey Outlines Challenges for CISOs
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins